In 1998, when the World Wide Web was an exciting novelty, several government agencies and advocates raised alarms about the unregulated collection of children's personal information from website owners.
A Federal Trade Commission survey conducted at the time — when about 14% of children used the internet at home or at school — found 89% of websites marketed for children had collected personal information directly from young users. Most troubling, the FTC wrote in a report, was the ease with which predators could communicate with children in chat rooms or online forums.
These "deep concerns" led to the passage of laws to safeguard children's personal online data, with the aim to prevent the unintended exposure of the details of a child's life and to keep kids safe.
But more than 20 years later, educators, parents, researchers and lawmakers are continuing to sound alarms about the vulnerability of children's online personal data as nearly every child is now able to access the internet from home, school or a smartphone in their pocket.
Federal laws and regulations have brought oversight and the promotion of best practices, as well as partnerships between ed tech companies and school systems. But some of those laws are now outdated or misinterpreted, critics say.
The Children's Online Privacy Protection Act, for example, was enacted in 2000 and last updated in 2013, just as social media really took off.
"It's so vital to protect student privacy but far too often, legislators didn't talk to people on the ground about what were the best ways to do that."
vice president of youth and education privacy at the Future of Privacy Forum
Since then, most state education departments and legislatures have developed stricter policies to further protect children's online privacy. According to the Data Quality Campaign, 45 states and Washington, D.C., enacted new student data privacy laws between 2014 and 2020.
Yet while school systems are required to protect children's online data, at the same time they are encouraged or mandated to collect and keep a vast amount of information about each student.
These data points include students' academic standing, images and videos, creative content, discipline referrals, social-emotional and physical well-being, special education records, socioeconomic status, and much more.
And often, school systems are putting their trust into third-party ed tech providers to safeguard this student information.
Although monitoring for online threats against students and data breaches has become more sophisticated over the years, some privacy advocates worry about the potential for inequitable tracking of student online activity and the security of so much data.
A survey of district IT leaders from the Consortium for School Networking names privacy and security of student data as the No. 2 top technology priority after cybersecurity.
In fact, the management and protection of student online data was a system already under strain and conflicting missions, and then in 2020, when the pandemic forced every student to learn from home virtually, things got even more complex.
Safeguarding student data
Nancy Byrnes has been IT director of Fairfield Public Schools in Connecticut since 2000. Over the years, she's seen technology evolve from computer labs students visited a few times a week to a situation where every student in grades 3-12 and many staff have school-issued devices.
In total, the 9,300-student district is managing about 12,000 devices and 67 paid applications, as well as many free apps.
Before the pandemic, Fairfield had created a streamlined process for vetting new web-based tools that required consideration of each application's instructional value, as well as federal and state student privacy compliance.
"What we're trying to do is avoid babysitting apps," Byrnes said. "We really don't want to give a kid something to do that's not really directly related to their education."
"It really comes down to decisions about what to share should be driven by what's the need to know, what's the benefit to the teacher and the student of sharing every single data element?”
chair of the board of directors for the State Educational Technology Directors Association and executive director of the Connecticut Commission for Educational Technology
A districtwide online system, operated by ed tech company LearnPlatform, allows teachers and administrators to request new applications, which brings efficiency to the process and helps reinforce the message to educators about the need to protect student data, Byrnes said. The district publicly posts the names of companies operating district-use applications, along with each application's student privacy compliance status.
In Fairfield, the app approval process can take months as district staff verify collection of student information is only for the district's educational purposes and will not include gathering personally identifiable information for marketing or other noneducational purposes.
When the pandemic hit in March 2020 the Connecticut Department of Education implemented a provisional compliance pledge program allowing districts to use applications vetted at the state level rather than needing to also enforce their own agreements.
There was still a need for district-level oversight, but it helped simplify the process during those hectic months when learning pivoted online, Byrnes said.
Even when all the best practices are being followed, protection of student data is not foolproof. For instance, when the district ceases to use an application, the tool's owners are supposed to purge all student data as required by the compliance pledge. But it's hard to prove this actually happens, Byrnes said.
In rare cases, ed tech companies have folded, making it nearly impossible to ensure students' private data has been permanently deleted, according to Byrnes.
"Nobody knows where that data is," she said.
Navigating federal, state rules
Several federal laws require schools to protect student privacy and aim to prevent inappropriate online behavior. Each is administered by different agencies of the federal government:
- The Family Education Rights & Privacy Act (1974): This law gives certain privacy rights to parents over their children’s education records. When students turn 18, those rights transfer to them. The most recent amendment came in 2012. The U.S. Department of Education oversees this act.
The Ed Department also oversees regulations for the Protection of Pupil Rights Amendment (1984), which confer rights on parents and students in survey participation, such as notification and an opt-out option.
- The Children’s Online Privacy Protection Act (2000): The Federal Trade Commission has authority over this act, which limits operators of websites and online services from collecting personal data on children under 13 without parental consent.
- The Children’s Internet Protection Act (2000): This law requires K-12 schools and libraries using E-rate discounts to restrict children's exposure to obscene content. The law also requires schools to monitor online activity of minors and educate students about appropriate online behavior. The Federal Communications Commission oversees this law, and rules implementing it were updated in 2011.
Some student data privacy experts say some of the laws are outdated or misunderstood. A bipartisan bill in Congress would update COPPA by prohibiting internet companies from collecting personal information from anyone 13-15 years old without parental consent. The legislation, which has not yet been acted on, would also create an "eraser button" requiring companies to let parents and kids eliminate personal information from a child or teen when "technologically feasible."
In September, several organizations — including the American Civil Liberties Union, the Center for Democracy and Technology, and the State Educational Technology Directors Association — urged Congress to update CIPA by clarifying the law does not require schools to conduct "broad, invasive, and constant surveillance of students’ lives online."
Increased student online activity means districts' responsibilities for monitoring activity for bullying, potential violence and inappropriate content has grown, but schools need to be thoughtful about the negative consequences of collecting all this data, said Elizabeth Laird, CDT's director of equity in civic technology.
The groups are calling for clarification around CIPA because school systems should not be monitoring student online activity just for legal compliance purposes, Laird said. "They should be able to explain why they're doing it, connect it to some larger goal, and not have this kind of unintentional expansion and constant monitoring of students," she said.
Still others say the federal laws themselves aren't the problem — it's the mismatch of state laws and regulations that are financially and operationally burdensome to local school systems and ed tech providers.
Since 2014, more than 1,000 state student privacy laws have been introduced across the country, and about 130 have been enacted, according to Amelia Vance, vice president of youth and education privacy at the Future of Privacy Forum.
Some state student privacy laws, while well-intended, don't fit with practical applications in schools, data privacy experts say.
"It's so vital to protect student privacy," Vance said. "But far too often, legislators didn't talk to people on the ground about what were the best ways to do that."
In Louisiana, for example, some families had trouble accessing free meals at the onset of the pandemic because state rules prevented schools from sharing data about students who receive free or reduced-price school meals with agencies that helped distribute food during school closures. Several months later, the state legislature passed a bill giving schools temporary authority to share limited student information for this purpose.
Collaborating on data protections
Doug Casey, chair of the board of directors for the State Educational Technology Directors Association, said one of the most promising proposals in the COPPA legislation is the "eraser button" that would allow users to eliminate children's personal information in apps.
That kind of request to tech companies currently is easier said than done, he said, because it is difficult to simply delete data elements if they are commingled with other data points or if the data structure was redeveloped without delete capacity built in.
"To just sort of say, ‘Press the magic button and it all goes away,’ from an engineering perspective, it isn't all that easy," said Casey, who is also executive director of the Connecticut Commission for Educational Technology.
Responsible actor and intent of student data breaches
Fairfield Public Schools is working with Infinite Campus, the company that manages its student information system, to find solutions for purging student data that's no longer needed. "I don't want to have the exposure of information that I no longer need to retain, because that just gives the bad guys the opportunity to get information that we shouldn't have had in that file cabinet, if you will, because you no longer need it," Byrnes said.
In some cases, antiquated record retention laws are contributing to the difficulty for school districts in managing sensitive data, Vance said.
In New Jersey, school districts must keep certain student records for 100 years. Those records include former students' date of birth, name of parents, gender, health history and immunizations, standardized assessment results, grades, attendance, classes attended and more.
Casey said a positive trend over the last five years is a closer working relationship between educators and ed tech companies and developers. This relationship, he said, is important on both sides: Ed tech developers and engineers need to better understand districts' needs and responsibilities, and school systems need to understand ed tech companies' constraints.
"I think we tend to think about federal legislation, state legislation in school districts, but what we don't necessarily think so much about is the ed tech providers that we do depend on, and so they need to be part of the consideration," Casey said.
Sara Kloek, senior director of education policy at Software and Information Industry Association, a trade association representing the ed tech industry, said since the association's members consider school systems their clients, their business models rely on being responsive to schools’ needs, including student data protections.
Collaboration between educators, privacy advocates and ed tech companies has led to development of national best practices, and those have helped ed tech companies use common terminology and practices even as they attempt to meet different state regulations and respond to individual district priorities, Kloek said.
According to Vance, highlighting model approaches has been another effective way for school systems to learn about best practices. She points to Utah and Maryland as states that took deliberate approaches to understand their student data privacy challenges and find solutions. Utah also created several state-level positions to work on student privacy issues, including trainings for district-level staff.
Thoughtful data governance in school systems is a powerful way to protect student information, as is consistent training of teachers about safeguarding student data, Casey and others said. In the past, a school system's IT department would be the gatekeeper to all these student data elements. But now teachers have the ability to access student information systems and pull data fields to share with ed tech providers.
"It really comes down to decisions about what to share should be driven by what's the need to know, what's the benefit to the teacher and the student of sharing every single data element?” Casey said. “Because if there's no direct benefit to it, they shouldn't be sharing it."
Editor's note: This story has been updated to include Doug Casey's additional professional title as executive director of the Connecticut Commission for Educational Technology.