A “landmark” student data privacy bill aimed at strengthening protections for students whose data is being collected by software companies was introduced in the House Wednesday — and would give the Federal Trade Commission new authority to penalize wrongdoers.
The highly anticipated Student Digital Privacy Act, introduced by Reps. Luke Messer, R-Ind., and Jared Polis, D-Colo., was slated to be unveiled last month, but was delayed after privacy advocates and parent groups argued that the bill didn’t crack down strongly enough on education technology companies that routinely collect student data.
This is “the most significant federal attempt to protect student data in decades,” the bill’s sponsors said in an announcement released Wednesday, adding that the bill has the support of nearly two dozen education groups, parent associations, industry leaders and privacy advocates.
“The status quo surrounding the protection of our student’s data is entirely unacceptable,” Polis said in a statement. “It’s like the Wild Wild West — there are few regulations protecting student’s privacy and parental rights, and the ones that do exist were written in an age before smartphones and tablets.”
Messer added that he and Polis tried to “find the right balance between using technology to improve education outcomes and supporting a parent’s right to protect their child’s personal information. I think we’ve struck that balance with this bill.”
The bill would give significant oversight powers to the FTC, which would have regulatory authority along with the Education secretary over edtech companies, with the ability to enforce penalties on companies that abuse student information. The FTC would also be tasked with issuing reports on data breaches to Congress and on its website.
Privacy advocates hailed the revised bill. “Today’s bill introduction is recognition that everyone who has a stake in education, including the federal government, has a role to play in ensuring that we protect the personal information of our students,” said Aimee Guidera, president of the Data Quality Campaign.
But other experts at the National Association of State Boards of Education cautioned that this bill covers only a swath of service providers in schools – it does not address bus or food service companies that also take in student information.
The Software & Information Industry Association, which has been critical of the need for a new federal policy about student privacy, issued a more cautious statement.
“Congress must avoid unnecessarily adding to the patchwork of state laws and federal regulations that already govern schools and service providers,” said Mark MacCarthy, vice president of public policy. “Doing so could limit student access to advanced learning technologies that are essential to modern education.”
To date, 38 states have introduced more than 100 bills about student privacy, according to DQC. There is also an effort underway to update the Family Educational Rights and Privacy Act, which protects students’ emails and other information, but it is unclear when lawmakers will take it up again.
As more high-tech products make their way into classrooms, parents and privacy experts have sounded the alarm about whether companies are misusing students’ data, or selling the information to third-party vendors who could potentially advertise merchandise to kids. The new law expands the definition of “covered information” to include metadata – data about data, like where a child’s computer is located in a building – and other residual footprints students leave when they use educational products.
If edtech companies do use third-party vendors, the subcontractors would have to sign a document pledging not to use student data for any new purposes and not to release the data to anyone else. The companies would be required to delete most of a student’s covered information within 45 days of receiving a request from school officials or parents — and they have to erase the data entirely within a year of ceasing to provide services to the student or school district.
Liz Hill, a spokeswoman for Messer, told FedScoop the original draft had to be scrapped to make sure stakeholders were happy with the final result.
“There were obvious concerns with the first draft that we circulated with different stakeholders,” she said. “We continued working on the bill until we got it to a place where everyone was feeling comfortable, from tech groups to privacy groups to parent advocates. We spent the last month trying to work out the kinks.”
Polis and Messer will try to drum up support from more of their colleagues. Sens. Richard Blumenthal, D-Conn., and Steve Daines, R-Mont., are working on a similar bipartisan bill.
This article has been updated with comments from various associations.