One takeaway worth emphasizing about a “student privacy pledge” circulating within the ed-tech community—and which received a high-profile plug recently from President Obama: Companies that sign up aren’t just making a symbolic commitment. They’re making a legally enforceable one, too.
Organizers of the effort—a privacy-advocacy group and a major ed-tech trade association—as well as others who know federal and state consumer-protection laws, say the promise means companies that sign could face government sanction if they are deemed to be deceiving consumers by going back on their word.
More than 90 companies have made the pledge at last count. That means they’re agreeing to safeguard students’ data on a number of fronts, including vowing to not sell student information, or use their online behavior for targeted advertising.
They can use data only for “authorized education purposes,” and they have to adhere to limits on retaining data. They’re vowing to not build personal profiles of students, other than to support educational purposes as authorized by parents or students.
Whether the language of the pledge is ultimately strong enough to satisfy parents and other advocates, and whether ed-tech providers are vigilant or lax in sticking to it, remains to be seen.
But officials from both the Future of Privacy Forum and the Software & Information Industry Association, both of which organized the pledge, say the legal enforceability of the pledge adds to its heft. To be specific, companies that promise consumers one thing publicly, and then violate their word, can run afoul of Section 5 of the Federal Trade Commission Act, a law that bans deceptive trade practices and is enforced by the FTC.
Individual attorneys general in states that have consumer-protection laws comparable to the federal standard could also seek to penalize the ed-tech providers.
Company officials understand that once “I publicly put my name on this pledge,” said Jules Polonetsky, the executive director of the Future of Privacy Forum, they are “making a legally enforceable commitment…This is the law of the land for you.”
Polonetsky is a former state lawmaker in New York and once served as New York City’s commissioner for consumer affairs.
Section 5 of the FTC Act forbids companies from engaging in “unfair or deceptive acts or practices in or affecting commerce.” A violation of the law must be shown to cause “substantial injury to consumers which is not reasonably avoidable” or “outweighed by countervailing benefits to consumers or to competition.”
But even with that standard, it would still be up to the FTC, or a state attorney general, to investigate a potential violation and make a judgment about whether to bring an action, noted Khaliah Barnes, the director of the EPIC student privacy project at the Electronic Privacy Information Center, a nonprofit advocacy group in Washington.
That’s why she favors creating a stronger “binding law to govern company actions,” such as the Student Digital Privacy Act proposed by President Obama.
It’s worth noting that the FTC has targeted companies operating in the ed-tech space in the past when the agency believes they have misled consumers.
Google, a company that critics have accused of failing to ensure protection of students’ data, in 2012 paid a $22.5 million civil penalty to the FTC. The agency had accused the technology services giant of falsely assuring users of Apple Inc.’s Safari Web browser that it would not place tracking “cookies”—small pieces of computer text used to collect information from consumers—or target ads to them.
In a settlement with the FTC, the company agreed to disable all tracking cookies it had promised not to use in those circumstances. The FTC argued that Google’s behavior broke an earlier consent order, and it said at the time that the fine amount was the largest the agency ever obtained for that sort of violation.
The agency also offered a detailed explanation of how it sees its enforcement authority under Section 5 in a letter explaining its views on how students’ data privacy should be protected in a case involving an education company that went into bankruptcy, ConnectEDU. (See my colleague Michele Molnar’s story on the implications of that case.)
The FTC also invoked Section 5 in a recent case against Snapchat, the developer of a mobile messaging app. The agency alleged the company deceived customers over the amount of personal data it was collecting, and failed to secure that information, allowing a breach of nearly 4.6 million usernames and phone numbers. Snapchat settled the case with the FTC, according to the agency.
According to the FTC’s complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.
“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” said FTC Chairwoman Edith Ramirez. “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”
Mark Schneiderman, the senior director of education policy for the SIIA, said in an e-mail that “we make the companies aware that the pledge is legally enforceable, and certainly their attorneys do as well.
“Either way, companies take seriously that their statements and practices must be consistent in the marketplace,” he added.