A new law protecting student data in Delaware puts the onus on ed-tech vendors to keep identifiable student information private, and signals a continued emphasis on the issue by states.
Delaware’s Student Data Privacy Protection Act seeks to protect students’ personal identification by prohibiting education technology companies and service providers from selling student data or using it to market or advertise to students and their families. It was signed into law by Delaware Gov. Jack Markell on Aug. 7. The same day, the governor also signed the Delaware Online Privacy and Protection Act, aimed primarily at prohibiting companies from using a child’s personal information to market alcohol, tobacco, firearms and body piercing to minors online.
The bipartisan student-data privacy act models itself on a landmark California law, the Student Online Personal Information Protection Act, or SOPIPA, passed last year, and was introduced by Delaware state Sen. David Sokola, a Democrat. “We’re in a world now where marketers are good at what they do,” he said. “They’re very sophisticated and we need to stay ahead of them to protect kids.”
The act prohibits third-party operators of online educational services from selling student data, from using that data for targeted advertising, and from creating a profile on students using data they’ve collected, unless it is for educational reasons. It requires that vendors have security procedures in place to protect student data from unauthorized use and that data be deleted if requested by a school or district.
The Delaware law also sets up a Student Data Privacy task force to study the issue and to provide recommendations for improved security. The task force includes the state attorney general, state education officials, and the state secretary from the Delaware Department of Technology and Information.
Delaware’s law is part of a nationwide trend among states looking to control how student data is used, said Rachel Anderson, the senior associate of policy and advocacy for the Data Quality Campaign. Last year 25 states introduced bills modeled after the California law, she said, and some introduced several bills pertaining to various aspects of student data privacy. In all, 44 bills that addressed the issue were introduced in state legislatures and 11 have passed, she said.
“Regulating service providers directly as opposed to regulating states or districts ... is a huge theme this year,” she said. “It makes sense because districts or schools may not have the expertise or capacity to regulate service providers themselves.”
The federal government is also looking closely at the issue with an update to the main federal law covering student data privacy, in addition to the introduction of other legislation addressing the topic.
Proponents of the Delaware student data privacy law, and other similar pieces of legislation, say the act protects data while still allowing researchers and ed-tech companies to use “aggregate data"—data taken in a large form that doesn’t identify individual students or reveal specifics about them—to study student achievement and to help products evolve.
The law “doesn’t stifle innovation,” said JR Starrett, the director of advocacy for Common Sense Media. “App makers and curriculum makers can still use de-identified information to develop a better product.”
Vendors seem to agree. Brendan Desetti, the director of education policy at the Software & Information Industry Association, said his organization has been supportive of the California law because it’s not “totally cutting off companies or vendors from using data to help schools, but it provides protections for student information and addresses advertising concerns.”
Desetti said vendors may raise additional issues, however, as the California law comes into effect this coming school year. “The full impact on the ground is still to be determined,” he said.
And concerns remain about the security of student data, even in states that have passed laws like Delaware’s, said Pam Dixon, the executive director of the World Privacy Forum, a public interest research group. These laws do not address the issue of privacy surrounding student directory information, which includes more than what a parent might see in the paper reference that lists student addresses and phone numbers.
Student directory information can also include email and home addresses, photographs, and schools attended in the past and is available to any third party upon request—including for-profit companies and data brokers who routinely gather this information and sell their lists to marketers, Dixon said. That data is only kept private if parents opt out of opening up directory information, a process that can be confusing, she said.
Laws like Delaware’s don’t address directory information, she said. “It’s a positive step, but there’s still a problem,” she said. “The window has been closed but the front door has been left open.”
See also: