Just a few years ago, no one was talking about student data privacy, but now the issue is everywhere. Ed-tech companies are facing mounting demands from school districts and parents to protect students’ online information—even as K-12 officials and vendors are devising new ways to harness data with the goal of improving learning.

One of the voices encouraging industry to adjust to the new landscape is Jules Polonetsky, the executive director of the Future of Privacy Forum, a Washington think tank that describes itself as an advocate of responsible data use. Today, Polonetsky’s organization is co-hosting a two-day data-privacy “bootcamp” in the nation’s capital, along with ed-tech investor Rethink Education, aimed at providing more than 40 companies in attendance with a stronger understanding of how the changing laws and policies will affect them.

The event is being held in the offices of 1776, a business incubator and seed fund that backs companies in education and other areas. The organizers, encouraged by the strong interest in the bootcamp, are planning to schedule similar trainings, possibly in San Francisco and New York, over the next year.

The Future of Privacy Forum has been tackling the issue in other high-profile ways recently. It’s also the co-sponsor, along with the Software & Information Industry Association, of a “student privacy pledge” that asks companies to publicly commit to a set of principles for safeguarding online information. More than 100 ed-tech vendors, from startups to multinational corporations, have signed up so-far.

The forum would not release the names of the companies attending the “bootcamp,” and it has closed most of the two-day event to the press, arguing that it’s important for vendors to be able to speak freely and ask questions of the scheduled speakers—a Federal Trade Commission official and K-12 district leaders among them—without having that information aired publicly.

Polonetsky formerly worked as New York City’s consumer affairs commissioner, as a New York state legislator and as AOL’s chief privacy officer. Education Week interviewed him about his ambitions for the “bootcamp” and his views of the changing privacy expectations for industry, overall.

What do you hope to accomplish with the bootcamp?

We found this incredible pent-up demand in the startup community in particular, for complying with FERPA, COPPA and with general privacy practices. The discussion of legal codes, and the combination of federal and state law, can be a good deal to get on top of, while you’re also [a company] building your service, and selling and maintaining it. We find that most companies clearly get the big picture—you can’t sell student data, you’ve got to follow your contract with a school. But [there’s confusion] when it comes to some of the more complex issues—what happens when I have data that’s covered by both COPPA and FERPA, and, ‘What exactly do I need to do in terms of security?

Companies that don’t have an in-house lawyer aren’t researching legislation on the code or federal regulations. We’re telling them, here’s the regulation. Don’t just look at the law, look at the regulation, because it expands on the law. You may know and read COPPA, but that doesn’t tell you [things like] OK, if I have a social-sharing button, I better not use the one that is free in return for behavioral advertising, because I’m not allowed to have behavioral advertising on my apps under COPPA, so I’d better choose a sharing button that ensures that data is treated restrictively, not sold and shared. You may not know that. Quite frankly, if you’re a big company you might not know that.

What’s the makeup of the ed-tech companies attending the bootcamp?

They’re all over the map. There are small, one-to-two person startups and large companies that have contracts with hundreds and hundreds of schools. You can be pretty small company and have a pretty broad reach. I’d say everything from cloud-login services to back-end software to [curriculum providers and providers of online academic support for students..]… The goal is to help the companies who probably don’t have an in-house lawyer… and that’s a lot of companies. Or, if they have an in-house lawyer, he’s their general counsel, he’s probably raising their financing, or negotiating their contracts, so he’s not spending all day reading FERPA contracts.

 

When you talk to vendors about student-data privacy, what’s the biggest worry you hear about what’s being demanded of them?

A big concern I hear is that privacy and contracting across thousands of school districts is getting very complex. Everybody has privacy on their radar screen now, which is great, but every school and district has ideas about what ought to be in contract, or a different checklist. Good companies want to get it right, but it’s really hard to come up with different versions of your product, or negotiate different versions of contracts. Schools are taking contacts and sending it to lawyers and saying, ‘Make sure I have all the privacy stuff in here,’ and the lawyers are saying, ‘OK, I’ll put in everything I can think of. And oh, by the way, what [do laws in] California say, and Louisiana say?’ There could be clauses from those states that could be relevant, too.’ And we hear there’s going to be a federal bill… One of our goals, and this was a goal of the pledge, is to come up with general agreement on the big issues on which we agree.

[From schools’ standpoint, they] are dealing with people showing up with terms of service that are different, and they’re going through their checklist, and they’re saying to companies, ‘Why can’t I tell if you meet [our data-privacy requirements] or not? Here are the things I need to know.’ There’s been complexity on both sides that’s made it hard for good-meaning schools and good-meaning companies to have a meeting of the minds.

You’ve had more than 100 companies sign the privacy pledge. Among those who haven’t signed, what’s the best argument you’ve heard from them explaining why they’ve held out?

There are companies that have lots of contractors and subcontractors who said, ‘Look, I agree [with the intent], but if I’m going to be on the hook, I’ve really got to do a lot of due diligence and check with my vendors and subcontractors. The pledge says the contractors have to be on the hook, too… There were a lot of companies who said, ‘I agree in concept but my legal counsel wants to make sure this is really buttoned-down.’

 

There’s been some debate recently about whether the privacy pledge is legally enforceable. You’ve argued that it is. Why?

It’s certainly voluntary to sign. But once you sign and commit, Section 5 of the FTC act says the agency says [you can face penalties] if you mislead or do something deceptive… There’s some [misunderstanding about] how consumer protection law works. But the specific issue that was raised by [Fordham University law professor Joel Reidenberg, a leading researcher on data-privacy issues] was that the pledge has some notes that say if you specifically have an agreement with a school district … You could say something in the pledge, or say something in your policy, but then have a contract that lets you do something different.

Reidenberg testifies that FTC not equipped to enforce industry pledge on #studentdataprivacy

— FOSI (@FOSI) February 12, 2015

And what we’ve explained is, you can’t actually do that. Because A) You can’t sign a contract that doesn’t follow the pledge; and B) If you make a very clear commitment&mash;’I don’t sell data, I don’t do this-and-that’… and then you have a side agreement that says, ‘I can,’ you’re not off the hook.

We ran this language by the FTC, and they said, ‘Oh no, if someone makes a clear statement that they don’t do something, they can’t have some fine print elsewhere that completely contravenes what you said in your major statement… [For a company to try to argue that a local contract supersedes the pledge] would be a very risky argument to make.

Responses edited for space and clarity.