Student Privacy Pledge Loopholes? Nope. We Did Our Homework.
The Student Privacy Pledge was introduced over two years ago by the Future of Privacy Forum and the Software and Information Industry Association. It was endorsed by the White House and published at the forefront of the movement to clarify responsible practices in the collection, protection, and use of student data as the presence of technology in schools expanded. The Pledge has since been signed by more than 300 ed tech companies as a way to help demonstrate their commitment to student privacy.
The Electronic Frontier Foundation yesterday published a confusing analysis of the Pledge. EFF generally praises the Pledge commitments, but claims that the Pledge includes some fine print definitions that undercut its protections. The Pledge defines ’Student personal information’ as “personally identifiable information as well as other information when it is both collected and maintained on an individual level and is linked to personally identifiable information.” EFF claims that the Pledge “is surely meant to be narrowly interpreted” and would “seem to permit signatories to collect sensitive and potentially identifying data such search history, so long as not tied to a student’s name.”
We don’t agree. We have written extensively on the definition of personal information, in general and under FERPA. FERPA, SOPIPA and other statutes define student personal information broadly and, in our view, any reasonable analysis of the definition of Personally Identifiable Information would cover direct or indirect information that could be reasonably used to identify an individual student. To conclude, as EFF has done, that we “surely meant” some narrower definition is not consistent with either the plain meaning of the Pledge language, our published discussions about it, or the use of this definition in subsequent state student privacy laws where the Pledge has been a basis for the legislative language. There is no logic in creating or implying a meaning that would be in violation of FERPA and state laws, and we would have been happy to explain this to EFF had they reached out to us.
But whatever our view, the FTC has the authority to enforce the Pledge and interpret what the Commission thinks the language means – and we would be very surprised if they were to adopt EFF’s position that the language of the pledge should be read in a narrow and limited way.
EFF also takes issue with the fact that the Pledge covers only “school service providers” – that is, services designed and marketed to schools. However, the Pledge definition tracks consistently with the definitions in state laws and in previously proposed federal bills. SOPIPA, for example, covers programs and services that are primarily used for K-12 school purposes “and (were) designed and marketed” for such purposes. It would be quite confusing to schools and to vendors if the Pledge was interpreted to be out of sync with the standard definitions that have become widely adopted.
Why do state laws and the Pledge cover only services designed and marketed to schools? As we have discussed previously, vendors who sell general products shouldn’t be required to revamp their services simply because a school is using their product. In many cases, the vendor may not even know that a school is using their products. However the Pledge does cover services that are designed and marketed to schools, a distinction consistently made by the Pledge and state laws. We disagree that this is a “loophole” – in fact it’s an important legal distinction that policymakers have supported.
The Future of Privacy Forum has worked on student privacy with just about every major privacy group and education organization involved with student data. Getting this right is important to us. Ensuring responsible use of student data requires close collaboration between school leaders, teachers, parents, vendors, and students. We have huge respect for EFF’s smart advocacy across a range of tech policy issues, and hope they will take the time to work with us and others who are working to ensure responsible uses of technology for student learning.