As more districts handle an increasing caseload of ed tech apps and tools, there are more opportunities for student data privacy to be at risk.
Just in Connecticut, the number of technology products used in schools has doubled since the pandemic began, said Doug Casey, executive director of the Connecticut Commission for Educational Technology.
“The average school district is using hundreds of ed tech products,” Casey said. “The process of COVID expanded that dramatically.”
The Federal Trade Commission doubled down in a May policy statement announcing it will scrutinize ed tech providers’ compliance with the Children’s Online Privacy Protection Act, or COPPA. Specifically, the commission plans to focus on the ban against mandatory collection of student data, laws barring the use of student data for commercial purposes like marketing and advertising, the time period student data is retained, and ed tech’s responsibility to maintain reasonable security measures.
This FTC message was applauded in a statement by Sara Kloek, senior director of education policy at the Software and Information Industry Association.
“The FTC’s policy statement is helpful in reiterating what has long been required by COPPA, FERPA [the Family Educational Rights and Privacy Act], and many student privacy laws at the state level: that education technology providers must prioritize data minimization, security and use restrictions. These are key priorities for SIIA members,” Kloek said.
Less than a week after the FTC released its statement on enforcing ed tech compliance with COPPA, a report by Human Rights Watch found 146 of 164 ed tech products — or 89% — reviewed by the nonpartisan international organization used data practices that potentially risked or infringed on students’ privacy rights.
As the FTC heightens its public focus on ed tech companies and more reports begin to reveal violations, experts in the data privacy and education technology field weigh in on three ways districts can securely sign contracts ensuring they don’t enable providers to violate student data privacy.
1. Take inventory of the ed tech you're using
As more districts sign contracts with more ed tech companies, Casey said it’s helpful for districts to do an inventory of all the applications and technology tools being used, and then consider consolidating them.
“Lay them out, categorize them, and ask yourself like, ‘Why do we have five, 10, 12 products that do the same thing,’” Casey said. “That’s part of what makes getting your arms around the whole data management thing a lot easier … The fewer trusted products that you have, the better when it comes to protecting student data.”
He also said while teachers may be excited to try new tools, perhaps those new tech programs are not frequently used. Or maybe a company’s data privacy terms have been overlooked, Casey said.
2. Know your state and federal laws
It’s important to use language requiring compliance with state and federal laws in contracts with ed tech providers, said Janis Kestenbaum, a former senior legal advisor at the FTC.
Casey said as districts review contracts, it’s helpful to have a checklist aligning with state and federal laws on children’s data privacy protections. If doable, there should be a district leader who is very knowledgeable about state and federal laws, particularly COPPA and FERPA, Casey said.
Some districts might have access to statewide clearinghouse data of trusted ed tech providers to tap into, as well, he said.
While the FTC statement reiterates that the responsibility for student privacy falls more upon ed tech companies than schools, Kestenbaum said schools should closely examine how the provider plans to use student data and information.
But in a lot of cases, schools are not equipped to thoroughly read a company’s terms of service or privacy notices, said Kestenbaum, who is now a partner at law firm Perkins Coie, where she advises clients on compliance with privacy, data security and consumer protection requirements.
Casey added it’s key for district leaders to ask questions and push back on ed tech providers when striking up a contract. He said districts should be skeptical of companies willing to offer services to schools for free.
“Just because something is free, does not mean that you don’t have to worry about data privacy,” Casey said. “In fact, if it’s free, your flag should be going way up. Because if they’re not charging for it, their business model is they’re doing something with that data.”
Correction: A previous version of this story included the wrong acronym for the FTC. We have updated our story with the correct acronym.