The Student Privacy Pledge and Security

February 12, 2015

Brenda Leong

We know it is critical for ed tech companies to get security right.

The Student Privacy Pledge developed by FPF and SIIA requires signatories to maintain “a comprehensive security program that is reasonably designed to protect the security . . . of personal student information . . . appropriate to the sensitivity of the information.” “Reasonableness” in this context is not a subjective standard, open to interpretation by each company, but rather a standard used and interpreted across a range of contexts by the Federal Trade Commission. It is also the basis of California’s new Student Online Privacy Protection Act.

A company’s security and other commitments made under the Student Privacy Pledge are legally enforceable. Under Section 5 of the Consumer Protection Act, the Federal Trade Commission (FTC) can take action against companies that commit deceptive trade practices. It is a form of deception to make a public statement such as signing the Student Privacy Pledge but then implementing practices that do not conform to those public statements. The FTC and various State Attorneys General have brought enforcement actions against companies that made privacy promises to their consumers and then violated those promises.

Companies with security practices that fall short can therefore face legal liability. The pledge does not designate specific security technologies, because those measures need to be tailored to the service, context and sensitivity of the protected information. What constitutes reasonable may depend on the specific company and nature of the data that it handles, and must evolve over time as new threats and solutions emerge.

For services that hold sensitive student data, login password encryption or equally protective measures are basic measures that companies must implement. Of course, effective security requires ongoing training of company employees, and toward that end, we have also kicked off a series of workshops starting next week to help companies further hone their security and privacy practices.

When a company signs the Pledge, they publicly commit to its responsible and appropriate standards for student privacy and data security, and the pledge allows the public – the media, parents, educators and federal regulators – to hold these companies accountable. It’s exactly this sort of public scrutiny that makes the pledge an effective means for ensuring data accountability. This accountability requires that all stakeholders understand its security standard, enforceability and other elements of the Student Privacy Pledge.

-FPF and SIIA

Explore

Issues

authors

dates

Posts by Brenda

The Spectrum of AI: Companion to the FPF AI Infographic

Now, On the Internet, EVERYONE Knows You’re a Dog

5 Highlights from FPF’s “AI Out Loud” Expert Panel

The Student Privacy Pledge and Security

Explore

The African Union’s Continental AI Strategy: Data Protection and Governance Laws Set to Play a Key Role in AI Regulation

U.S. Legislative Trends in AI-Generated Content: 2024 and Beyond

Processing of Personal Data for AI Training in Brazil: Takeaways from ANPD’s Preliminary Decisions in the Meta Case

Do LLMs Contain Personal Information? California AB 1008 Highlights Evolving, Complex Techno-Legal Debate

Future of Privacy Forum Convenes Over 200 State Lawmakers in AI Policy Working Group Focused on 2025 Legislative Sessions

Synthetic Content: Exploring the Risks, Technical Approaches, and Regulatory Responses

Out, Not Outed: Privacy for Sexual Health, Orientations, and Gender Identities

FPF Analysis of New Requirements for Generative AI Use by Healthcare Entities in Patient Communications

FPF Submits Comments to Inform New York Children’s Privacy Rulemaking Processes