FPF Highlights Intersection of AI, Privacy, and Civil Rights in Response to California’s Proposed Employment Regulations
On July 18, the Future of Privacy Forum submitted comments to the California Civil Rights Council (Council) in response to their proposed modifications to the state Fair Employment and Housing Act (FEHA) regarding automated-decision systems (ADS). As one of the first state agencies in the U.S. to advance modernized employment regulations to account for automated-decision systems, the Council is likely to influence how other states, regulators, and policymakers consider how existing civil rights and data privacy laws apply to artificial intelligence.
In order for these regulations to provide clarity and constructive guidance within existing laws and frameworks for organizations and individuals alike, including California’s consumer privacy laws, FPF provided four recommendations to the Council:
1. Definition Alignment: The Council’s definition of “automated decision system” should align with similar regulations at the state and federal levels to facilitate greater clarity and compliance.
2. Role-Specific Responsibilities: The Council should create legal standards for when a developer of an AI system becomes an agent or employment agency, accounting for role-specific responsibilities and capabilities in the AI system lifecycle.
3. Data Retention and Privacy: Data retention and record-keeping requirements should be reasonable and align with California consumers’ rights to data privacy and data minimization.
4. Additional AI Governance Measures: The Council should conduct additional inquiries about the use of ADS and existing civil rights laws, including assessing whether automated systems are fit for purpose.
Each is summarized below in brief. For more information, you can read FPF’s full comments to the Council here.
Definition Alignment
With at least four California state governing bodies—the Council, California Privacy Protection Agency, California Government Operations Agency, and the California Legislature—considering regulatory actions on automated decision-making technology, consistent terminology across regulations enhances AI governance and prevents conflicts that could arise from divergent definitions. To ensure focus and regulatory efforts are targeted toward technologies that play an impactful role in individuals’ rights, FPF recommended alignment with definitions from Government Code § 11546.45.51, the CPPA Draft Regulations, and Assembly Bill 2930 that require the ADS role be “substantial” to the decision-making process.
A computational process that screens, evaluates, categorizes, recommends, or otherwise makes a decision or facilitates human decisionmaking that impacts applicants or employees.
Any technology that processes personal information and uses computation to execute a decision, replace human decision-making, or substantially facilitate human decisionmaking.
“High-risk automated decision system” means an automated decision system that is used to assist or replace human discretionary decisions that have a legal or similarly significant effect, including decisions that materially impact access to, or approval for, housing or accommodations, education, employment, credit, health care, and criminal justice.
A system or service that uses artificial intelligence and has been specifically developed to, or specifically modified to, make, or be a substantial factor in making, consequential decisions.
Role-Specific Responsibilities
ADS governance structures and corresponding accountability mechanisms should account for developers’ and deployers’ role-specific responsibilities. As explained in FPF’s Best Practices for AI and Workplace Assessment Technologies, “Developers and Deployers each have important roles in ensuring that Individuals understand when — and to what extent — AI tools have Consequential Impacts…[and p]articular disclosures should be provided by the entity that is best positioned to develop the content of the disclosure and communicate it to Individuals.” Establishing a legal standard in the proposed modifications would help clarify the degree of involvement, control, and influence required for an AI developer to become accountable for discriminatory outcomes based on the role and capability-specific responsibilities of developers and deployers and their relationship with one another.
Data Retention and Privacy
To minimize the risk of individuals’ personal data being misused or breached and uphold California citizens’ privacy rights, FPF recommends the Council should align and clarify the proposed regulations’ record and data retention requirements with existing privacy rights and obligations under the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and regulations set forth by the CPPA. As proposed, the modifications’ retention requirements for employers and developers may not only violate California data minimization principles, but they also raise questions about whether they are meant to override or cede to existing California privacy rights to delete such data or opt-out of automated decisionmaking technology.
Additional AI Governance Measures
Finally, ADS should not perpetuate discrimination or exacerbate harm, but updates to existing employment regulations may not be enough to mitigate all forms of discriminatory conduct or provide sufficient guidance. We recommend that the Council make additional inquiries to understand the use of ADS and the impact of existing civil rights laws. To prevent discriminatory effects and overall harm, AI tools must be validated and tested to ensure they solve the problems they are designed for. FPF acknowledges that discrimination can arise not only from faulty or inaccurate systems but simply because an AI system is not fit for its intended purpose. Accordingly, the Council should consider existing AI governance measures, such as “fit for purpose” tests, that further support civil rights protections and account for the limitations of AI.
FPF Responds to the Federal Election Commission Decision on the use of AI in Political Campaign Advertising
The Federal Election Commission’s (FEC) abandoned rulemaking presented an opportunity to better protect the integrity of elections and campaigns, as well as to preserve and increase public trust in the growing use of AI by candidates and in campaigns. When generative AI is used carefully and responsibly, it can reach different segments of the population and address the needs and concerns of specific groups and populations. However, generative AI also carries the potential to erode public trust and damage the integrity of campaigns, elections, and campaign communications. The FEC must consider opportunities to encourage the responsible use of generative AI to mitigate the risks that it may pose to democracy, including its potential to amplify pre-existing discrimination and inequitable practices.
– Amie Stepanovich, VP for U.S. Policy, Future of Privacy Forum
FPF previously submitted comments to the FEC on the use of AI in campaign ads, drawing from an op-ed by FPF’s VP for U.S. Policy, Amie Stepanovich & Policy Counsel for AI, Amber Ezzell, in which they explained how generative AI can be used to manipulate voters and election outcomes, and the benefits to voters and candidates when generative AI tools are deployed ethically and responsibly.
Singapore’s PDP Week 2024: FPF highlights include a hands-on workshop on practical Generative AI governance and a panel on India’s DPDPA
From July 15 to 18, 2024, the Future of Privacy Forum (FPF) participated in Personal Data Protection Week 2024 (PDP Week), an event organized and hosted by the Personal Data Protection Commission of Singapore (PDPC) at the Marina Bay Sands Expo and Convention Centre in Singapore.
As with PDP Weeks of previous years, programming during PDP Week 2024 combined PDPC events with the International Association of Privacy Professionals (IAPP)’s annual Asia Privacy Forum. However, for the first time, the PDPC also scheduled its annual Summit on Privacy-Enhancing Technologies (PETs) in the Asia-Pacific (APAC) region during PDP Week.
Throughout the week’s events, FPF fostered robust discussions on data protection issues arising from new and emerging technologies, including generative AI. Below is a comprehensive summary of our participation and key takeaways from these significant engagements.
1. FPF, with the support of PDPC, hosted a hands-on workshop to equip regional privacy professionals with practical knowledge on the complexities of generative AI governance in the APAC region.
On July 15, 2024, with the support of PDPC, FPF hosted a hands-on workshop titled “Governance Frameworks for Generative AI: Navigating the Complexities in Practice.” This event aimed to equip members of the regional data protection community with practical knowledge on the operational and implementation complexities of generative AI governance. It drew upon the findings from FPF APAC’s year-long research project, “Navigating Governance Frameworks for Generative AI Systems in the Asia-Pacific,” (FPF’s GenAI Report) which explored emerging governance frameworks for generative AI in APAC.
With a full house of 70 attendees, the workshop addressed rising concerns surrounding generative AI deployment risks, particularly in AI governance and data protection, highlighting guidelines and frameworks issued by data protection regulators across the APAC region. Participants engaged in dynamic discussions regarding AI and participated in a practical exercise, gaining invaluable insights into navigating the intricate landscape of generative AI governance.
Josh Lee Kok Thong, Managing Director of FPF APAC, hosted the entire event, which began with an introduction to FPF’s Center for AI by Anne J. Flanagan, FPF’s Vice President for AI. The event was structured in two parts: (1) an informational segment featuring presentations and a panel discussion; followed by (2) a practical, hands-on workshop.
1.1 The informational segment featured presentations by FPF and IMDA, as well as insights from industry and practice.
The informational segment included two presentations:
Dominic Paulger, Policy Manager for APAC at FPF, shared key findings and takeaways from FPF’s GenAI Report.
Darshini Ramiah, Manager (AI & Data Innovation) at the Infocomm Media Development Authority of Singapore (IMDA), provided an overview of Singapore’s Model AI Governance Framework for Generative AI, released in May 2024.
The industry sharing session that followed focused on key aspects of generative AI governance and deployment. The experts featured in this segment included:
Barbara Cosgrove, Vice President, Chief Privacy Officer at Workday;
David N. Alfred, Director and Co-Head of Data Protection, Privacy, and Cybersecurity at Drew & Napier; and
Lee Matheson, Senior Counsel for Global Privacy at FPF.
The experts discussed strategies for selecting AI service providers, emphasizing the importance of internal policies and risk assessment. The panelists argued that while AI introduces new technologies and applications, it ultimately functions similarly to other systems and services, allowing companies to leverage existing frameworks for compliance and risk management. The panelists additionally noted that many existing laws and regulations will remain applicable to AI systems, including those governing the professional liabilities of users of AI systems.
A key theme from the discussion was identifying red flags when engaging with AI service providers. A major red flag raised by one panelist was when a buyer or seller lacks a thorough understanding of the AI system they are discussing. The panelists agreed that it is crucial for both sides to be well-informed about the technology and its implications, and to be wary of potential AI vendors that cannot provide in-depth explanations of their products.
The discussion emphasized the need for transparency and communication between companies and their vendors. Companies should seek vendors willing to engage in open conversations about their practices, rather than those claiming 100% compliance without discussion. Instead of relying solely on standard certifications, companies should request detailed information, such as data sheets or labeling, to understand the specific practices of their AI service providers.
Further, panelists considered transparency and communication crucial at multiple levels within the AI ecosystem. When AI service providers purchase hardware to run AI models, both buyer and provider need to be aware of the data sources and datasets involved, as these factors could impact their liability.
For effective use of generative AI products, the panelists agreed on the importance of establishing a governance framework within an organization. This includes having clear guidelines for the responsible use of AI, such as for managing confidential and personal information. If a company has an acceptable use policy, it should ensure that its communication strategies are consistent with such a policy. Panelists also noted that managing vendor relationships can be complex, necessitating clear contractual agreements and governance structures.
Panelists highlighted early-stage considerations for companies developing or deploying AI systems. They considered that security-by-design and privacy-by-design should be starting points for AI development and deployment. Engaging legal, regulatory, and compliance teams early in the process is essential for comprehensive risk management.
The discussion highlighted the similarities between data protection principles and AI governance. Key data protection concepts, such as accuracy, minimization, and purpose limitation, are also relevant to AI data governance. Panelists emphasized that while data scientists and analysts may not always view their work through a legal lens, their activities often fall within data protection requirements.
The discussion concluded with insights on managing training data and model improvement while balancing innovation with ethical and regulatory compliance across international jurisdictions.
Photo: Industry sharing segment of the workshop on key aspects of generative AI governance and deployment, July 15, 2024. (L-R) Barbara Cosgrove, Lee Matheson and David N. Alfred.
1.2 The hands-on portion of the workshop engaged participants in a group exercise based on a realistic hypothetical scenario.
The final segment of the workshop engaged participants in a practical group exercise exploring the implementation of a hypothetical generative AI application modeled after ChatGPT by a fictitious private education services provider. Participants were divided into groups representing specific stakeholders relevant to the AI deployment lifecycle, such as the developer, deployer and user of the application, or a regulator, employee or in-house legal counsel. Each group was tasked with identifying and addressing potential concerns and risk areas from the perspective of their stakeholder. These discussions fostered a comprehensive understanding of the challenges posed by generative AI applications and provided valuable insights and a hands-on experience for organizations aiming to develop or deploy generative AI responsibly and in compliance with regulatory frameworks in the APAC region.
Photo: Participants presenting major takeaways from their table discussions, July 15, 2024.
Photo: Closing the workshop with a group photo of the FPF team, July 15, 2024. (L-R) First row: Bilal Mohamed, Anne J. Flanagan, Josh Lee, Sakshi Shivhare, Brendan Tan. (L-R) Second row: Lee Matheson and Dominic Paulger.
2. At the IAPP Asia Privacy Forum, FPF organized a panel to examine India’s landmark data protection legislation, and also participated in a panel on data sovereignty.
2.1. On July 18, FPF organized a panel titled “Demystifying India’s Digital Personal Data Protection Act”.
This panel was moderated by Bilal Mohamed, Policy Analyst for FPF’s Global Privacy Team, and featured as panelists:
Rakesh Maheshwari, formerly Senior Director and Group Coordinator (Cyber Laws and Data Governance), Ministry of Electronics and IT of India (MeitY), providing a regulator’s perspective;
Nehaa Chaudhari, Partner and head of the advisory and public policy practice at Ikigai Law, providing perspectives from the legal sector; and
Ashish Aggarwal, Vice President, Public Policy at nasscom, providing industry perspectives.
The panelists examined India’s landmark legislation, the Digital Personal Data Protection Act 2023 (DPDPA), covering familiar concepts like notice and consent, data subject rights, data breaches, and cross-border data transfers, as well as new features of the law like significant data fiduciaries and consent managers.
Rakesh Maheshwari provided insights into MeitY’s thinking behind several key provisions of the DPDPA. On children’s privacy, he explained that the Government was concerned with ensuring the safety of children who access online platforms and so set the threshold for parental consent at 18 by default. However, he also highlighted that the DPDPA’s children’s privacy provisions are flexible: if platforms demonstrate that they process children’s personal data safely, then the age threshold could potentially be lowered. Rakesh also explained that consent managers are intended to centralize management of consent across multiple, fragmented sources of data, such as health data from labs, hospitals, and clinics, while ensuring data protection and providing data subjects with control over how their data is processed. He further addressed the relationship between MeitY and the Data Protection Board, clarifying that while the Government will establish subordinate rules to the DPDPA, the Board will act independently as an adjudicator. He emphasized the importance of close cooperation and harmonized operations between the Board and the Government.
Nehaa Chaudhari discussed the industry’s proactive approach to compliance, noting that many businesses in India have already started the compliance process, focusing on data mapping and proactively obtaining consent from data subjects. She highlighted the industry’s hope for clarity on certain aspects of the DPDPA, particularly concerning children’s data and verifiable parental consent. She described two key aspects for verifying parental consent: obtaining the parent’s consent and establishing the parent-child relationship. Businesses are exploring various models and technological tools to address these requirements, such as the adequacy of using checkboxes for consent. She also pointed out that the DPDPA does not impose explicit duties on data processors and instead, allows data controllers and processors to determine their respective responsibilities through contractual arrangements. While the DPDPA provides a baseline for compliance, Nehaa emphasized that sector-specific regulations might impose heightened obligations.
Ashish Aggarwal provided insights into how ready nasscom’s 3,000+ member companies are to comply with the DPDPA. He explained that business-to-business (B2B) companies that already comply with the GDPR could become DPDPA-compliant in around six months as such companies should already have completed data mapping. However, he noted that for business-to-consumer (B2C) companies, GDPR compliance alone may not be sufficient as there are significant differences between the GDPR and DPDPA. He highlighted that some provisions of the DPDPA (especially breach notifications) still require clarification under forthcoming subordinate rules to the DPDPA. However, he did not expect that these rules would be as comprehensive as GDPR.
Overall, the panel provided substantial insights into the challenges and opportunities presented by the DPDPA, offering actionable advice for navigating this new regulatory landscape.
Photo: FPF Panel on Demystifying India’s Digital Personal Data Protection Act, July 18, 2024. (L-R) Bilal Mohamed, Ashish Aggarwal, Rakesh Maheshwari, and Nehaa Chaudhari.
2.2 On July 17, FPF APAC Managing Director Josh Lee Kok Thong contributed to a panel on “Data Sovereignty: Nebulous and Evolving, But Here to Stay in 2024?”.
This panel delved into the complexities of data residency, data sovereignty, data localization, and cross-border data transfers within APAC’s evolving governance structures. The speakers explored the impact of data and privacy laws, noting the complexities added by data localization requirements and the diverse approaches of countries like China, Indonesia, India, and Vietnam.
Josh provided an overview of cross-border data flows in the APAC region, highlighting the concept of data sovereignty. He drew a distinction between “data sovereignty” – a conceptual framework for looking at data transfers – and “data localization” – a set of requirements rooted in laws or policies.
Photo: FPF APAC represented by Josh Lee on a panel on Data Sovereignty: Nebulous and Evolving, But Here to Stay in 2024? July 17, 2024. (L-R) Charmian Aw, Josh Lee, Darren Grayson Chng, Wei Loong Siow, and Denise Wong.
3. FPF was represented in two sessions at the PETs Summit held on July 16, 2024.
3.1. FPF Vice President for AI, Anne J. Flanagan, spoke on the panel “Architecting New Real-World Products and Solutions with PETs.”
The panel discussed how companies have leveraged PETs for various use cases to innovate and create new products and solutions by participating in the IMDA’s PET Sandbox – a regulatory sandbox initiative set up by the PDPC to offer companies the opportunity to collaborate with PET digital solution providers to develop use cases and pilot PETs. Panelists offered valuable insights into the business cases for integrating PETs and how they contributed to sustained success in an increasingly data-driven business environment.
Anne discussed the integration of PETs in AI product development, highlighting their potential to balance innovation with privacy protection. She emphasized that PETs are not a one-size-fits-all solution but rather a tool to address various privacy challenges. Anne stressed the importance of incorporating PETs within a comprehensive company framework to effectively tackle these issues. She also announced the launch of FPF’s recent report on Confidential Computing. This report offers an in-depth analysis of the technology’s role in data protection policy, detailing its fundamental aspects, applications across various sectors, and crucial policy considerations.
3.2. FPF APAC Managing Director Josh Lee Kok Thong chaired a roundtable titled “Unleashing The Data Economy: Identifying Challenges, Building Use Cases & How PETs Help Address Generative AI Concerns.”
This session focused on exploring privacy challenges in specific use cases and the application of PETs to mitigate these concerns. The roundtable delved into the data economy, individual use cases, privacy challenges, and the intersection of PETs with generative AI. Key highlights included building an AI toolbox, identifying challenges and use cases, choosing and implementing PETs, and using PETs to balance innovation with privacy.
4. FPF organized exclusive side events to foster deeper engagements with key stakeholders on July 18, 2024.
4.1 FPF hosted an invite-only Privacy Leaders’ Luncheon at Marina One West Tower.
This closed-door event provided a platform for around 30 senior stakeholders of FPF APAC to discuss pressing challenges at the intersection of AI and privacy, with a particular focus on the APAC region. During the session, FPF Vice President for Artificial Intelligence Anne J. Flanagan introduced FPF’s new Center for AI to APAC stakeholders, highlighting our ongoing commitment to advancing AI governance.
4.2 FPF co-hosted a networking cocktail event with Rajah & Tann at Marina Bay Sands Expo and Convention Centre.
Later in the evening, on July 18, FPF APAC toasted with old and new friends and discussed the challenges and opportunities in AI and privacy. At the event, we were privileged to have the following distinguished speakers share brief remarks:
Denise Wong, Deputy Commissioner, Personal Data Protection Commission of Singapore.
Steve Tan, Deputy Head, Technology, Media & Telecommunications and Partner at Rajah & Tann.
Anne J. Flanagan, Vice President for AI at FPF.
Josh Lee Kok Thong, Managing Director of FPF APAC.
This event facilitated meaningful connections and discussions among the attendees, further strengthening FPF’s partnerships and friendships within the data protection community.
5. Conclusion
FPF is proud to showcase our significant participation in PDP Week 2024, the IAPP Asia Privacy Forum 2024, and the PETs APAC Summit, driving forward discussions on data protection and AI governance in the APAC region. FPF’s workshop on generative AI governance, insightful panel discussions, and exclusive networking events underscored our commitment to fostering collaboration and knowledge-sharing among industry, academia, regulators, and civil society.
As we look ahead, FPF remains dedicated to advancing the discourse on privacy and emerging technologies, ensuring that we continue to navigate the complexities of the digital age with a balanced and informed approach. We are grateful for the support of the PDPC, IAPP, and all our members, partners and participants who contributed to the success of these events.
Consumer Health Data Privacy Notices by the Numbers
Today, FPF is releasing an infographic that provides insights into how organizations are responding to the transparency requirements of recently enacted U.S. state health privacy laws. The infographic reflects a survey of privacy notices on the websites of 180+ companies across a variety of industries and sectors, from pharmaceutical to apparel.
Two key laws enacted on March 31, 2024 formed the basis for the survey, Washington’s My Health, My Data Act, and Nevada’s SB370. Both laws create specific obligations for online transparency notices on websites requiring detail about what health information is collected, although each law has a slightly different definition of health information (including reproductive and gender-affirming care information).
The Washington ‘My Health, My Data’ Act (“MHMDA”) establishes a duty for regulated entities to maintain and adhere to a “consumer health data privacy policy” that makes a specific set of disclosures and to “prominently publish” a link to this policy on its homepage. WA MHMDA defines health information as “personally identifiable information that is linked or reasonably capable of being linked to a consumer” and “identifies the consumer’s past, present, or future physical or mental health status.”
Chapter 603A of the Nevada Revised Statutes (“NV SB 370”) establishes a duty for regulated entities to develop and maintain a consumer health data privacy policy that “clearly and conspicuously” makes a specific set of disclosures. The law defines a use-based range of “consumer health data” that applies to information that a regulated entity “uses to identify the past, present or future health status of the consumer,” excluding certain personal information concerning consumer shopping habits and interests.
Of the 180+ companies surveyed, 40% of the websites had a consumer health data notice or policy. When consulting the general privacy notice or policy, 62% of organizations provided notice that some form of health data was collected within the relevant statutory definitions. Several policies explicitly stated that no health data “as defined by state laws” was collected, used, or sold. Although many consider WA MHMDA to require a standalone notice, 40% of the websites that had a notice bundled information related to MHMDA and NV SB 370 into the same text (ex. MHMDA “and similar laws”).
Other findings:
All industries, when taken separately, reflected an even or nearly even split between having a notice and not (ex: in a subsample of ten retailers, 50% had a notice and 50% did not). The exception was pharmaceutical and life sciences companies, where 90% of surveyed websites had notices.
For 70% of surveyed websites that included notices, those notices were linked in the homepage footer; two websites also linked to notices from their consent or cookie banners.
15% of websites with notices had entirely separate and explicit policies for WA MHMDA and NV SB 370.
87% of companies surveyed that are headquartered in Washington State had notices on their websites.
This data provides a birds-eye view of the landscape of approaches to transparency around consumer health data. Privacy leaders may use these metrics to compare their approaches in publishing privacy notices to broader industry norms, or to initiate discussion in their organizations, including on decisions to either create bundled or standalone notices, standalone notice webpages, or to link to notices on homepages.
The data in this survey were collected April 12-17, shortly after the enactment of the two relevant laws. The sampled organizations represent a highly diverse range of companies, with an emphasis on companies with a health focus or a wellness component. Many thanks to Niharika Vattikonda, Angela Guo, and Jeter Sison for the tireless data work on this project!
Limitations: Data was limited to websites accessed via desktop. App interfaces were not included in the survey. No virtual private networks (VPNs) were used (ex. a VPN based in Washington state).
Please reach out to Jordan Wrigley, Data and Policy Analyst for Health & Wellness ([email protected]) to discuss these findings or to learn more about FPF Health & Wellness projects!
CPDP LatAm 2024: What is Top of Mind in Latin American Data Protection and Privacy? From data sovereignty, to PETs
On July 17-18, the fourth edition of the Computers, Privacy, and Data Protection Conference Latin America (CPDP LatAm) was held in Rio de Janeiro, Brazil. This year’s theme was on “Data Governance: From Latin America to the G20,” highlighting Brazil’s current presidency of the international cooperation forum. As in previous years, FPF participated on the ground – this year, FPF organized a panel on the adoption and deployment of privacy-enhancing technologies in the region. This blog will cover highlights from both the plenary sessions and FPF’s panel.
During the opening plenary session, panelists discussed the relevance of data governance for informational self-determination and the sustainable development of technology. The panel argued that data sovereignty and data governance should be central values in the development and regulation of technologies in a way that empowers both nations and individuals. Panelists cautioned that in recent years some technologies have been developed without data governance frameworks and with limited accountability, leaving informational self-determination to individuals alone and offering no sustainable path for development. As a result, panelists agreed data governance is likely to remain a recurring theme in G20 debates, and regulators will play an increasingly critical role in monitoring the sustainable and ethical development of technology.
During the closing plenary session, panelists reminded the audience that approving laws and regulations is just the first step in the regulatory journey. For instance, while discussing Brazil’s AI Bill (PL 2338/2023), panelists commented that the proposal provides a strong framework to regulate and monitor the deployment of AI technologies. Regardless of potential amendments to the current proposal, regulators must be aware that active implementation is the most relevant aspect of the regulatory journey.
On a separate note, panelists also discussed data governance as an essential component of digital public infrastructures (DPIs). For instance, they noted DPIs became relevant after India included them as a priority during its G20 presidency. Although digital public infrastructure is still an evolving concept, it can be explored as an alternative way to develop and deploy technology, while keeping a critical approach and understanding the normative values embedded in this concept. The introduction of this concept offers a reminder that other jurisdictions and regions, including Latin America, can benefit from the knowledge and experience shared by other regions like the Asia-Pacific. At the same time, panelists agreed that these references should not prevent policymakers in Latin America from thinking through, analyzing, and deciding on standards and mechanisms for data governance in consideration of the region’s unique social, economic, and cultural dynamics.
FPF’s Panel: Exploring the Potential of PETs in Latin America
FPF’s panel focused on the potential of privacy-enhancing technologies (PETs) to advance privacy and data protection in Latin America. During the discussion, the goal was to cover three main points: i) the state of deployment of some of these technologies; ii) policymaking and regulatory priorities; and iii) opportunities and potential limitations.
First, panelists discussed the growing popularity of PETs in recent years as a result of progress in research and computational capacity. Global policy efforts for the adoption of PETs have included the release of guidance, the creation of sandboxes, and increased investment in PETs research and development. Latin America has not been the exception, as regulators have begun to discuss the potential of PETs to help mitigate privacy risks and reduce the identifiability of data.
For instance, Brazil’s Autoridade Nacional de Proteção de Dados (ANPD) recently conducted technical studies on anonymization and pseudonymization as a basis for its forthcoming guidance. The ANPD also acted as an observer of OpenLoop, Meta’s global initiative connecting policymakers and companies to develop policies around emerging technologies and AI, a project developed separately in Brazil and Uruguay. One of the project’s findings in Brazil identifies a gap in most data protection laws (including the LGPD): a lack of an express provision covering PETs. In some cases, the connection between the law and these technologies relies on achieving data protection principles such as data minimization or complying with anonymization obligations. Panelists agreed that the need to define clear standards for anonymization is an important step for PETs adoption.
[Photo description: Pedro Sydenstricker (Nym Technologies, Brazil); Pedro Martins (Data Privacy Brasil); Maria Badillo (FPF); Thiago Moraes (ANPD); Camila Nagano (iFood)]
Relatedly, panelists discussed use cases where PETs can help with business development while preserving the privacy and utility of the data. For instance, in the food delivery service industry, panelists discussed how different techniques help obscure or eliminate personal data retrieved from customer interactions. If properly implemented, businesses can keep relevant data for analysis and improvement of services while preserving the privacy of their customers. Panelists agreed that organizations investing time and resources to integrate these types of tools not only open up new opportunities to improve user engagement and drive strategic decision-making, but also build trust, an essential component in digital transactions.
Finally, panelists briefly addressed the relevance of PETs in addressing privacy risks generated by AI. Acknowledging that AI can bring new ethical and legal challenges, they agreed on the importance of exploring the potential of different tools and techniques when adopting or developing AI models. Panelists agreed that organizations should make efforts to approve internal governance programs and guidance, invest in education and training for staff, and keep track of regulation. This, however, must be complemented with more legal certainty and guidance from regulators on how to implement PETs and AI governance more generally.
To foster dialogue and collaboration around PETs and policymaking, FPF supports the Global PETs Network for Regulators, a forum that exclusively convenes regulators worldwide. If you are interested in participating in the Network, please reach out to [email protected] or [email protected]. You can also learn more about FPF’s PETs-related work here.
[1] According to the United Nations Development Programme, there is growing consensus on defining DPIs as “a combination of (i) networked open technology standards built for public interest, (ii) enabling governance, and (iii) a community of innovative and competitive market players working to drive innovation, especially across public programmes.” Digital public infrastructure | United Nations Development Programme (visited July 2024).
FERPA Exceptions: A Study in Studies
The Family Educational Rights and Privacy Act, or FERPA, protects personally identifiable information from education records from unauthorized disclosure. The law has been affording parents privacy rights over their children’s education records for almost half a century now; indeed, the fiftieth anniversary of FERPA’s passage is this August 2024. As FERPA’s golden birthday approaches, FPF is taking a closer look at some of its finer points and how they are functioning in practice fifty years later. This blog post examines one of FERPA’s exceptions to the requirement to obtain parental consent before disclosing student personally identifiable information: the “studies exception”. [1]
Schools and Research Data Access
Given the wording of the phrase “studies exception” and that the exception allows for sharing student data with researchers under certain conditions, conflation of the studies exception with the idea of a general “research” exception is not uncommon. Perhaps this blog post even reached your attention following a search for school research laws or how research operates under FERPA. Some may be surprised to learn that there is no research exception under FERPA at all: no provision of the law allows for the general sharing of student information for research purposes without parental consent.
Though no general research exception exists under FERPA, varying types of student data remain imperative for a number of research objectives. Researchers may be interested in original data created and collected specifically for a particular research project (primary research), such as interviews, focus groups, observations, and surveys,[2] or data collected through third-party applications. They may also be interested in using existing datasets (secondary research) collected as the byproduct of natural educational processes, such as administrative records or assessment records. Using primary or secondary research to inform longitudinal or correlative studies may be the first use that comes to mind when thinking about student data for research; however, an incredibly broad range of uses exists beyond the purely academic purposes often associated with researchers. Anyone with a role in the process of improving instruction may handle student data for research. Student data can help inform the effectiveness of a particular assessment product. It can help EdTech vendors or community partners determine whether learning objectives are met using their product or program. It is even important for teachers conducting action research as a requirement for a Master’s in Education degree or writing dissertations. School employees may be responsible for designing or approving extracts of data that researchers use. A broad range of research uses for student data all benefit from access to it; we will examine the security and privacy requirements necessary to reap those benefits.
FERPA and the Studies Exception
In order to access the education record data needed for research purposes, a researcher must meet the requirements of FERPA, any state-specific laws, and district and state policies. The general rule under FERPA is that parental consent is required prior to disclosing personally identifiable information from a student’s education record unless an exception applies. Written parental consent must specify the records that may be disclosed, state the purpose of the disclosure, and identify to whom the disclosure may be made. If a researcher would like to collect new data from students, more detailed consent may be appropriate, even if an exception applies. [3]
FERPA exceptions refer to conditions or situations where it is not necessary to first obtain parental consent before disclosing personally identifiable information from a student’s education record. Parental consent is not needed to share student data under the studies exception, given that specific requirements are met. Personally identifiable information from education records may be disclosed in connection with certain studies conducted “for or on behalf of” schools, school districts, or postsecondary institutions. In order for the FERPA studies exception to apply, those studies must be for specific purposes:
the purpose of developing, validating, or administering predictive tests;
the purpose of administering student aid programs;
or the purpose of improving instruction.
Furthermore, there must also be a written agreement between the school and the researcher performing the study. The written agreements must do several things, including:
specify the purpose, scope, and duration of the study and the information to be disclosed;
and require the receiving organization (or researcher) to:
use personally identifiable information only to meet the purpose(s) of the study;
conduct the study in a manner that doesn’t permit the identification of parents or students by anyone other than representatives of the organization with legitimate interests; and
destroy the personally identifiable information upon completion of the study and specify the time period in which the information must be destroyed.
Compliance with these requirements is imperative, and noncompliance can come with repercussions. For example, if the Department of Education determines that the researcher improperly re-disclosed personally identifiable information from education records, the educational institution from which the personally identifiable information originated may not allow that researcher to access personally identifiable information from education records for at least five years. [4]
Even if requirements for the FERPA studies exception are met, researchers are not entitled to a right to access student data. The FERPA studies exception does not function in the way that a public data request or Freedom of Information Act (FOIA) request does: there is no absolute public right for an aspiring student data researcher (or anyone, for that matter) to demand the student information they need from a school. A public data or FOIA request would not require a school to generate data not already in existence – which would even include creating new reports for existing data – that many proposed studies would necessitate. The FERPA studies exception makes clear that the educational institution authorizing the study is not required to initiate a study, meaning the school can respond to a researcher’s request and/or approve it. However, they are not required to approve all research requests: the school may also deny them. And even if a school authorized the use of student data for a study, the school is not required to agree with or endorse the conclusions of the study.[5]
Written Agreements
School districts tasked with creating a written agreement that complies with the FERPA studies exception requirements need not start entirely from scratch: excellent resources exist to help with this task. The United States Department of Education has provided guidance on best practices for the written agreements required under the studies exception to FERPA. Its guidance includes a number of recommendations for navigating these agreements, such as recommending that the written agreement bind not only an organization conducting the research, but also individuals; include an agreement not to redisclose data collected or used for the relevant study; and specify data custodians or stewards [6] who are directly responsible for managing the relevant student data. Other best practices include clarifying ownership of the personally identifiable information from education records, identifying clear penalties for misuse or breach of contract, setting responsible and appropriate terms for data destruction, and allowing the school to review and approve reported results. Informing the public about written agreements related to school studies is also a best practice, as it promotes transparency and builds trust. The Student Data Privacy Consortium’s National Research Data Privacy Agreement (NRDPA) is a model written agreement specifically designed to standardize the various required components for the studies exception, for secondary research. The NRDPA is intended to be part of, not a replacement for, a district’s broader research data approval policy. Before simply adopting the NRDPA, districts should review it with their general counsel to see how it will support their existing research policies.
School District Research Policies
Administrative procedures already exist in many cases to support compliance with FERPA for research data requests. Most schools already have policies in place for research approval. Though researchers may be versed in research ethics, they may not know the basics of student privacy. They may not be fully aware of the student privacy and security risks, or of the potential for harm from misusing or improperly sharing student data. And though a university study will likely be guided by an Institutional Review Board (IRB) policy to ensure that the research conducted is legally compliant, ethical, and protective of its participants, this may not be enough to protect student privacy. IRBs may interpret FERPA narrowly [7], and some types of research, such as big data research, may be exempt from IRB approval and may make informed consent nearly impossible to acquire. Robust school district research policies are one way to help protect student data privacy while still benefiting from student data research.
Research policies may include guidelines for conducting primary research, requesting secondary data, creating strong definitions, and providing applicable legal frameworks, such as in Chicago Public School District’s Guidelines for External Research and Data Collection. Policies may also indicate who may conduct research, what to do in the case of a conflict of interest, and how the research proposal and approval process works, such as in Boston Public Schools’ Policy and Guidelines for Conducting Educational Research. As the risks of harm from misusing student data are high, some districts’ policies – such as Palm Beach County Schools’ research policy – even require researchers who will be collecting or accessing students’ personally identifiable information to undergo background screening and provide evidence of good moral character.
Researchers hoping to work with a specific school district should search for or inquire after the district’s research policy. School districts without existing research policies should strongly consider creating one, paying close attention to FERPA requirements and to supporting student data privacy and security: the National Forum on Education Statistics has guides for supporting data access for researchers, both from a Local Education Agency Perspective and from a State Education Agency Perspective.
In Conclusion
Research conducted using student data is done for a wide range of purposes and, when done well and safely, can provide an equally wide range of benefits. Research can support individual learners and student success, and better inform decision-making, such as building a curriculum or developing a new instructional program. Before working with a school to collect new or use existing data, researchers should think critically about the type of data they want, and more importantly, the type of data they really need. Is student personally identifiable information really necessary for the study, or would aggregate data be sufficient? Would de-identified data? [8] Researchers should work closely with schools to support student data privacy, strictly abide by school research policies, and implement recommended best practices under the FERPA studies exception. School districts that agree to share student data with researchers should develop and maintain strong research policies developed with both FERPA compliance and student data privacy and security in mind. Fifty years of FERPA has taught us that commitment to these practices from both participating schools and researchers can help support student data privacy for the next fifty years, as well.
Contextualizing the Kids Online Safety and Privacy Act: A Deep Dive into the Federal Kids Bill
Co-authored by Nick Alereza, FPF Policy Intern and student at Boston University School of Law. With contributions from Jordan Francis.
On July 30, 2024, the U.S. Senate passed the Kids Online Safety and Privacy Act (KOSPA) by a vote of 91-3. KOSPA is a legislative package that includes two bills that gained significant traction in the Senate in recent years—the Kids Online Safety Act (KOSA), which was first introduced in 2022, and the Children and Teens Online Privacy Protection Act (“COPPA 2.0”), which was first introduced in 2019. KOSPA contains new provisions and a variety of provisions that would amend, and in some cases augment, the United States’ well-established existing federal children’s privacy law, the Children’s Online Privacy Protection Act (COPPA).
KOSPA’s passage in the Senate marks the most substantial advancement in federal privacy legislation in decades. In just the last two years, the children and teens’ privacy and online safety landscape has seen a flurry of activity. The federal executive branch has been active through efforts such as significant FTC enforcement actions and a report released just two weeks ago from the Biden-Harris Administration’s interagency Task Force on Kids Online Health and Safety. Most notably, many states have passed laws providing heightened protections for kids and teens online, some of which have been the subject of litigation.
Amongst all this activity, the Kids Online Safety and Privacy Act takes a new approach that is unlike much of what we have seen before. Like other proposals, the bill would create heightened protections for teens, and new protections for design and safety. However, KOSPA also contains a novel knowledge standard, limited preemption, and a novel “duty of care,” along with requiring particular design safeguards and prohibiting targeted advertising to children and teens.
1. A novel knowledge standard
Similarly to COPPA, the Kids Online Safety and Privacy Act (KOSPA) would establish a two-part threshold for when companies are required to comply with various data protection obligations, such as access, deletion, and parental consent, for when a service is “directed to children” or when services have “actual knowledge” that an individual is a child. However, KOSPA would modify the standard in a novel way: its protections for minors would apply when a business has “actual knowledge or knowledge fairly implied on the basis of objective circumstances.”
This language is based on the FTC’s trade regulation rules, which use the “knowledge fairly implied” standard to determine if a company knew it violated a trade rule. While the FTC is experienced in using this standard, it is new when applied to children’s privacy and online safety. Currently, there is little guidance or comparable laws to help understand how “knowledge fairly implied on the basis of objective circumstances” applies specifically to the narrow question of whether a user on a website is a minor. This standard is arguably closer to constructive knowledge and may even be broader than the “willful disregard” standard used in state comprehensive laws.
COPPA’s knowledge standard, or the question of what obligation a business has to figure out who on its website is a child, has long been debated. On one hand, critics of the existing standard argue that it is too narrow and that needing actual knowledge incentivizes companies to avoid evidence that might suggest children are on their websites. On the other hand, proponents of keeping the existing standard argue that broadening the threshold would require companies to engage in too much data collection, creating the unintended result of age-gating even general audience, age-appropriate websites. In recent years, most state comprehensive laws have taken the approach of using “actual knowledge or willfully disregards,” which attempts to strike a balance between the two sides of this debate.
2. Narrow preemption of state laws
Preemption, or the question of which state privacy laws will be superseded by a federal standard, is one of the biggest sticking points in federal privacy debates. Under KOSPA, preemption is narrow and would explicitly supersede only state laws that directly conflict with the Act. Additionally, the Act includes a savings clause explicitly allowing states to enact laws and regulations that provide “greater protection” to minors than those under KOSPA.
While any federal law is likely to have some uncertainty when it comes to preemption of state laws, this language bodes well for states who have enacted heightened privacy and online safety protections for children and teenagers in recent years, such as Maryland, Connecticut, and New York. Some of the thinking with a federal privacy law is that it would afford one national standard for privacy rather than a “patchwork” state-by-state approach. However, with KOSA and COPPA 2.0, these would be additional protections layered on top of existing state compliance obligations.
3. A novel “duty of care” to prevent and mitigate harms to children and teens
One of the most discussed new provisions in KOSPA (arising from KOSA) is its duty of care. The proposal would require covered platforms to exercise “reasonable care” in the “creation and implementation of any design feature to prevent and mitigate [harms] to minors.” Specifically, KOSPA identifies six categories of harm, including explicitly stated mental health disorders, violence and online bullying, and deceptive marketing practices. (See Table 1)
Online services owing a duty of care to minors is a novel aspect of child-focused privacy laws, a trend that has popped up in recent years – seen in the currently-enjoined California Age-Appropriate Design Code, the Maryland Age-Appropriate Design Code, and recent amendments to Colorado’s and Connecticut’s comprehensive consumer privacy laws. Design codes require an affirmative duty to act in the best interests of children, whereas KOSA, Connecticut, and Colorado require a duty to avoid harm.
Overall, KOSPA/KOSA’s approach to a duty of care is both broader in scope, and at the same time more specific in its enumeration of specific harms, compared to existing state approaches. As comprehensive consumer privacy laws, Connecticut and Colorado are focused on how processing personal data may be used to facilitate harms whereas KOSA applies broadly to preventing and mitigating harms. Connecticut and Colorado also require an assessment of any service, product, or feature, while KOSA is focused only on “design features.” Lastly, Connecticut and Colorado’s list of harms is shorter and more narrowly focused on more traditional privacy harms, while KOSA enumerates specific concrete harms related to modern kids’ and teens’ well-being, such as anxiety, bullying, and abuse.
None of the state laws with duties of care are yet in force, so it remains to be seen how these provisions will be implemented by companies or enforced by regulators. However, the alignment of KOSA with the specificity and narrower scope of Colorado and Connecticut could mitigate risks of legal challenges over restrictions on content, like those seen in the California AADC litigation.
Table 1
KOSA’s duty of care
A covered platform shall exercise reasonable care in the creation and implementation of any design feature to prevent and mitigate the following harms to minors:
(1) Consistent with evidence-informed medical information, the following mental health disorders: anxiety, depression, eating disorders, substance use disorders, and suicidal behaviors.
(2) Patterns of use that indicate or encourage addiction-like behaviors by minors.
(3) Physical violence, online bullying, and harassment of the minor.
(4) Sexual exploitation and abuse of minors.
(5) Promotion and marketing of narcotic drugs (as defined in section 102 of the Controlled Substances Act (21 U.S.C. 802)), tobacco products, gambling, or alcohol.
(6) Predatory, unfair, or deceptive marketing practices, or other financial harms.
Connecticut & Colorado’s duty of care
Controllers shall use reasonable care to avoid any heightened risk of harm to minors caused by such online service, product, or feature.
Heightened risk of harm to minors means processing minors’ personal data in a manner that presents any reasonably foreseeable risk of:
(A) any unfair or deceptive treatment of, or any unlawful disparate impact on, minors
(B) any financial, physical or reputational injury to minors, or
(C) any physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors if such intrusion would be offensive to a reasonable person
(D) unauthorized disclosure of the personal data of minors as a result of a security breach [note: this fourth harm is in CO, but not CT]
4. Changes to Verifiable Parental Consent (VPC)
KOSPA would expand the existing requirements for verifiable parental consent (VPC), requiring companies to collect it at an earlier stage than might often be obtained under COPPA. Interestingly, both provisions of KOSPA (the COPPA 2.0 and KOSA parts of the bill) address VPC separately. KOSA would require a covered platform to obtain verifiable parental consent (VPC) before a known child’s initial use of the service. While a covered platform may consolidate this process with its process to obtain VPC for COPPA, KOSA’s VPC requirement seems to still apply even if a covered platform’s personal information practices do not necessitate VPC under COPPA.
KOSA may also differ in its approach to children who already use a covered platform. Because KOSA requires VPC prior to a known child’s “initial use”, it is unclear whether a covered platform must obtain VPC from a child whose initial use happened before the bill’s effective date or when the platform knew they were a child. Comparable state social media laws include provisions that prevent a minor from holding an account they could not create: Florida’s HB 3 would require a social media service to terminate all accounts that likely belong to minors younger than 16, and Tennessee’s Social Media Act would require age-verification of an unverified account holder when they attempt to access their account.
5. Other Privacy and Safety Safeguards
KOSPA includes a number of requirements for companies to establish safeguards aimed at addressing “the frequency, time spent, or activity of minors” on platforms, including the ability to opt out of personalized recommendation systems. The proposal would also establish a flat ban on personalized advertising to kids and teens under the age of 17.
Design Safeguards for Time Spent and Recommendations
KOSPA requires covered platforms to “provide readily-accessible and easy-to-use safeguards” to any user or visitor that the platform knows is a minor. These safeguards must be on the most protective setting by default. KOSA requires a covered platform to make parental tools available, although a minor can change their own account settings without VPC.
Two of KOSPA’s safeguards have key differences compared to state social media laws with similar provisions. KOSA requires a covered platform to limit by default “design features that encourage or increase the frequency, time spent, or activity of minors.” State social media laws which regulate design features tend to do so narrowly, such as Utah’s SB 196, which would prohibit the use of infinite scroll, autoplay, and push notifications for minors, or New York’s SAFE for Kids Act, which would require VPC to enable overnight notifications for minors. Once again, KOSA’s scope more closely resembles state privacy laws: Colorado and Connecticut both have a broader prohibition against the use of any “system design feature to significantly increase, sustain, or extend a minor’s use of the online service, product, or feature” without a child’s VPC or a minor’s consent. But unlike all of these laws, KOSPA would allow minors, including children, to change any of these settings without VPC.
The second notable safeguard is a requirement for a covered platform to include controls to adjust or opt-out of any personalized recommendation systems, which are suggestion or ranking algorithms that incorporate a user’s personal information as defined in COPPA. This category appears to be narrower than New York’s SAFE for Kids Act, which would limit feeds which rank or suggest content based on any information associated with a user or user’s device.
Prohibition on Targeted Advertising
Finally, the COPPA 2.0 portion of the bill creates a flat prohibition on targeted advertising to children and teens 16 and under. While comparable state laws have moved in the direction of creating additional restrictions on advertising to minors, the federal approach goes the furthest by creating a ban rather than allowing for opt-in consent. Notably, the bill takes the approach of creating and defining the term “individual-specific advertising.” The combination of the targeted advertising ban and the broader, constructive knowledge standard used is likely to have significant impacts for the adtech ecosystem.
Reporting Mechanism
KOSPA requires a covered platform to incorporate a reporting mechanism, through which minors, parents, or schools can report harms to minors. The platform must have an electronic point of contact specific to these matters, and the platform must substantively respond to a report within at most 10 or 21 days, depending on the size of the platform and the imminence of harm to the minor. KOSPA’s attention to detail regarding reporting mechanisms stands out when compared to the Maryland AADC’s single requirement that a service’s reporting tools be “prominent, accessible, and responsive.”
Looking ahead
While KOSPA passed the Senate by an overwhelming vote of 91-3, its future in the House of Representatives is uncertain. The House started its August recess just days before the Senate vote, and the earliest KOSPA could be taken up in the House is September 9, which will be just under two months until the November election. Whether that helps or hurts the bill’s chances is subject to speculation. No matter Congress’s next move, states are poised to keep forging ahead on youth privacy and online safety.
School Fundraising in the Digital Age: Policy, Privacy, and Pitfalls
Fundraising is deeply rooted in school communities, serving as a vital means to supplement limited budgets. These efforts are often led by parent organizations, athletic boosters, student groups, or the school itself. Traditionally, fundraisers were dominated by product sales – cookie dough, candy bars, and kitchenware – often involving students soliciting support door-to-door or from family and friends. In recent years, however, the rise of online platforms has significantly transformed how schools fundraise. Fundraising campaigns now include crowdfunding, peer-to-peer giving, online product sales, and online sweepstakes and raffles. Solicitation has shifted from face-to-face to social media, personalized webpages, email and text messaging. This shift introduces new considerations related to student safety, data privacy, and regulatory compliance.
Legal and Compliance Considerations
As fundraising increasingly leverages digital tools and online engagement, school leaders must navigate a new set of risks and responsibilities. Digital campaigns often collect and share student images, names, grade levels, and performance metrics to personalize appeals. Some platforms encourage or enable the use of student text messaging or personal social media accounts for promotion, heightening the risk of disclosing sensitive information such as phone numbers or private profiles. These practices raise significant concerns about consent, exposure, and data sharing. In addition, the use of third-party vendors introduces complexities about data ownership, security practices, and compliance with federal and state regulations, including the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Act (PPRA), the Children’s Online Privacy Protection Act (COPPA), and various state consumer protection regulations.
Fundraising initiatives must align with existing district policies, particularly those governing the use of student information in marketing or promotional contexts. School leaders should clearly determine whether any data shared falls under the definition of a student education record or directory information as defined by FERPA, and ensure that proper consent and opt-out mechanisms are in place. Even directory information – such as names, grade levels, or photos – used in digital campaigns may pose privacy concerns when aggregated or used for public appeals.
In addition, schools must comply with the Protection of Pupil Rights Amendment (PPRA, 20 U.S.C. §1232h), which requires that parents be notified and given the opportunity to opt out when student information is collected for certain purposes, including marketing. While PPRA does not prohibit the use of student data for school-related fundraising, it does restrict the collection, disclosure, or use of personal information from students for the purpose of commercial marketing or selling that information, or providing it to others for that purpose. Districts should carefully review platform agreements to ensure student data is not repurposed for commercial targeting or sold to third parties, and that appropriate privacy protections are in place.
Data security remains a critical concern. Schools should assess vendor practices around data collection, storage, and breach response. A 2024 data breach involving a student-focused fundraising platform exposed over 700,000 student records—including names, photos, and contact details—underscoring the importance of due diligence before approving any digital fundraising tool (VPNMentor Report).
Equity, Access, and Reputational Considerations
Beyond regulatory compliance, digital fundraising introduces challenges related to equity, access, and public perception. For example, crowdfunding campaigns that highlight individual student needs can inadvertently pressure families, create competition among students, or draw unwanted attention to a student’s circumstances. Some campaigns may exaggerate school deficiencies or portray only negative conditions to attract donations, potentially harming the school’s public image and stakeholder trust. Additionally, digital campaigns often rely on access to social media, mobile phones, or internet-connected devices, which may disadvantage students without consistent access to these tools, further widening participation gaps. Campaigns driven by incentives, such as prize-based competitions for top fundraisers, can also reinforce inequities by rewarding students based on personal networks or family resources. In light of these challenges, district leaders are increasingly called to evaluate platform terms, develop internal review protocols, and ensure fundraising practices align with data governance, equity, and communications policies.
Establishing Guardrails: Policy and Oversight Considerations
To responsibly manage evolving fundraising practices, school systems should establish clear policies that define permissible tools, set expectations for data handling, and outline approval procedures. When planning or evaluating digital fundraising efforts, district leaders can reference the Fundraising Tool Implementation Checklist to ensure alignment with privacy, equity, and compliance priorities. Districts are encouraged to:
Implement a Fundraising Policy: Develop and adopt a comprehensive policy that outlines roles, approval processes, data use expectations, and safeguards to ensure compliance, transparency, and equity across all fundraising efforts. Refer to the Fundraising Policy & Procedure Development Checklist to guide this process and ensure consistency with district priorities and legal requirements.
Require Administrative Review: Implement a review process for any fundraising initiative involving student data, likeness, or participation, regardless of who initiates the campaign.
Vet Third-Party Platforms: Ensure all fundraising vendors meet district data privacy standards, including adherence to FERPA, PPRA and provide transparent terms of service. Determine if parental consent is required under COPPA.
Clarify Consent Protocols: Develop procedures to obtain informed consent from parents or guardians when student information is used in promotional materials or shared online.
Provide Staff and Volunteer Training: Educate stakeholders, including parent organizations and booster clubs, on legal obligations and ethical considerations related to digital fundraising.
Document and Monitor Activity: Maintain centralized records of all fundraising campaigns, platforms used, and data shared, and periodically audit for compliance.
As fundraising tools and technologies continue to evolve, schools have an opportunity to harness innovation in ways that strengthen community engagement and expand support for students. However, this progress must be guided by thoughtful oversight, inclusive practices, and a commitment to safeguarding student well-being. By establishing clear expectations for fundraising activities and proactively addressing risks, district leaders can foster a culture of responsible innovation, one that empowers communities without compromising privacy, equity, or trust.
Fundraising Tool Implementation Checklist
Planning and Alignment
Does the fundraising activity align with the district’s mission, values, and equity goals?
Has the purpose of the fundraiser been clearly defined and communicated?
Are there established district policies governing fundraising, and does this effort comply with them?
Has leadership approved the use of the digital tool(s) or third-party vendor?
Platform Evaluation
Has the fundraising platform been vetted for data privacy and security practices?
Does the platform comply with FERPA, PPRA and relevant state privacy laws?
Do contracts confirm that the district retains ownership and control over student data, with limitations on vendor use?
Are the platform’s terms of service and privacy policy transparent and acceptable?
Is there a process for assessing potential reputational risks associated with the platform?
Equity and Accessibility
Will all students have equitable opportunities to participate regardless of access to devices, internet, or social media?
Are there alternative ways for students or families without digital access to support or engage?
Does the campaign avoid highlighting individual student needs in a way that may cause harm or embarrassment?
Student Data and Consent
Is any student data (e.g., name, photo, grade, performance) being collected or shared?
Have parents/guardians provided informed consent for any student-identifying information used?
Is student participation voluntary, and are opt-out options clearly provided?
Oversight and Documentation
Is there a designated staff member responsible for reviewing and approving fundraising campaigns?
Are all fundraising efforts logged, including platform used, data shared, and campaign duration?
Has the campaign been reviewed for compliance with procurement policies?
Are digital records (e.g., campaign pages, communications, data shared) archived according to district records retention policies?
Communication and Transparency
Have school leaders, staff, and parent groups been informed of expectations and safeguards?
Are families clearly informed about their rights, including how to opt out of data use or participation, how student data will be used, and how to ask questions or raise concerns?
Is the fundraising impact reported transparently to the school community?
Download the Fundraising Policy & Procedure Development Checklist
A Critical Line of Defense: The Security.txt File’s Potential to Mitigate School Cybersecurity Attacks
Current Cybersecurity Challenges in Schools
All it takes is somebody opening up an attachment for cybercriminals to infiltrate a school’s data system. And it’s not just educational data at risk of being exposed. Schools collect and store vast amounts of sensitive information about students, employees, and alumni: grades, student behavior notes like suspensions, social security numbers, physical addresses, contact information, health data like allergies, alumni records, and donations. That is why implementing standardized ways of detecting and communicating educational systems’ vulnerabilities is so essential.
Every year, schools across the United States face constant cyber threats like phishing, ransomware, and denial-of-service attacks. The cascading impacts of these attacks are vast. Schools and school districts must address the financial losses of replacing computer hardware and removing students’ data, and the disruptions may cost students lost learning time in the classroom. Moreover, it is much harder to detect when children’s identities are stolen because parents do not monitor their children’s credit, allowing cybercriminals to exploit their data by setting up loans and bank accounts for years to come.
Schools face unique challenges in protecting their cybersecurity infrastructure. “Humans are considered the weakest link” is a common adage in cybersecurity circles. As more educational activities transition online, there is a greater chance that students, parents, or staff may accidentally click on malicious links or use weak passwords. Moreover, schools frequently rely on multiple third-party educational vendors who process students’ personal information. This reliance contributes to more significant risks of phishing attacks, where cybercriminals use social engineering tactics to access sensitive information or install malware. For example, they may craft an email masquerading as a job offer from a professor or an email asking students to input login credentials to access a service. From 2005 to 2021, there were 2,691 data breaches in U.S. K-12 districts and colleges. Educators fear these numbers will rise since cybercriminals’ messaging tactics have become more sophisticated with artificial intelligence; this risk is why more schools’ IT departments are running fake phishing tests to educate community members and assess the community’s vulnerabilities.
Another challenge schools face is that their technology may not be as up-to-date, since they have relatively low IT budgets compared to large corporations or federal government agencies. Cybercriminals exploit these vulnerabilities by targeting schools with ransomware, a form of malware designed to encrypt files on a device and block access to computers or data systems. Cybercriminals then demand a ransom in exchange for decryption. According to anti-malware company Emsisoft, in 2021, 62 districts and 26 colleges and universities were impacted by ransomware attacks. In 2022, 45 school districts and 44 colleges and universities were affected. Unfortunately, the rates of attacks continue to rise, prompting the White House and the U.S. Department of Education to launch a “government coordinating council” that will facilitate formal collaboration among all government and school districts to help strengthen schools’ cybersecurity.
Importance of Reporting Schools’ Vulnerability
Schools can strengthen their security defenses by making it easier for researchers and ethical hackers—also known as “white hat” hackers—to report vulnerabilities. This approach mirrors social media platforms’ reporting features, which allow users to help moderate harmful content through crowdsourcing. The more people monitoring the system, the more secure it becomes.
To report a problem with a school website, you first need to know who to report it to. Timing is everything in addressing cybersecurity vulnerabilities and attacks; without a streamlined process, security researchers may need multiple emails and phone calls to the organization, delaying the notification process.
Security.txt File’s Role in Disclosure Process
Fortunately, there is a consistent reporting method that can be added to a school or EdTech vendor’s website. The security.txt file concisely advertises an organization’s vulnerability disclosure process. The security.txt file sets clear guidelines for researchers on how to report security issues. For example, it provides contact information for reporting security vulnerabilities, such as an email address, phone number, or web page.
However, adoption of security.txt is alarmingly low, not just for schools but across the board. Researchers at Carleton University discovered that only about half of a percent of the world’s top one million websites publish a security.txt file. United Kingdom government banks possess the highest adoption rate, and large tech companies, including Dropbox, Meta, and Microsoft, are following suit. There is a tremendous opportunity for schools to take advantage of this standard. Only nine (0.06%) U.S. K-12 school districts and 15 higher education institutions (0.65%) possess a valid security.txt file. Organizations that are part of the Future of Privacy Forum’s Student Privacy Pledge represent a slightly higher rate, with 4.68%.
| List/Sector | Count | Valid Security.txt | Percent |
|---|---|---|---|
| U.S. Government Websites | 979 | 12 | 1.23% |
| Fortune 500 | 500 | 31 | 6.20% |
| Student Privacy Pledge | 440 | 18 | 4.09% |
| Common Sense Media Education Privacy Ratings | 1133 | 53 | 4.68% |
| US Higher Education | 2298 | 15 | 0.65% |
| S & P 500 | 500 | 19 | 3.80% |
| K12 School Districts | 15348 | 9 | 0.06% |
| Hospitals | 2282 | 12 | 0.53% |
| UK Banks | 21 | 5 | 23.81% |
| Clever EDTech list | 1191 | 34 | 2.85% |
Spread the Word about Security.txt
The premise of the security.txt file is simple: make it easy for cybersecurity researchers to notify an organization of its security vulnerabilities. We encourage all organizations to adopt this measure, especially K-12 school districts and universities, which already experience many security risks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends that all schools implement the “security.txt” standard to streamline the notification process and mitigate cyber threat risks. For more information about steps your school can take to enhance your cybersecurity, visit CISA’s K-12 Cybersecurity Report and Toolkit.
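The counts above distinguish a “valid” security.txt from a file that merely exists. The example below, added here and not part of the original article or of any school’s published file, shows what that validity check looks like in practice: it parses a security.txt document and applies the structural rules of RFC 9116, the standard that defines the file (a required Contact field whose values are mailto:, tel: or https:// URIs; a single required Expires timestamp that has not yet passed and, by recommendation, is less than a year out; at most one Preferred-Languages field; unknown fields ignored). The two sample files, the example-district.k12.us names and the fixed check date are constructed for the example. A district’s IT staff can run it against a draft file before publishing it at /.well-known/security.txt.

```python
"""Validate the structural rules of a security.txt file (RFC 9116).

Added example. The sample files and domain names below are constructed
for illustration and do not belong to any real school or vendor.
"""
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("contact", "expires")
SINGLE_VALUE_FIELDS = ("expires", "preferred-languages")
KNOWN_FIELDS = {"contact", "expires", "encryption", "acknowledgments",
                "preferred-languages", "canonical", "policy", "hiring", "csaf"}
# RFC 9116: Contact values are URIs. E-mail and phone numbers use the
# mailto: and tel: schemes; web addresses must use https.
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")

# Fixed "now" so the sample runs deterministically (constructed value).
CHECK_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample of a well-formed file, as it would be served at
# https://example-district.k12.us/.well-known/security.txt
GOOD_SAMPLE = """\
# Vulnerability disclosure contacts for the district (constructed sample)
Contact: mailto:security@example-district.k12.us
Contact: https://example-district.k12.us/report-a-vulnerability
Expires: 2025-12-31T23:59:59.000Z
Preferred-Languages: en, es
Policy: https://example-district.k12.us/vulnerability-disclosure-policy
"""

# Constructed sample of a file that exists but is not valid: the contact
# is a bare e-mail address rather than a mailto: URI, and Expires is missing.
BAD_SAMPLE = """\
Contact: security@example-district.k12.us
"""


def parse_security_txt(text):
    """Split the file into (fields, warnings).

    fields maps a lowercase field name to its values in file order.
    Blank lines and '#' comments are skipped. Unknown fields are ignored,
    as RFC 9116 tells parsers to do, but reported as warnings.
    """
    fields, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            warnings.append(f"line {lineno}: ignored malformed line {raw!r}")
            continue
        if name not in KNOWN_FIELDS:
            warnings.append(f"line {lineno}: ignored unknown field {name!r}")
            continue
        fields.setdefault(name, []).append(value)
    return fields, warnings


def parse_expires(value):
    """Parse an RFC 3339 timestamp such as 2025-12-31T23:59:59.000Z.

    Returns an aware datetime, or None if the value is malformed or has
    no time zone offset.
    """
    stamp = value.strip()
    if stamp[-1:] in ("z", "Z"):  # older fromisoformat() does not accept 'Z'
        stamp = stamp[:-1] + "+00:00"
    try:
        parsed = datetime.fromisoformat(stamp)
    except ValueError:
        return None
    return parsed if parsed.tzinfo is not None else None


def validate_security_txt(text, now=None):
    """Return {'valid': bool, 'errors': [...], 'warnings': [...]}."""
    now = now or datetime.now(timezone.utc)
    fields, warnings = parse_security_txt(text)
    errors = []

    for name in REQUIRED_FIELDS:
        if name not in fields:
            errors.append(f"missing required field {name}")
    for name in SINGLE_VALUE_FIELDS:
        if len(fields.get(name, [])) > 1:
            errors.append(f"field {name} must appear only once")

    for contact in fields.get("contact", []):
        if not contact.lower().startswith(CONTACT_SCHEMES):
            errors.append(f"contact {contact!r} must be a mailto:, tel: or https:// URI")

    if len(fields.get("expires", [])) == 1:
        expires = parse_expires(fields["expires"][0])
        if expires is None:
            errors.append("expires is not an RFC 3339 timestamp with a time zone")
        elif expires <= now:
            errors.append("file has expired and must be treated as stale")
        elif expires - now > timedelta(days=365):
            warnings.append("expires is more than a year out (RFC 9116 recommends less)")

    return {"valid": not errors, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, validate_security_txt(sample, now=CHECK_TIME))
```

The check deliberately treats an expired file as invalid rather than merely stale: a researcher who finds an out-of-date contact has no better path than one who finds no file at all, so an Expires date that has passed should be caught by whoever maintains the site, not by the person trying to report a problem.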
Connecting Experts to Make Privacy-Enhancing Tech and AI Work for Everyone
The Future of Privacy Forum (FPF) launched its Research Coordination Network (RCN) for Privacy-Preserving Data Sharing and Analytics on Tuesday, July 9th.
Industry experts, policymakers, civil society, and academics met to discuss the possibilities afforded by Privacy Enhancing Technologies (PETs), the inherent regulatory challenges, and how PETs interact with rapidly developing AI systems. FPF experts led participants in a workshop-style virtual meeting to direct and inform the RCN’s next three years of work. Later that day, senior representatives from companies, government, civil society, and academia met at the Eisenhower Executive Office Building to discuss how PETs can be used ethically, equitably, and responsibly. Among the major themes:
Privacy Enhancing Tech can support socially important data-driven research while protecting sensitive personal info;
In some contexts, there are hard questions about how to implement PETs while preserving data that is crucial for assessing and combating bias, especially when it comes to AI decision-making systems;
Greater clarity about how regulators apply data protection laws to information subjected to PETs safeguards could increase the use and effectiveness of Privacy Enhancing Tech;
Analysis of existing PETs implementations can yield important insights into the opportunities and challenges of particular tech and approaches.
Virtual Kickoff
FPF hosted a Virtual Kickoff event where over 40 global experts helped shape the RCN’s work for the next three years. There were three main areas of discussion. First, how can we broadly define a PET while still having a clear scope? Second, what can we learn from the opportunities and challenges encountered by existing PETs implementations? Third, what are the most important requests for policymakers?
Here’s what the experts had to say:
Broadly Defining PETs
Deciding what is and isn’t a PET is essential for making any recommendations for their use, but forming a definitive list is inherently fraught with complexity and counterexamples. Some participants suggested that building a framework and a series of questions to ask about a given use case with an applied technology could be a helpful way to move forward. Participants also noted that usability is essential in defining a PET—without understanding and building for the end users, we risk PETs losing their intended value. Relatedly, participants noted the sociotechnical nature of this work and emphasized the need to think about the human elements that attach to technologies.
PETs Possibilities
Participants identified many areas of opportunity for PETs usage, such as in the social sciences, medical research, credential verification, AI model training, behavioral advertising, and education. At the same time, there are several known issues, including balancing the tradeoff between privacy and data utility, a lack of policy clarity and economic incentives to use PETs, computational overhead, ethical considerations, and, for some, a lack of trust in the technologies. Experts advised that for more people to use PETs, the tools must become more accessible and provide additional training and support for new users. Participants identified AI as a contributor to both the opportunities and challenges while agreeing that AI technologies are a key part of some aspects of the PETs landscape moving forward.
Policy Asks for Regulators
The most frequent request was for more regulatory clarity around PETs. For example, experts wanted to know what legal and technical obligations organizations have using PETs, what regulators need to see to support the development of PETs as a mechanism for meeting data minimization and other requirements, and what the legal definitions of de-identification or anonymization are when using PETs. While some suggested regulators needed specific use cases to make such determinations, others indicated that no one wants to “go first” and suggested general use cases representing common PETs uses could be instructive. Regardless of how clarity is achieved, experts want lawmakers and regulators to provide specific measurements for how organizations can comply with various legal regimes, accurately estimate risk, and make informed decisions about PETs deployment.
A White House Roundtable Event
The Roundtable meeting, hosted by the White House Office of Science and Technology Policy at the Eisenhower Executive Office Building’s ornate Secretary of War Suite, marked the beginning of a collaborative effort to advance Privacy Enhancing Technologies and their use in developing more ethical, fair, and representative AI. The meeting commenced with an overview of the project’s goals. Hal Finkel, Program Manager for Computer Science and Advanced Scientific Computing Research at the Department of Energy, and Greg Hager, Head of the Directorate for Computer and Information Science and Engineering at the National Science Foundation, expressed their agencies’ commitment to ensuring technology benefits every member of the public, emphasizing the critical role of PETs in maintaining data privacy, especially in AI applications that require extensive data collection.
Participants discussed the global momentum behind PETs driven by new data protection laws from the local to international levels. They highlighted the necessity of creating robust governance frameworks alongside technological innovations to ensure ethical use. Additionally, they articulated the complexities of studying AI’s societal impacts, particularly involving vulnerable populations, highlighting the need for governance frameworks to accompany technological solutions to privacy preservation.
Artificial Intelligence
The group also dove into some of the challenges and opportunities posed by foundation models: machine unlearning, balancing privacy with utility in personalized assistants, and identity/personhood verification. These issues underscore the necessity for advanced PETs that can adapt to evolving AI capabilities. Several people shared practical insights from the deployment of PETs in large-scale projects, such as the U.S. Census, conveying the importance of starting with a clear use case and ensuring equal footing for PETs teams to ensure success.
Specific opportunities for PETs in AI system testing were outlined, such as enabling organizations to disaggregate existing data internally and facilitating private measurement. Challenges included the need to relate metrics to life outcomes without extensive data sharing and understanding the impact of AI systems on individuals. Participants noted coordination challenges in setting up technical elements at this early stage and the gap from theory to practice.
Business Cases
Attendees also focused on the role of government in supporting business cases for PETs and the need for broader dissemination of PETs expertise beyond academia and big tech. Many people underscored the importance of public trust and consumer advocacy regarding PETs. As consumer sentiment shifts towards greater awareness of privacy issues, a unique opportunity exists to root efforts in democratic consensus and ensure that marginalized groups are adequately represented and protected.
The discussion also touched on the economic and other forms of feasibility of PETs, noting that deployment and operational costs can be prohibitive. Several people reaffirmed the need for public trust in PETs, highlighting that consumers are increasingly aware of privacy stakes and expect technologies to protect their data. They also reiterated the importance of centering public trust and consumer advocacy in these efforts.
Supporting Additional Deployment
The meeting concluded with a focus on the FPF RCN’s future direction, maintaining the need for ongoing collaboration to accelerate progress toward a privacy-preserving data-sharing and analytics ecosystem that advances democratic values. By bringing together a diverse group of experts, the RCN will foster convergence, address persistent differences, and support the broad deployment of PETs. Based on expert input such as this Roundtable, FPF will explore various mechanisms for deployment, including new technology, legal and regulatory frameworks, and standards and certifications, particularly in use cases that support privacy-preserving machine learning and the use of AI by U.S. federal agencies.
As the meeting wrapped up, participants expressed optimism and a shared commitment to ongoing collaboration. The future of AI and privacy lies in the collective ability to innovate responsibly, govern wisely, and earn the public’s trust, paving the way for a new era of privacy-preserving technologies.
Next Steps for The RCN
FPF is gathering all of the participants’ feedback, suggestions, and ideas, and we’ll send out a roadmap for the first year shortly. The two main groups (Experts and Regulators) will meet regularly to provide substantive feedback on our progress. About 18 months from the RCN launch, we’ll bring both groups together for an in-person event in Washington, D.C., for an in-depth working session.
Want to Contribute?
If you’re a subject matter expert on PETs or use PETs and want to contribute to their future use and regulation, we want to hear from you!
Sign up here to be considered for the Expert or Regulator Sub-Groups. For questions about the RCN, email [email protected].
The Research Coordination Network (RCN) for Privacy-Preserving Data Sharing and Analytics is supported by the U.S. National Science Foundation under Award #2413978 and the U.S. Department of Energy, Office of Science under Award #DE-SC0024884.