U.S. needs to add student online privacy rules

As more of our children’s education moves online, there are increased opportunities for abusing the collection of their personal data. Last month, state Senate leader Darrell Steinberg (D-Sacramento) introduced a bill that would help close a loophole in federal regulations — at least in California — in an effort to safeguard personal information of public school students. The potential privacy violations could be significant, and it makes sense for the Legislature to act now.

Under the federal Family and Educational Rights Protection Act, schools that receive federal funding are rightly barred from making disclosures about students’ education records without permission. But schools and their direct employees are not the only ones with access to such records. These days, private contractors play an enhanced role in teaching, through online math and language-training games and other Web-based programs. To be effective, they often need to track performance by individual students. Many require students to create a personal online profile, and the resulting data caches often are stored off-site, out of the schools’ direct control.

Schools are supposed to be in charge of what private contractors do with student records, but there is significant confusion over what information and which contractors are affected by the law. In response, the U.S. Department of Education last week released new guidelines directing schools to review contracts on a case-by-case basis. Yet there is a general sense that many schools are ill-equipped to police their contractors or those firms’ subcontractors.

And that’s where the loophole comes in. According to the children’s advocacy group Common Sense Media, few mechanisms exist to preclude contractors or subcontractors from compiling students’ personal data and selling it to other businesses without the knowledge of the students, their parents or the schools that hired them. Yes, there should be school oversight, but that’s not enough. The Steinberg bill would bar contractors from sharing student data, placing the responsibility for complying with the contractors themselves, where it belongs. Experts say most such firms have privacy policies in place, but formalizing their responsibility is a sensible step.

Note, though, that this fix applies only to California. The federal government — either Congress or a regulatory agency such as the Federal Trade Commission — needs to address this issue as well. The online world is fast-evolving, and government tends to be slow to respond. But protecting the privacy rights of children should be a high priority.