Education was one of the first areas where privacy was regulated by a federal statute. Passed in the early 1970s, the Family Educational Rights and Privacy Act (FERPA) was on the frontier of federal privacy regulation. But now it is old and ineffective. With the growing public concern about the privacy of student data, states are starting to rev up their engines and become more involved. The result could be game-changing legislation for the multi-billion dollar education technology industry.
There are notable gaps in FERPA that make it largely ineffective in protecting student privacy in today’s digital age. For example, FERPA lacks meaningful enforcement. Students and their parents have no right to sue for FERPA violations. Only the Department of Education can enforce the law. FERPA only allows one sanction — the removal of all federal funding for an educational institution. This sanction is so impractical and severe that the Department has never used it in FERPA’s four-decade history. Thus, enforcement of the statute is essentially nonexistent.
Moreover, FERPA enforcement only applies to schools. Unlike HIPAA, which gives the Department of Health and Human Services (HHS) the authority to enforce against nearly all entities that receive HIPAA-regulated information, the Department of Education lacks similar authority. The Department of Education is unable to enforce against businesses that are not schools, but that receive FERPA-regulated data.
FERPA also says little about selecting a cloud provider or about the responsibilities of such an entity. The FERPA Regulations state: “An educational agency or institution may disclose personally identifiable information from an education record only on the condition that the party to whom the information is disclosed will not disclose the information to any other party without the prior consent of the parent or eligible student.”
But FERPA does not have much more to say about the responsibilities of a cloud computing provider. In fact, it contains a potentially broad loophole. If a school discloses education records for outsourcing its functions, the FERPA Regulations allow the school to designate the cloud computing provider as a “school official” in order to facilitate the sharing.
When a school shares student data with a cloud service provider, the duties of the provider to protect the data are governed by the contract into which the school and the provider enter. Recently, Fordham School of Law’s Center on Law and Information Policy released a study of how public K-12 schools are handling privacy issues with regard to cloud computing. This report, Privacy and Cloud Computing in Public Schools, found that 95% of school districts use cloud services and share sensitive student data with these third party data service providers. At the same time, however, the contracts of the service providers with their providers were found to be derelict.
The weaknesses in the contracts were widespread. The Fordham Law School report found that only 25% of school districts provide adequate notice to parents about the use of cloud services. About “20% of the responding districts had no policies addressing teacher use of information resources.” Only 25% of the agreements “gave districts the right to audit and inspect the vendor’s practices with respect to the transferred data.” A quarter of the agreements failed to prohibit or limit “re-disclosure of student data or other confidential information.” None “specifically prohibited the sale and marketing of children’s information.” Finally, the Fordham Law study found, “Only one agreement (12.5%) required the vendor to notify the district in the event of a data security breach.”
FERPA is not getting the job done.
Congress’s Hibernation and the Awakening of the States
FERPA is in desperate need of reform. While Congress is asleep at the wheel, states are increasingly becoming active in education privacy.
State law can play an important role in education privacy because FERPA provides a floor of privacy protection, not a ceiling. It does not preempt more privacy-protective state laws.
As a general rule, when a state law is inconsistent with FERPA, the law that is more protective of privacy will govern. Moreover, most provisions of FERPA do not mandate disclosure or sharing of data – they merely permit it. Thus, there is no conflict if a state law restricts disclosure or sharing in non-mandated instances because FERPA does not require such disclosure. Finally, there is no conflict if state law requires additional requirements for contracting with third party data service vendors, or additional privacy rights to students or parents.
Recently, there has been increased media attention to education privacy issues as well as increased public concern and increased political involvement. Several states have enacted or proposed legislation to protect student data in an age of rapid growth in the market for educational technology software. California provides a good illustration of this trend.
California Law and Education Privacy
For the past two decades, California has led the way on privacy law by enacting some of the most privacy-protective laws in the country. Other states, the federal government, and international jurisdictions look to California for ideas regarding privacy legislation. For example, California created the country’s first data breach notification law, and now most jurisdictions have enacted similar laws.
In 2013, California continued this innovative path. It enacted an “eraser” law for children and young adults, which allows a right of deletion of posted content for registered users of an online service, mobile App’s, or certain other kinds of digital services. Note, however, the limited scope of this law compared to broader European proposals to create a broad “right to be forgotten” for everyone: the “eraser” law only applies to a limited group – namely, minor users who are registered users of certain sites or services. This statute also only limits operators of the regulated services and not third parties who might repost the original material.
What of educational privacy law in California? The core interest in this area of the state’s law is transparency. California law permits parents to access the school records of their children (see Cal. Ed. Code § 49069). It also requires schools to maintain a log of all individuals and organizations that request information from school records. Finally, California limits access to these logs and records to parents, school officials and certain kinds of governmental officials.
SOPIPA seeks to place strong restrictions on companies that operate K-12 online sites, services, and applications. The bill requires these entities to use student personal information only for school purposes. SOPIPA limits, in particular, any sales of student personal information to third parties, such as advertisers. It states that an operator of a regulated entity “shall not use, share, disclose, or compile personal information about a K-12 student for any purpose other than the K-12 school purpose and for maintaining the integrity of the site, service, or application.” The Bill also flatly prohibits use of “a student’s personal information for any commercial purpose, including, but not limited to advertising or profiling.”
SOPIPA requires deletion of a student’s personal information when it is no longer needed for the school purpose. The bill requires deletion when a “site, service or application is no longer used for the original K-12 school purpose”; the student requests deletion; once the information is no longer being used for a legitimate educational purpose; or the student ceases to be a student at the institution. In short, the proposed bill makes clear that online sites, services and applications cannot hold student information beyond the period or purpose associated with the original educational reason for collection.
Finally, SOPIPA would draw on general principles in California business law to create a private right of action. Here, is a clear contrast with FERPA, which does not grant private parties any such ability to enforce the law. The California Unfair Competition Statute allows individuals to sue for any unlawful, unfair or fraudulent business act or practice. A violation of SOPIPA would be an unlawful business practice under this statute. Pursuant to this ban in California on unfair competition, individuals and government entities could seek judicial remedies, including injunctions.
If enacted, SOPIPA would revolutionize the education technology market. SOPIPA is a striking example of how the absence of leadership on privacy issues by the U.S. Congress is inviting states to become more active.
* * *
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. He is the author of 9 books (including Understanding Privacy and Nothing to Hide: The False Tradeoff Between Privacy and Security) and more than 50 articles. Follow Professor Solove on Twitter @DanielSolove.
Paul Schwartz is the Jefferson E. Peyser Professor of Law at UC Berkeley School of Law and a Director of the Berkeley Center for Law and Technology. Schwartz is also a Special Advisor at Paul Hastings, where he works in the Privacy and Data Security Practice. He is the author of numerous books and articles on information privacy and information law. With Daniel Solove, he is the co-author of Privacy Law Fundamentals.
The views here are the personal views of Professor Solove and Professor Schwartz and not those of any organization with which they are affiliated.