Tech group takes issue with student privacy bill

Tech group takes issue with student privacy bill
© Thinkstock

A major tech trade group expressed concerns Thursday with a House student privacy bill that it said would “create undue costs for our member companies" without sufficient benefit to any involved party.

The legislation in question is an update of the Family Education Rights and Privacy Act, the main federal law that protects student privacy. The House version of the Student Privacy Protections Act includes provisions that require parties under the law, such as companies that provide technological tools to schools, to notify parents of data breaches.


But The Internet Association said in a Thursday letter to leaders of the House Education and Workforce Committee and the bill’s sponsors that the requirements were too broad.

“As currently drafted, the data security and privacy provisions of the bill impose vague security requirements, including notice requirements triggered by a ‘breach of the security practices,’ which theoretically could include common employee errors such as failing to properly sign-in a visitor or failing to logout of a computer when going to get coffee for 5 minutes,” the group’s president, Michael Beckerman, said in the letter.

The group also took issue with a requirement that parents be notified within three days, which it called an “unprecedented” demand that “conflicts with commonly accepted security practices, and lacks an appropriate threshold for notice,” as well as the fact that the legislation does not preempt state laws. The latter element of the legislation, it said, could result in multiple notifications being sent to parents unnecessarily.

“The bill also requires ed-tech providers to adopt ‘commonly accepted industry standards on privacy protection’ without reference to those standards,” the group wrote. “In reality, these standards vary significantly according to the sensitivity of the personal information involved.”

The Internet Association represents high-profile companies like Amazon, Google and Uber — and told lawmakers that the bill could create confusion for its member companies.

“Any effort to enshrine a strong national standard for data security must clearly outline the rules of the road for Internet companies and their users,” Beckerman said in a statement.