Internet Association Raises Concerns Over Student-Privacy Bill
A proposed bill that would boost privacy rights for students is far too broad, according to the trade group that represents many online tech firms.
The issue of student privacy—particularly, what education companies and data miners can do with student information—has been getting a lot of attention in recent months.
At the state level, attempts to address student-privacy protections have proliferated: 182 student-data-privacy bills have been introduced in 46 states so far this year, according to edSurge.
A bill is also up for discussion in Congress, but a major tech group is crying foul over the measure’s ramifications.
The Internet Association, which represents Google, Reddit, Uber, and a wide array of other tech companies, has raised concerns about a proposed update to the Family Educational Rights and Privacy Act currently being debated by the House Education and the Workforce Committee.
IA says it supports the intent of the Student Privacy Protection Act, which would strengthen privacy rights for students and their families. But the group says the bill is too broad as drafted.
“We highlight these concerns since we believe that these provisions will create undue costs for our member companies without countervailing benefits to students, their families, and educational institutions,” IA President and CEO Michael Beckerman wrote in a letter to the committee [PDF] last week.
Beckerman suggested that a requirement in the bill to alert parents of data breaches within three days would create a significant burden because it is outside the scope of traditional security practices. And a “breach” as defined in the measure could be interpreted to include simple mistakes, he said.
“As currently drafted, the data security and privacy provisions of the bill impose vague security requirements, including notice requirements triggered by a ‘breach of the security practices,’ which theoretically could include common employee errors such as failing to properly sign in a visitor or failing to log out of a computer when going to get coffee for five minutes,” Beckerman added.
A requirement that education technology providers adhere to “commonly accepted industry standards” would cause confusion, as the bill doesn’t define what those standards are, he said. Beckerman noted that such standards vary widely depending on how sensitive the specific student data is.
“Any effort to enshrine a strong national standard for data security must clearly outline the rules of the road for internet companies and their users,” Beckerman said in a news release.
The association has offered to work with the committee on a more workable plan for its member companies.
“The revisions are necessary to safeguard the user data and privacy of students and their families while creating a strong national standard that the industry can work with,” IA said in the release.