The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

Legislators Seeking Answers on Student Data Privacy

by Chris Brook on Tuesday August 20, 2019

Contact Us
Free Demo
Chat

Federal lawmakers are looking for answers from educational technology companies on how they collect and process student data.

With the public – and now the government’s - increased awareness around data privacy, individuals have become more cognizant of what companies and services have their data.

That concern has slowly trickled down to legislators, who especially in the wake of last year’s Cambridge Analytica scandal, have prodded corporations, asking them to explain their policies around customer data acquisition and storage.

As students gear up to go back to school this month, federal lawmakers have shifted their attention to educational technology companies, specifically organizations that handle data on K-12 and higher education students.

Three senators, Richard J. Durbin (D-Ill.), Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) asked over 50 companies last week, including bigger firms like Facebook and Google, exactly what data they’re collecting from students and how they're safeguarding it.

Companies like Blackboard, which runs a popular learning management system that K-12 schools and colleges use, McGraw-Hill and Pearson, two of the big educational publishers, Kaplan, Cengage, and The National Research Center for College & University Admissions (NRCCUA) all received letters as well.

“Beyond serious safety and security risks, students have little control over how their data is being collected and used. Students and parents are often unaware of the amount and type of data being collected about them and who may have access to it," the senators wrote last Monday. "From academic performance data and web histories, to location data and other personally identifiable information such as date of birth or address, it is imperative that we take steps to ensure students' data is being secured and protected."

The lawmakers have eight multi-part questions for the companies, most of them dealing with the collection of data, how its handled and used - i.e for advertising or sold to a third party, and whether students can opt out of data collection. The senators are also curious how the companies organize students' data, through labels or categories, whether they've offered personal data, like their date of birth or address, to view or sign a Terms of Service (TOS) or End-user license agreement (EULA), and how they view their obligations under the Family Education Rights and Privacy Act (FERPA) and Children's Online Privacy Protection Act (COPPA).

While the senators are asking questions, they're also interested if any of the companies have experienced a breach, if so, how many students were impacted, and whether the breach was disclosed to victims in writing.

The request comes almost a year after the FBI warned the public about the rapid proliferation of educational technologies and the vast array of data that companies can collect.

In a Public Service Announcement at the time the FBI warned that some EdTech services can collect:

  • personally identifiable information (PII);
  • biometric data;
  • academic progress;
  • behavioral, disciplinary, and medical information;
  • Web browsing history;
  • students’ geolocation;
  • IP addresses used by students; and
  • classroom activities.

The senators sent two different letters last week; one to bigger tech companies like Google, another to educational tech companies. One cites a Wall Street Journal report from March that detailed a hack which leveraged Slate, an online system that facilitates college applicant information, to steal prospective students' data at schools including Oberlin, Grinnell, and Hamilton College. Another cites Fordham University Law School research, via its Center on Law and Information Policy last year that found that some educational data brokers aggregate student data into lists, based on Grade Point Average, ethnicity, religion, and affluence.

In addition to Google and Facebook, the full list of EdTech companies who received a letter last week is as follows: Smart Sparrow, DreamBox Learning, ScootPad, ST Math, Curriculum Associates i-Ready, Realizeit, Macmillan, McGraw-Hill, Snapwiz, Kaplan, Wiley Education Services, the College Board, ACT, Pearson, Student Opportunity Center, Cognitive ToyBox, AdmitHub, Upswing, Formative, Flocabulary, BrightBytes, Hapara, Intellus Learning, Civitas Learning, Education Elements, NoRedInk, StraighterLine, Turnitin, Cengage, VitalSource, RedShelf, Barnes & Noble Education, Canvas Instructure, Blackboard, Sakai, Moodle, D2L Brightspace, Edmodo, Quizlet, Schoology Accurate Leads, American Student Marketing, AmeriList, ASL Marketing, Caldwell List Co., Complete Mailing Lists, DataMasters, DMDatabases, Dunhill International List Co., Exact Data, InfoUSA, Lake B2B, NRCCUA and Scholarships.com.

The senators are looking for answers to their questions right after Labor Day, no later than September 3.

Tags: Government

Recommended Resources


  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • The Five Stages of Threat Hunting
  • A Proactive Approach to Threat Hunting
  • Expert Tips

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.