Reaching a Congressional Consensus Will Likely Require Additional Deliberation
During the current 114th U.S. Congress, a variety of House and Senate bills have been introduced that propose different approaches to addressing the growing bipartisan concern about protecting the privacy of student data (below, "Personally Identifiable Information" or "PII"). The bills address PII maintained by public and private educational institutions and state educational agencies and, in some cases, PII maintained or accessible by technology service providers or other third parties doing business with these educational entities.
Consensus regarding how and whether to increase federal mandates and penalties concerning protection of PII has not yet been reached, but awareness exists that student PII, whether for K-12 students or older, is becoming increasingly vulnerable to unauthorized disclosure or misuse, in particular for marketing purposes. Another concern is that the Family Educational Rights and Privacy Act (FERPA)the primary federal statute designed to protect private student informationmay not be adequate to respond to technological changes in how PII is stored, shared and accessed, although how and whether to amend FERPA to address this concern is far from settled.
As summarized in this Alert, the congressional proposals introduced thus far take very different approaches, including establishing a study commission to develop legislative proposals with the input of the government and the private sector; imposing additional regulation on K-12 technology service providers; and strengthening and updating FERPA, with or without enhanced governmental and private enforcement mechanisms to incentivize compliance by educational institutions and service providers.
Approach 1: Establishment of a Study Commission
Examine whether there is a need to provide or update standard definitions for terms related to student privacy, including: "(i) education record; (ii) personally identifiable information; (iii) aggregated, de-identified, or anonymized data; (iv) third-party; and (v) educational purpose"; Identify which federal laws should be updated and the appropriate federal enforcement authority to execute such laws; Address data sharing in an increasingly technological world, including evaluating protections in place for student data when it is used for research purposes; establishing best practices for any entity that is charged with handling, or that comes into contact with, student education records; ensuring that identifiable data cannot be used to target students for advertising or marketing purposes; and establishing best practices for data deletion and minimization; Discuss transparency and parental access to personal student information by establishing best practices for ensuring parental knowledge of any entity that stores or accesses their student's information; parental rights to amend, delete or modify their student's information; and the designation of a central contact in a state or a political subdivision of a state who can oversee transparency and serve as a point of contact for interested parties; Establish best practices for the local entities who handle student privacy, which may include professional development for those who come into contact with identifiable data; and Discuss how to improve coordination between federal and state laws. Not later than 270 days after the date of enactment, the Committee would prepare and submit a report to the Secretary of Education and to Congress containing the findings of the...