A large majority of American adults are becoming increasingly concerned that student data collected by school districts could be used by third-party companies to market to students, rather than being used to enhance academic achievement.
In a recent survey from the nonprofit organization Common Sense Media, 89 percent of 800 adults polled said they were at least somewhat concerned about advertisers using students' personal data to market to them.
"There's no question that, partly because of the attention to the NSA stuff in the past few months, that the public is way more concerned about privacy issues," says Jim Steyer, chief executive officer of Common Sense Media. "And the major new place this is occurring now is going to be in schools."
The survey also found that nearly 6 in 10 parents have heard little or nothing about the fact that many school districts contract with private companies to collect student data.
But Kristin Yochum, director of federal policy at the nonprofit Data Quality Campaign, says there are very strict guidelines governing what private companies can and cannot do once they receive certain student data.
The Family Educational Rights and Privacy Act (FERPA) prohibits private companies from using data found within a student's official educational record, stipulating the data can only be used for evaluation, audit and compliance activities, Yochum says.
"For example, doing the analysis to pull out data to report out to the federal government or to do analysis for teachers to use in the classroom to improve student achievement on a daily basis," she says. "They are absolutely prohibited from using that data for marketing purposes under FERPA."
But the new survey draws on a recent study from Fordham University's Center on Law and Information Policy, which found that when schools contract with third-party service providers, there often are gaps where there should be specific regulations governing what data the service providers can and cannot share with marketers.
While certain student information – specifically anything contained in a student's educational record, such as dates of birth, addresses, grades, test scores and disciplinary records – is protected under FERPA, there are many other data sources that are not protected under the federal regulation, says Joel Reidenberg, a law professor at Fordham.
"One of the things that we found in our study is that schools are using cloud service providers for a whole variety of functions," Reidenberg says.
If a school uses a cloud service provider for email, for example, the content of that email is not protected under FERPA, Reidenberg says.
If the service provider searches for keywords in a student's email, finds the particular student is interested in a certain product – like bicycles – and confirms that the information is available for sale, FERPA "would not preclude the sale of that information," Reidenberg says.
Other information that might fall into that unprotected category might include data collected when students use prepaid ID cards to pay for their cafeteria lunches, or data collected by schools to outsource planning bus routes.
"The busing company now has data that a third-grader is standing on the corner at 7 a.m. waiting for the school bus," Reidenberg says.
Even still, Reidenberg found in his study that many schools do not maintain acceptable control over student data – even information included in an educational record – when they deal with third-party providers.
School districts are allowed to share data protected under FERPA with service providers – such as a student's transcripts to be used for data analytics purposes – as long as they set a contract spelling out the restrictions on the use of the data, Reidenberg says.
But fewer than 10 percent of the contracts Reidenberg reviewed explicitly prohibited the sale of student data for marketing.