Should a university be able to edit a student’s Facebook profile or check his private tweets? Absolutely not, said the Delaware state legislature, as it recently passed the first state law to forbid schools from requiring students to divulge personal social media login information.
Signed into law by Gov. Jack Markell on July 20, HB309 [1] bans both public and private higher-education institutions from committing a range of student privacy violations.
Delaware colleges and universities cannot require or request that students turn over login information, nor can they ask students to log on to their personal social networking sites in the presence of a school representative.
The law also bars schools from tracking students’ personal online activities or requesting that the student add a school representative on a social networking site. A school could not demand, for example, that a student approve a teacher as a Facebook friend.
Originally written to include primary and secondary schools as well, the final version of the law limits its scope only to post-secondary institutions.
Legislators reconsidered the K-12 portion of the bill after hearing concerns that schools working with younger children would deal more frequently with cyber bullying problems, said Damian DeStefano, legislative aide to the bill’s sponsor, Democratic Rep. Darryl Scott. [2]
In the wake of several high-profile cyber bullying cases, schools have been under increasing pressure to monitor [3] instances of students bullying each other via social media.
“We wouldn’t want to handcuff a school in its ability to investigate cases of bullying,” he said.
Another factor that complicates student privacy laws in the K-12 space: the rise of “bring your own device” (BYOD) programs designed to get technology in the hands of more students.
When students are bringing their personal devices into the classroom for instruction, and teachers need to monitor those devices, “to what degree does that make everything on the student’s device available for school review?” said Nancy Willard [4], director of the Center for Safe and Responsible Internet Use, in a phone call with eSchool News.
“Should a student be able to password-protect access to their device? Should the school be able to demand the access password on those devices? Tricky issues,” Willard wrote in a subsequent eMail message.
The Delaware law was “definitely” necessary, because collecting students’ personal social media information is a “particularly invasive” violation of privacy, said Khaliah Barnes, open government counsel for the Electronic Privacy Information Center (EPIC [5]).
Barnes also noted a larger, hidden potential consequence: If students were to release private social networking information to schools, that information could spread quickly to the hands of many.
Under the Family Educational Rights and Privacy Act (FERPA), information gathered by schools receiving federal funding becomes an educational record. That record, in turn, may be released without the student’s consent to a wide net of eligible entities.
EPIC recently sued [6] the federal Education Department for issuing new changes to FERPA that allow student records to be disclosed to a “really expansive list” of entities not directly represented by the education secretary, attorney general, or controller general.
DeStefano agreed that establishing appropriate guidelines for K-12 education, distinct from those of higher education, would require more research. For this bill, he said, there simply wasn’t time to make the necessary changes, because it was “getting late in the [legislative] session.”
Rep. Scott did not introduce the bill as a result of any specific events; “there is no indication that any schools were doing this,” DeStefano said.
Rather, he said, the bill was intended as a preemptive form of legal protection. With the rise of personal social media, many institutions have become interested in looking at the online presences of their members.
DeStefano said the bill was inspired in part by similar moves to put legal limits on employers looking to screen applicants or check on workers via social networking sites.
Delaware legislators considered but did not pass a companion bill, HB 308 [7], which addressed online privacy at the workplace.
Data compiled by the National Conference of State Legislatures [8] show that in May, Maryland enacted legislation that prohibits employers from requesting or requiring an employee or applicant to disclose personal social media login information, and in June, Illinois followed suit.
In the past year, 14 states have considered similar legislation that would restrict employers from requesting social networking account information from applicants, students, or employees.
At the national level, U.S. Reps. Eliot Engel, D-N.Y., and Jan Schakowsky, D-Ill., in late April introduced the Social Networking Online Protection Act (SNOPA [9]).
Like the state laws, SNOPA would ban employers from requiring workers’ account information—but it also would apply to schools from kindergarten through college.
Willard said SNOPA would be better because it covers a greater scope, but she called the Delaware law a “good start.”
Barnes noted that SNOPA has explicit enforcement provisions for civil penalties that the Delaware law appears to be missing, although DeStefano said it is implied that students will be able to sue based on the new law.
Still, Barnes said she was hopeful that federal and state legislators can work in tandem to protect students’ privacy rights.
Federal action could establish a “permissible floor” for states to build on, she said, adding: “I definitely think Delaware is taking the right step with student privacy legislation.”