Since the lockdowns, K–12 schools’ reliance on online education technology (Ed Tech) companies has grown exponentially, yet the laws that protect students’ online data are antiquated. Currently, parents have no legal recourse when student data privacy laws are violated.
Parents believe that school districts are required by student privacy laws to get parental consent to have students use online applications and SEL-infused technologies, but this is not always the case.
In addition, the pace at which Ed Tech companies are gathering and using student online data is on hyperdrive, much of it gathered through Social-Emotional Learning (SEL) focused platforms and surveys, but school districts’ online data privacy infrastructure has not adapted.
According to privacy and cybersecurity expert Joel Schwarz, districts are not prioritizing parental rights and student privacy.
SDPP
Mr. Schwarz is the co-founder of the organization Student Data Privacy Project (SDPP), which has been pushing school districts to release student data and metadata to parents and working to get the U.S. Department of Education (DOE) to penalize districts that do not comply with federal student data privacy laws and provide all the metadata to the parents.The federal laws that were designed to protect student data and allow parents to see all student records are outdated or insufficient.
The DOE’s Family Educational Rights and Privacy Act (FERPA) is supposed to protect the privacy of student’s educational records and limit how educational institutions can disclose personally identifiable information (PII), and the Protection of Pupil Rights Amendment (PPRA) is there to limit the collection of PII through surveys, analyses, or DOE backed evaluations.
There is also the Children’s Online Privacy Protection Act (COPPA), which covers data privacy for online collection of PII from children under the age of 13.
FERPA
FERPA should be enough to allow parents to easily acquire their child’s school records, whether online or written. However, the law was created 1974 before the internet and concerns about metadata. It was meant to limit how student records were used, and to whom and how they were disclosed, but in its current form, it allows student data to be shared more easily with the Ed Tech companies than with parents.“Fast forward now … and the schools use the ‘school official exception’ designation to disclose data to the Ed Tech companies without parent’s consent,” Mr. Schwarz said.
This designation gives Ed Tech companies the same status as principal or teacher, allowing them to access and use student data.
Some school districts claim that because these student records are not “centrally stored” by the school district, they are not FERPA records, said Schwarz, making it so that “they don’t have to tell you what is stored by the Ed Tech providers.”
Mr. Schwarz said the more important question is not where the data is stored but who has direct control over the entity that keeps the students’ data and metadata.
SDPP filed a series of FERPA complaints in 2021 across the country to obtain student metadata, but to date, none of them have been resolved, said Mr. Schwarz.
“Nobody’s had their case resolved, and in fact, the DoE “told us point blank the only option they have, if they find a school violating FERPA, is to take away the federal funding, and they don’t want to do that. So, there is no other penalty structure under FERPA,” Mr. Schwarz said.
“You can’t just not enforce it because you don’t like the penalties,” Mr. Schwarz said. Their FERPA complaints got a variety of unhelpful responses.
Some school districts responded to SDPP’s FERPA complaints by attaching their agreements with Ed Tech companies, stating that student data is protected under FERPA. Some districts claimed that FERPA does not apply to PII held by Ed Tech providers because the Ed Tech records are not “centrally stored.” Some parents were provided with ID and password information for the platform, which they already had but which did not give them access to child’s metadata, or there was no response at all, said Mr. Schwarz.
Mr. Schwarz believes the reason districts were not able to resolve SDPP parents’ FERPA complaints is because the FERPA Law is outdated and doesn’t fit the districts’ shift to primarily online/virtual education. In addition, Mr. Schwarz suspects that school districts may also be running into obstacles when they reach out to these Ed Tech providers on behalf of parents.
“But the problem is the schools have the contracts with the Ed Tech providers, the schools and the FERPA [DOE] are responsible for directly controlling them [Ed Tech], so they need to get the data from the providers,” said Mr. Schwarz. “I think it’s a lot of confusion over how this works.”
No Legal Recourse
Ed Tech companies need to be held accountable for mining and exploiting student data, said Mr. Schwarz.According to Mr. Schwarz, parents have no legal avenue to hold Ed Tech companies accountable because the school districts have contractual agreements with the Ed Tech providers, and districts must take action. State attorneys general cannot defend parents because they are obligated to defend the state education department in a lawsuit, and FERPA is not an option to sue under either, because the statute does not allow a private right of action.
Further, parents cannot sue Ed Tech providers directly because parents do not have the contract with the EdTech providers; the contract is with the school. Moreover, even in states that have their own privacy laws, those state laws don’t necessarily recognize the use of student data by these companies as a violation, because consent was given by the school district, even though their parents were not consulted and the students did not consent.
“Until DOE updates its regulations, Congress updates the law, or an Executive Order is issued, parents are left with no recourse,” said Mr. Schwarz.
Mr. Schwarz’s organization has spoken to a number of members of Congress, including Sen. Ron Wyden’s (D-Ore.) office, to discuss how to amend FERPA. Because FERPA is under DOE, the DOE could enforce the current rules, creating a precedent that the only penalty currently available under FERPA—taking away schools’ funding—is too harsh, after which Congress would have the impetus to amend the law.
Until DOE decides to enforce FERPA, Mr. Schwarz said his organization is talking to the Federal Trade Commission (FTC) about enforcing COPPA.
The long-term solution needs to be that FERPA is enforced and then amended.
Meanwhile, as privacy laws fail parents, data collection from students has increased, and parents are dismayed at being kept in the dark about surveys that collect PII, said Mr. Schwarz. In particular, districts find loopholes to justify why parents were not informed before and given the choice to opt out.
Top-Down SEL Mandate
The U.S. Department of Education 2020 report titled “Supporting Child and Student Social Emotional Behavior Mental Health Needs” (pdf), directs schools to establish an integrated framework for SEL and advocates for universal mental health screenings, saying “Districts are encouraged to adopt a structured and comprehensive universal screening process to catch internalizing and externalizing child or student needs.”Personal information is gathered through a variety of means under the banner of SEL, with surveys being implemented throughout the year in most schools. Some of them are federally mandated, with labels like school climate surveys, health surveys, and behavior risk surveys.
The American Rescue Plan Act (ARPA) and recent state policies have provided money to expand mental health and wellness services in schools, including $122.8 billion allocated for the Elementary and Secondary School Emergency Relief (ESSER). More recently, Congress passed the bipartisan Safer Communities Act, which also allocates funds to support school-based mental health services.
The “School Official Exception” designation allows schools to disclose children’s data to an Ed Tech provider for educational purpose, without parental consent, so long as the school maintains “direct control” over the provider, said Mr. Schwarz, which emboldens Ed Tech companies.
Most school districts contract with or use hundreds of online apps and programs, for which they technically have direct control but do not maintain oversight of that direct control to see how student data is being used, said Mr. Schwarz.
“Fact is, schools are not maintaining ‘direct control’ over Ed Tech providers, nor are they holding those providers accountable, which explains why 67% of public schools share children’s personal data with 3rd party advertising and analytics companies,” Mr. Schwarz said in a 2022 written testimony.
Cycle of Indoctrination
Ed Tech providers are permitted to administer invasive surveys to students, sometimes without parental knowledge or consent, depriving them of their PPRA rights of access and the ability to opt their children out.“This data is tied to their climate rating and the money that they get,” Rhonda Thomas, president of The Truth in Education, told The Epoch Times. “This data is being used by third-party organizations and to reinforce the need for more social emotional learning in our schools.”
“They’re giving them a survey, if that child is not on the track they want them to be on they can change the algorithm based on the surveys, they know what they need to do, to change the algorithm to start moving them either individually or as a group,” Ms. Thomas said.
Ms. Thomas said a lot of new legislation is written to support universal mental health screenings, which allows schools to bypass parental consent.
“HB 1013 has in there that we can do universal mental health screenings on everyone beginning infancy,” Ms. Thomas said.
Barbara Bush, an education consultant for Truth in Education, told The Epoch Times that schools are not teaching students to think critically but training them to react.
“Educating is presenting information in its proper context. In a way that it can be applied in multiple ways,” Ms. Bush said. “Whereas training is designed to eliminate the reflective critical thinking. It is to give you many responses that become reactions and our reaction is void of thought.”
According to many parental rights groups, including Courage is a Habit, the online surveys and SEL curriculum have the same end goal which is to collect student data and perpetuate a cycle of indoctrination. This allows the Ed Tech companies to continue to profit and for school districts to cheat students out of a rigorous academic education.
Scope of Data Mining
“The schools give children evaluations that measure mental health based on highly personal questions about sexuality, depression and anxiety, family life, risky behaviors, and attitudes and beliefs about divisive issues like race and gender. The results are stored in the child’s dashboard, creating a permanent psychological profile that follows them as they change grades or even schools through SLDS [statewide longitudinal data systems],” states the Truth in Education report.The PII data collected by students is very detailed and specific.
A factor that allows this level of data collection is that FERPA does not limit Ed Tech in their use of the data because there is a lot of room for interpretation of the law, said Mr. Schwarz.
“It’s a gray area,” Mr. Schwarz said, adding that he has heard Ed Tech providers say “that FERPA doesn’t explicitly prohibit advertising,” said Mr. Schwarz. “It doesn’t say you can’t use educational data for purposes of refining your product and building new products to service students.”
In addition, The Markup revealed that Naviance is owned by PowerSchool, which is owned by a private equity firm Vista Equity Partners, which stores data on more than 75 percent of the nation’s K–12 students.
Children’s personal information collected from their activities at school is being used to create personality profiles that may land them on lists used by law enforcement to identify potential criminals. Florida’s Pasco County Sheriff’s Office used student data to target “at-risk” youth.
Statewide Longitudinal Data
According to a 2019 Pioneer Institute report called “Social-Emotional Learning: K–12 Education as New Age Nanny State,” by Dr. Karen Effrem and Jane Robbins, in 2000, the DOE began to develop statewide longitudinal data systems (pdf) through a grant program. Since then, many states have received federal funding to develop and improve their SLDS infrastructure.Since 2002, the DOE incentivized the collecting and storing of student data.
“Whatever parents know about their child, the SLDS probably knows it, too,” the Pioneer Institute report states.
A state’s SLDS may contain massive data points on each student (including mental health and SEL data) and would be stored at least to the end of a student’s K–12 years. And with interoperability, that data could be shared universally.
Interoperability is a huge component to education data collection, whistleblower and California parent Lisa Logan told The Epoch Times. School divisions can link with other districts across the United States for easier data sharing but create a greater risk to privacy, she said.