No Expectation of Privacy

A new federal student privacy bill leaves out higher education, a move some legal scholars describe as a mistake.

March 25, 2015
Getty Images

WASHINGTON -- The Obama administration briefly considered but ultimately decided against expanding a new student privacy bill beyond K-12 education, according to sources with knowledge of the drafting process. The resulting draft is a “missed opportunity” for the White House to address privacy in higher education, legal scholars say.

The Student Digital Privacy and Parental Rights Act of 2015, which will be introduced later this week by U.S. House Representatives Luke Messer and Jared S. Polis, seeks to limit how educational technology companies can use data they collect from students using their products. It builds on a proposal released by the White House in January, which in turn resembles a student privacy law passed in California last year.

The bill was supposed to be filed on Monday, but by the end of the day, lawmakers were “still working through some of the technical nuances of the bill,” a spokeswoman for Messer said in an email. Those involving in drafting the bill -- a joint effort between the White House and the two representatives -- were reportedly asking for outside input as recently as this past weekend, suggesting a difficult balancing act between concerns raised by privacy advocates and pressure from the private sector.

A recent draft of the bill attempts to strike a compromise, according to The New York Times. It would prevent companies from using educational data for marketing purposes, but allow data to be disclosed for student “employment opportunities.” While the bill would allow students and their parents to request to see and correct data -- and let schools request that those records be deleted -- it would also enable companies to change their privacy policies after schools sign a contract to use their services.

And as the name suggest, the bill has nothing to do with higher education. Although the White House made initial contact with at least one higher education organization earlier this year to discuss privacy issues, conversations about whether or not to expand the bill’s scope did not move past that stage.

The decision did not come as a surprise to legal scholars who have followed the administration’s recent privacy initiatives. When Obama in January outlined new privacy proposals, he focused on two groups: individual consumers and students under the age of 18. In his State of the Union address the following month, he called on Congress to “protect our children’s information.” Last year’s student data privacy pledge, which has drawn support from more than 100 education and technology companies and an endorsement from the White House, was also aimed at K-12 students.

Still, Elana J. Zeide, a privacy research fellow at New York University’s Information Law Institute, called the administration’s decision not to make a broader statement on privacy “myopic.”

“At least on the most basic level, federal privacy law recognizes that higher education students should have privacy rights as well,” Zeide said. “Even if they’re not as vulnerable, higher education students can still suffer the harm that drives privacy concerns in the K-12 space.”

Zeide acknowledged that the bill “reflects most of the privacy conversation, which has really focused on children and the K-12 space.” Apart from the frequent malicious attacks that target colleges and universities, most of the major student privacy concerns that have surfaced in the past year have been related to students under the age of 18. Collapses of companies such as ConnectEDU and inBloom have triggered debates about data stewardship, for example, while Google’s practice of scanning student email for ad keywords raised questions about the terms of service that come with the ed-tech products schools use.

Yet those incidents also had higher education implications. ConnectEDU offered both college and career planning services, and Google provides email for many colleges and universities.

Limiting the privacy bill to K-12 education may also be a matter of “political expediency,” Zeide said, as politicians may be more willing to pass protections for minors than for legal adults, then extend those protections, if necessary. “Sometimes it sets the pace for protections that then bleed into -- or are seen as appropriate for adults to have also,” she said.

But not including higher education in the privacy bill could promote a “chilling effect” at colleges and universities, potentially limiting emotional expression and political activism, Zeide and other legal scholars pointed out. Recent research suggests this year’s freshman class is spending more time on social media and less on face-to-face socializing, meaning more information about their life in college is being collected and stored.

“The process of learning and the pursuit of truth in research requires privacy,” higher education consultant Tracy B. Mitrano, former director of I.T. policy at Cornell University, said. “Surveillance, whether it’s governmental or commercial, chills that process.”

Mitrano, who also blogs for Inside Higher Ed, said it would be a “mistake” not to extend the protections in the bill to students at colleges and universities. “It’s not about age,” Mitrano said. “It’s about the missions of higher education.”

Even if higher education were included in the bill, chances are privacy advocates still would not be satisfied. After a draft of the bill was circulated earlier this week, privacy groups were quick to criticize what they saw as loopholes in the legislation -- such as the ability to change privacy policies after the fact.

Asked how she would improve the bill, Mitrano pointed to the Family Educational Rights and Privacy Act. “I believe that FERPA already covers the issues raised in this privacy bill, mainly gathering of data by ed-tech companies and using it for their commercial purposes,” Mitrano said. “Rather than have this bill, I would amend FERPA to make it crystal clear… and then add technology security regulations, damages and a private right of action.”

The bill may grant the right to view and correct records, but that provision requires students and parents to take an active role in protecting the information. Zeide suggested more proactive regulations.

“One thing that would have to be in the bill is it provides protection without respect to students' and parents’ consent.” Zeide said. “Even if parents and students can make informed and meaningful choices -- which they have a difficult time doing in general -- it’s important that there are baseline rules and baseline protections.”

Mitchell L. Stevens, director of digital research and planning at Stanford University, said one policy that attempts to regulate both K-12 and postsecondary education would be a "bad idea."

"For adult learners, privacy is the wrong place to start," Stevens, associate professor of sociology, said. "I think privacy is the word we use to voice anxiety about the purposes of data when we don’t know what other language to invoke."

Stevens last year helped organize the Asilomar Convention for Learning Research in Higher Education, a gathering of faculty members and researchers to discuss appropriate use of data in higher education. The goal of the convention was to find new ethical guidelines for the glut of data produced at colleges and universities.

On Tuesday, Stevens also challenged the idea that students above the age of 18 should by default have full control of the data they produce.

"If you think about any empirical trace of instruction -- K-12 or postsecondary -- they’re really joint products," Stevens said. "The learner plays a role, the institution plays a role and the particular instructor plays a role. I think it’s fairly simplistic to default to the presumption that the data that are generated through that venture are primarily owned by one party."


Back to Top