In classrooms across the country, students as young as kindergarteners are turning on school-issued devices and logging into their online school accounts. While students and teachers can benefit from educational apps and services, behind the scenes edtech companies are inhaling troves of data on students, often without the awareness and consent of students and their families. Over the past year, EFF has fought for the privacy and security of student data on multiple fronts.
A year ago, EFF filed a complaint with the Federal Trade Commission (FTC) urging the agency to investigate whether Google violated public promises to protect student privacy in its deployment of Chromebooks and Google Apps for Education (now called G Suite for Education) “cloud” services in schools. As one of 300 signatories to the Student Privacy Pledge, Google publicly vowed, among other things, to “Not collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student,” as well as to “Not build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student.” Yet, it appeared Google was tracking and recording students’ online activity, without parental consent, and for non-educational purposes.
Unfortunately, the FTC has yet to take action on our complaint. However, our FTC complaint inspired an inquiry from Sen. Al Franken (D-MN) this year, a response from Google, and a subsequent change in Google policy, or at least a clarification of Google policy. While Google continues to collect data, without parental consent, on students who are logged into their school accounts and use non-educational Google services, Google has made public assurances that it is not using collected data to target ads to student users.
Google still has room for improvement. The company’s policy of not targeting ads only applies to K-12 student accounts, not those of college or university students, and of course Google could limit the collection of student data in the first place. Additionally, Google’s G Suite for Education Privacy Notice asks parents, teachers, and school administrators to cross-reference three legal documents, rather than putting policies related to student data in a “one-stop shop” document.
While the FTC has so far failed to take steps to enforce the Student Privacy Pledge, in 2016 we critiqued the pledge itself and recommended ways to strengthen the language to better hold edtech companies accountable.
This year we also began analyzing information from our student privacy survey. We shared the concerns of a school administrator in rural Indiana, who struggled with understanding what Google’s complex privacy policies mean for his school, all while balancing the resource needs of teachers, the educational needs of individual students, and the technological preferences of their parents. Case studies like this highlight the need for edtech companies to take the privacy concerns of students, parents, teachers, and school administrators seriously and we plan on writing more of them.
Finally, in 2016, EFF consulted with the California Attorney General’s office about student privacy. In November the Attorney General released a set of best practices to help edtech companies better protect the privacy of student data.
This article is part of our Year In Review series. Read other articles about the fight for digital rights in 2016.