Student Data Concerns Give Rise to Proposed Changes in Federal Education Privacy Laws
It has been over 40 years since Congress initially passed the Family Educational Rights and Privacy Act (“FERPA”) (20 U.S.C. § 1232g), also referred to as the “Buckley Amendment” after its primary Congressional sponsor. Needless to say, since the 1974 enactment of FERPA there have been substantial changes in the manner in which schools, colleges and universities collect, maintain and use student information, with such changes not limited to the switch from primarily paper files to electronic databases. In more recent years, there also has been a rapid expansion of third-party entities receiving personally identifiable information (“PII”) about students from school districts and postsecondary institutions, typically for legitimate educational purposes. The combination of increasing instances of electronic data breaches and concerns about recipients of personal student data using that information for unauthorized commercial purposes has led to the White House and members of Congress from both political parties calling for enhancements, if not wholesale reforms, to FERPA.
In a speech at the Federal Trade Commission (“FTC”) headquarters in January 2015, President Obama called for new federal legislation to protect student privacy. Over the course of this year, there have been five separate bills introduced in Congress to address bipartisan concerns about student data privacy, including two in the U.S. House of Representatives and three in the U.S. Senate. Below are summaries of these bills and their status as of this date.
Student Privacy Protection Act (H.R. 3157)
This bill would update and amend FERPA, and was introduced by Rep. Todd Rokita (R-IN) with important co-sponsorship from Reps. John Kline (R-MN) and Robert “Bobby” Scott (D-VA), the chairman and ranking minority member, respectively, of the House education committee. Rep. Marcia Fudge (D-OH) is also an original co-sponsor. Much of this bill mirrors current FERPA language, or is conceptually similar but updated to reflect current recordkeeping practices, but it also contains new requirements and restrictions in several key areas. Specifically, it imposes additional requirements for sharing student data with third party vendors performing school services and entities that perform college testing and financial aid analyses, including requiring education agencies/institutions to ensure such vendors have appropriate information security practices, requiring them to enter into written agreements with the vendors and mandating that such agreements are made available to parents. Additional key proposed changes from current law include: an express prohibition on the use of student information initially obtained to provide school services for marketing or direct advertising to those students (with certain exceptions); a mandate to designate the school official responsible for education records security and establish a data breach notification policy; and a requirement that each State educational authority verify that institutions and local educational agencies under its jurisdiction have complied with the notice and procedural requirements of FERPA and certify to the U.S. Department of Education (the “Department”) that such institutions and agencies are in compliance.
With respect to enforcement, which under FERPA is largely limited to requiring corrective action, or the extreme sanction of suspending federal funding for egregious violations, the bill would allow the Department to impose fines of between $100 and $1,500,000 (but not to exceed 10% of the annual budget of the education agency, institution or State educational authority). Additionally, the Department would be required to refer to the FTC or the U.S. Department of Justice certain violations by parties other than educational agencies, institutions or State educational authorities, and such parties would be prohibited from accessing PII for a period of between 5 and 12 years.
Status: H.R. 3157 was referred to the House Committee on Education and the Workforce on July 22, 2015. Committee staff has verbally indicated that a markup may occur shortly after the Congress returns from its August recess.
The Student Digital Privacy and Parental Rights Act of 2015 (H.R. 2092)
This bill is sponsored by Rep. Luke Messer (R-IN) and co-sponsored by Rep. Jared Polis (D-CO). Rather than amending FERPA, it would impose new restrictions and requirements on educational “operators,” which would be defined to include entities that operate a “school service” but not educational agencies or institutions. A “school service” would include a website, online service (including a cloud computing service), online application or mobile application used and designed/marketed for K-12 purposes. The bill would prohibit an operator from (1) knowingly engaging in or permitting “targeted advertising” on a school service (i.e., presenting advertisements to a student or student’s parent where the advertisements are selected based on information obtained or inferred from the student’s online behavior or use of online applications or mobile applications or from covered information about the student maintained by the operator); (2) selling PII and other data that is linked or linkable to PII; (3) collecting, generating, using, or disclosing any covered information for purposes of targeted advertising; (4) collecting, generating, or using covered information (including using covered information to create a personal profile of a student) other than for K-12 purposes; or (5) disclosing covered information, unless the disclosure is made pursuant to certain processes specified in the bill.
This bill also would require each operator to (a) have reasonable security procedures appropriate to protect the confidentiality, security, and integrity of covered information; (b) delete a student’s covered information that is not required to be maintained by law within 45 days after a request from an educational agency, institution, or student's parent or within one year after the operator ceases to provide the service; (c) disclose publicly and to each educational agency or institution to which the operator provides a school service, the types of covered information collected or generated, the purposes for which the covered information is used or disclosed to third parties, and the identity of any such third parties; (d) facilitate access to and correction of covered information by a student’s parent or system user; (e) implement policies and procedures for responding to data breaches that occur on a school service; and (f) notify the FTC and, as appropriate, students, parents, educational agencies or institutions, or officials and teachers of such agencies or institutions of each such data breach. The bill would provide authority to the FTC to enforce this law and treat violations as unfair or deceptive acts or practices under the FTC Act.
Status: H.R. 2092 was referred to the House Subcommittee on Commerce, Manufacturing and Trade on May 1, 2015. The White House endorsed the bill in a blog post on May 1, 2015, calling the bill “an important bipartisan step.”
The Safeguarding American Families from Exposure by Keeping Information and Data Secure Act (S. 1788)
The “SAFE KIDS” Act was introduced by Sens. Steve Daines (R-MT) and Richard Blumenthal (D-CT), and is essentially the Senate companion bill to H.R. 2092. Like its House counterpart, this bill would not amend FERPA but instead create new requirements for operators that provide online educational services and similar services to educational agencies and institutions. One key difference between the two bills is that the SAFE KIDS Act would extend privacy protections to pre-kindergarten students. Otherwise, the provisions of the two bills are substantively similar. The SAFE KIDS Act would prohibit operators from (1) engaging in or permitting “targeted advertising” on a school service; (2) collecting, generating, using, or disclosing any PII and certain information that is linked or linkable to PII; (3) selling PII and certain information that is linked or linkable to PII to a third party; (4) collecting, generating, or using covered information (including using covered information to create a personal profile of a student) other than for PreK-12 purposes; (5) disclosing covered information, unless the disclosure is made pursuant to certain processes specified in the bill; or (6) disclosing covered information to a third-party service provider of a school service unless the operator contractually requires the provider to comply with all of the provisions of the Act.
Status: S. 1788 was referred to the Senate Committee on Commerce, Science and Transportation on July 16, 2015.
The Protecting Student Privacy Act of 2015 (S. 1322)
This bill was introduced by Sen. Edward Markey (D-MA) and is co-sponsored by Sens. Orrin Hatch (R-UT) and Mark Kirk (R-IL). It would amend FERPA to regulate access by “outside parties” to student records. An “outside party” would be defined as a person who is not an employee, officer or volunteer of an educational agency, institution or government agency, and includes any contractor or consultant acting as a school official or authorized representative or in any other capacity. Specifically, the bill would prohibit funding to any educational agency or institution unless the agency/institution (1) has implemented information security policies that protect PII from education records and require each outside party to whom PII is disclosed to have a comprehensive security program in place to protect such information; (2) does not use, release or provide access to PII to advertise or market services/products; and (3) has a practice that meets requests for student information with non-PII and requires that PII held by any outside party be destroyed when the information is no longer needed for the specified purpose. The bill would also require state agencies, educational agencies and institutions to ensure that any outside party with access to student records (a) provides parents access to any PII it holds about their students; (b) provides a process to challenge, correct or delete any inaccurate data via a hearing by the agency or institution providing the records to the outside party; (c) maintains a record of all persons and entities that have requested or obtained access to a student’s records; and (d) has in place information security procedures.
Status: S. 1322 was referred to the Senate Health, Education, Labor and Pensions Committee on May 13, 2015.
The Student Privacy Protection Act (S. 1341)
Sen. David Vitter (R-LA) introduced this bill, which would amend FERPA to restrict the release of student records to third parties, extend privacy protections to homeschooled children, prohibit psychological profiling of students and make other changes. The bill would prohibit funding of educational agencies or institutions that allow third parties to access student data unless (1) the agency/institution first notifies parents about the data that would be accessed, that the data will be made available to the third party only if the parent consents, that the parent has the ability to access and correct inaccurate data, and that the agency or institution and the outside party are liable for violations; (2) the agency or institution can ensure that the data cannot be used to determine the student’s identity; (3) the student data remains the property of the agency or institution and is destroyed when the student is no longer served by the agency or institution; and (4) the third party agrees to be liable for FERPA violations. The bill would also extend FERPA rights to parents of any students who have student data on file with an agency or institution, such as home-schooled students.
This bill would eliminate a current FERPA provision that allows agencies and institutions to permit the release of student educational records to organizations that study student aid programs, predictive tests and instruction, and would similarly eliminate the current exception for releasing student information to the GAO, the Department or state educational authorities for audits and evaluations of federally supported education programs or enforcement of federal legal requirements. This bill would also prohibit (a) the Department or educational agencies or institutions receiving federal funds from appending student data with PII obtained from federal or state agencies through data matches; (b) federal funds from being used to track a student’s education or career progression activities or obligate an elementary or secondary school student to involuntarily select a career or related job training; (c) psychological testing or predictive modeling of behaviors, beliefs, or value systems; (d) video monitoring or computer camera surveillance without a public hearing and consent of teachers and parents; and (e) surveys soliciting specified information about students or their families, including information on political affiliation, religious practices, or gun ownership. Additionally, it would require aggregation, anonymization, and de-identification of student data permitted to be released or collected under various exceptions; and it would make federal agencies and federal fund-receiving educational agencies, institutions, and third parties that fail to comply with FERPA civilly liable for a monetary award to affected persons.
Status: S. 1341 was referred to the Senate Health, Education, Labor and Pensions Committee on May 14, 2015.