Privacy advocates worry about the impact students’ data could have on their lives decades later
What if a child’s performance in a fifth-grade gym class could be used to set the rate for a life insurance policy when they’re 50? What if a computer program advertised interactive tutoring when your child struggled with long division?
Privacy advocates worry these scenarios could become reality as schools increasingly rely on outside companies to collect, manage and analyze the massive amount of data gleaned from standardized tests, transcripts, individual education programs and even cafeteria purchases.
This subcontracting is not new or uncommon, but it has often left school districts without explicit control over students’ personal information. And it has left some parents, administrators and privacy advocates worried that those companies might one day sell or mine the data for a profit.
With few protections on the privacy of student data beyond a decades-old federal law, states have been scrambling to regulate how student data is collected and stored. More recently they’ve begun governing how third-party companies can use student information.
In 2014, 21 states passed 26 student data laws mostly targeted at states and school districts. Many echoed a 2013 Oklahoma law that requires state approval to release student data and mandates that only aggregated data — no data tied to individual students — can be released.
By last year, lawmakers had shifted their focus to third-party companies. They passed 28 student privacy laws, in many cases mirroring a California statute that prohibits service providers from using data to target ads to students, selling student information, and creating student profiles for commercial purposes.
This year nine states — Arizona, Connecticut, Hawaii, Kansas, New Hampshire, Tennessee, Utah, Virginia and West Virginia — have added 11 new laws, mostly based on the California standard. A similar proposal is awaiting the signature of Colorado’s governor.
It’s impossible to know how companies could or would use the information they collect, said Joel Reidenberg, a privacy expert and law professor at Fordham University.
“What are they going to do with it? Are they going to use it for experimentation? Analytics?” he said. “Will it wind up 10 years down the road being used in an insurance underwriting decision?”