Three Democratic senators have sent pointed letters to a long list of ed-tech companies asking that they turn over details of how they collect data on students.
Sens. Edward Markey of Massachusetts, Richard Durbin of Illinois, and Richard Blumenthal of Connecticut said they wrote to the businesses because of worries about the “vast amount of data being collected about our nation’s students, and to request more information about your company’s data-collection practices.”
The lawmakers sent two letters. One went out to a broad set of ed-tech companies in both the K-12 and higher education markets. The other letter was sent to what the lawmakers said were “data brokers,” who they described as creating lists of potentially sensitive information and making them available for commercial use.
Companies receiving a letter, according to the statement released by the senators, include not only major internet search giant Google and social media behemoth Facebook, but businesses focused on providing a broad mix of classroom or back-office administrative products. They include DreamBox Learning, Curriculum Associates, Flocabulary, ACT, Pearson, McGraw-Hill Education, Edmodo, Schoology, Blackboard, Moodle, Wiley Education, Turnitin, Canvas/Instructure, Kaplan, D2L, and Barnes and Noble Education.
The letter to ed-tech businesses asks them to provide an array of information to Congress, including:
- The age range of the students using their software, courseware, and devices;
- A description of the type of data collected through those tools, how long it is stored, and the process for deleting it;
- Information on whether parents have the ability to opt-out, correct, delete, or acquire any data collected by the companies;
- Whether the company sells or makes products or services that make use of the data collected through its various tools and software;
- Details on how the data collected would be protected, if the company went through a merger, acquisition, dissolution, or bankruptcy;
- Whether the company’s ed-tech tools group students into “labels or categories,” and if so, whether parents, schools and third parties have access to those labels and categories; and
- If the company has ever been hit by an unauthorized breach on its online servers or databases, or those of its subsidiaries or subcontractors. If so, they are asked to provide details.
The letter to data-brokers asks for companies to answer many of the same questions. The lawmakers pointed to revelations in a report released last year by the Fordham University Law School’s Center on Law and Information that vendors were making lists based on student information such as grade-point averages, race and ethnicity, religion, and wealth available for commercial use.
Concerns over data privacy laws have swept over the K-12 landscape in recent years, pushed along by concerns of parents, advocacy groups, and school officials. The heightened fears about data breaches have prompted a wave of state laws meant to put in place stricter protections on student information and tighter controls on vendors — though some advocates question whether those laws are having the desired effect.
But the collective angst has not resulted in the passage of any major federal legislation to protect data privacy, such as an overhaul of the Family Educational Rights and Privacy Act, or FERPA, despite the urging of advocacy groups.
A Senate aide told EdWeek Market Brief that the lawmakers’ interest in getting the information was initially focused on K-12 issues, then extended to higher education. The letter is not connected to any specific legislative proposal, though Sen. Durbin has an interest in drafting such a proposal, the aide said.
Linette Attai, who consults ed-tech companies on data-privacy issues, said several of the questions lawmakers want answered — particularly related to data retention and sharing — are curious, because those issues are already covered by FERPA. Other practices mentioned in the letter are barred by state data-privacy laws.
“If a technology company is aligned with FERPA and state laws, these questions are pretty easy to answer,” said Attai, the president of PlayWell LLC. “So I’m not sure what they’re looking for, and why.”
Other questions, such as those related to deletion of data, may be more complicated than the letter suggests, she said. For instance, the list of companies receiving letters includes those whose products are used directly by students, and other vendors don’t have a “direct relationship” with students, but rather with schools or districts that are charged with managing the data, Attai said.
Vendors in the second category may not have the right to delete data without school or district permission, said Attai.
Her company, PlayWell, LLC, represents both K-12 and higher education companies. She declined to say if she works with any of the ones who received letters.
Lawmakers have given the companies roughly three weeks to respond to the questions, setting a deadline of Sept. 3. But Congress is on a break in late August, through the first week of September, Attai pointed out.
“I’m not sure about the need for speed, when Congress is not is session,” she said. “I guess the question is what happens Sept. 4.”