The need for Privacy in Edtech

This blog post is a cherry-pick of great information from the article Edtech and Student Privacy California Law as a Model by Dylan Peterson published in 2016.

“Rob Curtin, a long-time employee at Microsoft and current chief privacy officer at an edtech startup, has warned that comprehensive restrictions on the collection and sharing of student data could “stifle innovation” and limit the educational benefits of edtech data. Curtin claims that historical data profiles of an individual student’s performance on assessments can be used to personalize lesson plans and instruction. Some policymakers and parents are susceptible to the knee-jerk reaction of maximum privacy protection for students, and some involved in the education industry are concerned that broadly written legislation could eliminate the many benefits of edtech and student data.

The Future of Privacy Forum developed the pledge with the help of the Software & Information Industry Association. Initially, fourteen companies agreed to take the pledge, including Microsoft and Houghton Mifflin Harcourt. Similar to SOPIPA, companies that took the pledge are “publicly committing themselves not to sell information on kindergartners through 12th graders.” The signatory companies also agreed not to use student data to target students with advertisements and not to create profiles of individual students without school or parent permission. In this way, the pledge is largely taking the core provisions of SOPIPA and extending them across state lines. Prior to publicly acknowledging their commitments, the initial signatories ensured they already complied with the requirements of the pledge in their business operations. And while the pledge is not legally binding, failure to uphold their commitment could land signatory companies in hot water with the Federal Trade Commission due to violations of their own public representations of their privacy practices.

Critics of the Student Privacy Pledge note that in the absence of concrete federal protections, these types of voluntary efforts can often lack oversight. Some have criticized the privacy pledge for failing to require specific security measures, “such as encryption of logins for sites that collect personal details about students.” Some companies that have signed the pledge do not even have basic encryption for their login process.”

-Dylan Peterson, Berkeley Technology Law Journal