How the Student Privacy Pledge Bolsters Legal Requirements and Supports Better Privacy in Education
The Student Privacy Pledge is a public and legally enforceable statement by edtech companies to safeguard student privacy, built around a dozen privacy commitments regarding the collection, maintenance, use, and sharing of student personal information. Since it was introduced in 2014 by the Future of Privacy Forum (FPF) and the Software and Information Industry Association, more than 400 edtech companies have signed the Pledge. In 2015, the White House endorsed the Pledge, and it has influenced company practices, school policies, and lawmakers’ approaches to regulating student privacy. Many school districts use the Pledge as they review prospective vendors, and it is aligned with—and has broader coverage than—the most widely-adopted state student privacy law.*
The Student Privacy Pledge is a voluntary promise, not a law that applies to everyone. But once companies sign the Pledge, the Federal Trade Commission (FTC) and state Attorneys General (AG) have legal authority to ensure they keep their promises. The FTC and state AGs have a track record of using public commitments like the Student Privacy Pledge as tools to enforce companies’ privacy promises. These legal claims arise from the intersection between Pledge promises and Consumer Protection Unfair & Deceptive Acts & Practices (UDAP) statutes—without the Pledge commitments, it would be much more difficult for the FTC and AGs to bring enforcement actions under state and federal UDAP laws. In the absence of a comprehensive federal consumer privacy law, the Pledge provides an important and unique means for privacy enforcement; it complements state and federal student privacy laws that directly regulate companies and schools.
In addition to enforcement at the federal and state levels, many schools require vendors to adhere to contracts that are modeled after or heavily mirror the Pledge, and schools have contractual rights to enforce these promises. If companies are found to break their commitments, schools can force a vendor to change practices, terminate contracts with the company, and sue for damages.
When FPF learns of a complaint about a Pledge signatory, we analyze the issue and reach out to the signatory to understand the complaint, the signatory’s policies and practices, and other relevant information. We typically work with the company to resolve any pledge-covered practices that do not align with the Pledge. We seek to bring signatories into compliance with the Pledge rather than remove them as signatories – an action that could result in fewer privacy protections for users, as a former signatory would not be bound by the Pledge’s promises for future activities.
One of the most common misunderstandings about the Pledge is the assumption that the Pledge applies to all products offered by a signatory or used by a student. However, the Student Privacy Pledge applies to “school service providers”—companies that design and market their services and devices for use in schools. When a company offering services to both school audiences and general audiences becomes a Pledge signatory, the Pledge commitments only apply to the services they provide to schools. Companies selling tools or providing services to the general public are not obligated to redesign these products because they sign the Pledge. This is consistent with most state student privacy laws and proposed federal bills.
In 2019, we decided to analyze the Pledge in light of the evolving education ecosystem, incorporating what we’ve learned from reviewing thousands of edtech privacy policies and engaging directly with stakeholders and reviewing the 130 state laws that have passed since the Pledge was created. We are excited to apply this knowledge to the Student Privacy Pledge with Student Privacy Pledge 2020, being released this fall.
* The Student Privacy Pledge’s commitments are echoed in the most commonly passed student privacy law aimed at edtech service providers, California’s Student Online Personal Information Protection Act (Cal. Bus. & Prof. Code § 22584). A version of this law has been enacted by several states, including: Arizona (Ariz. Rev. Stat. § 15-1046), Arkansas (Ark. Code Ann. § 6-18-109), Connecticut (Conn. Gen. Stat. §§ 10-234bb-234dd), Delaware (Del. Code. Ann. tit. 14, §§ 8101), Georgia (Ga. Stat. § 20-2-660), Hawaii (Hi. Rev. Stat. §§ 302A-499-500), Iowa (Iowa Code § 279.70), Kansas (K.S.A. 72-6312), Maine (Me. Rev. St. Ann. 20-A § 951), Maryland (Md. Educ. Code § 4-131), Michigan (Mich. Comp. Laws § 388.1295), Nebraska (Neb. Rev. Stat. § 79-2,153), New Hampshire (NH. St. § 189:68-a), New Jersey (Assembly Bill 4978, signed into law Jan. 2020), North Carolina (N.C. Gen. Stat. § 115C-401.2), Oregon (Or. Rev. Stat. Ann § 336.184-187), Texas (Tex. Educ. Code § 32.151), Virginia (Va. Code Ann. § 22.1-289.01), and Washington State (Wash. Rev. Code § 28A.604).