Student Privacy Pledge delivers neither privacy nor enforcement
Riddle me this: Which is more binding, the Student Privacy Pledge or a pinky promise?
Sadly, as of today, the answer is the pinky promise.
With the most recent “Trolls” movie – “Trolls World Tour” – prominently highlighting the binding significance of the “pinky promise,” the same cannot be said of the Student Privacy Pledge — a pledge taken by 400-plus educational technology (Ed Tech) companies stating a commitment to “carry out responsible stewardship and appropriate use of student personal information.”
Consider the recent Consumer Reports story about the College Board tracking students and sharing that information with Adobe, Facebook, Google, Microsoft, Snapchat, Yahoo, and advertising network AdMedia — despite the pledge’s commitment to “[n]ot use or disclose student information collected through an educational/school service . . . for behavioral targeting of advertisements to students.” Yet when the Future of Privacy Forum, the group that administers the pledge, was asked about this violation, its response was that it was looking into the findings to ensure that the College Board is living up to its promises.
But how does one “ensure” anything, if there is no enforcement?
A 2018 Duke Law & Technology Review article entitled “Peeling Back the Student Privacy Pledge” posed the same question when analyzing whether signatory companies were complying with the pledge, or “just paying lip service to its goals,” given the toothless nature of a pledge devoid of oversight or enforcement.
Perhaps the poster-child for the lack of accountability to which pledge signatories are held is Naviance by Hobsons — an Ed-Tech provider used by middle, high school, and college students that collects dates of birth, ethnicity, and other sensitive data — having reported at least three data breaches in 2019 alone. The first was a data breach in Virginia, involving sensitive information of 21 former students; the second was a breach in Pennsylvania involving 12,000 students, and the third involved close to 6,000 students attending Montgomery County, Md., public schools. With three breaches in a single year, one could argue that Naviance is not compliant with the pledge’s commitment to “[m]aintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks.”
Yet, almost a year later, Naviance is still displayed as a pledge signatory. No penalties. No suspension. Not even probation.
Relatedly, pledge signatories agree to “[n]ot use or disclose student information . . . for behavioral targeting of advertisements to students.” In describing the data it collects via technology, Instructure defines its use of “web beacons” as being used to “manage cookies, count visits, and to learn what marketing works and what does not.” While reasonable minds may differ, the use of technology, directed at a user, in order to determine whether marketing is or is not working, sure sounds a lot like “behavioral targeting.” Instructure says categorically that the company does not disclose student information for the purpose of targeting advertisements to students.
Even Google is a pledge signatory. Google is being sued by the New Mexico attorney general for sharing students’ personal information with other parts of its business, in apparent contravention of the pledge. Yet Google proudly boasts of its “compliance with rigorous standards,” to include the Student Privacy Pledge. A Google spokesman said the New Mexico attorney general’s claims were “factually wrong.”
To be clear, there are responsible Ed Tech companies that have signed the pledge and that genuinely care about student data privacy. But unless all signatories are held responsible for complying with the pledge, the pledge becomes nothing more than a marketing stunt that means little and misleads many.
As the Duke Law & Technology Review article concluded, consumers of education software have limited power to hold pledge signatories accountable, and thus “the Federal Trade Commission (FTC), is best positioned to enforce compliance with the pledge.” After all, trade practices are its bread and butter.
Notably, in May 2020, when the FTC announced a settlement with Swiss-based Miniclip SA for claiming to be compliant with, and a member of, the Children’s Online Privacy Protection Act (COPPA) Safe Harbor Program, FTC Commissioner Rohit Chopra wrote that “[t]he commission must . . . revamp its approach to these third-party privacy policing programs,” because these programs don’t adequately fulfill their own oversight obligations.
Yet the need to police third-party programs designed to protect our children is the same, whether we’re talking about COPPA Safe Harbor or the Student Privacy Pledge.
With all the risks to privacy that students already face today — especially in this age of COVID-19, in which schools rely on Ed Tech for the entire (virtual) curriculum — a hollow pledge, with commitments that aren’t enforced, does nothing more than lull parents into a false sense of security, placing our children at greater — not lesser — risk.
Joel Schwarz is a Managing Partner at The Schwarz Group, LLC, where he works as a consultant and attorney, and an adjunct professor at Albany Law School, teaching courses on cybercrime, cybersecurity and privacy. He previously served as the Civil Liberties and Privacy Officer (CLPO) for the National Counterterrorism Center and was a cybercrime prosecutor for the Justice Department and New York State Attorney General’s Office. He was also counsel on e-commerce and privacy for MetLife.