FPF’s Student Privacy Newsletter – April 2021

FPF’s Student Privacy Newsletter – April 2021


Good afternoon, and welcome to another issue of FPF’s Student Privacy Newsletter! Below, we’ve rounded up noteworthy student privacy issues that surfaced over the last several weeks. We saw new developments in many of the topics we’ve been monitoring over the last year, including student mental health, online learning and associated privacy challenges, and movement on children’s privacy issues around the globe.

Before we get to the news, here are a few updates from FPF:

  • We released a new youth privacy infographic providing an overview of particular opportunities and risks for youth online along with potential protection strategies to encourage global youth privacy protections that balance both protecting and empowering youth online while allowing them to gradually develop autonomy and resilience. Learn more in the accompanying blog post.

  • During FTC Acting Chairwoman Slaughter’s opening remarks at FPF’s February event Privacy Papers for Policymakers, she highlighted edtech as a priority area she is working closely on pursuing related to the pandemic.

  • We hosted a webinar discussing best practices and lessons learned from using video classrooms. Panelist Trevor Toteve, a high school teacher in Houston, was featured in an article by The 74, which also covered the webinar. For more on video and online learning privacy, you can read our Rethinking Video Mandates resource.

  • We published an analysis of a recent New York law that places a moratorium on purchasing and using biometric identifying technology in schools until at least July 2022.

  • Jasmine Park and Amelia Vance authored an EDUCAUSE article synthesizing findings from research over the past decade on college students’ privacy attitudes and expectations confirming that they do care about their privacy and that context matters. A more detailed white paper on this topic will be released later this spring.

  • We released three blog posts highlighting takeaways from our Student Privacy Communications Toolkit, which was published in January. The blog posts offer quick student privacy tips for students, parents, and educators

  • Come work with us! We are hiring two policy fellows and an events and communication assistant to join our Youth & Education team, and several other teams at FPF are hiring as well!  

On to the news…

Latest News

One year into the COVID-19 pandemic, many students are still learning virtually in some capacity. Even as schools begin to reopen, children will likely continue to spend more time online than they did pre-pandemic due to state restrictions, social distancing requirements, and potential long-term changes in remote learning.

  • On March 11, the House Subcommittee on Consumer Protection and Commerce held a hearing focused on children’s online safety during COVID. Representatives expressed significant interest in exploring updates to current children’s privacy regulations to better protect teens online, strengthen children’s privacy enforcement, and address manipulative design. To catch up on children’s privacy-related highlights, FPF’s Amelia Vance live-tweeted the hearing.
  • The Wall Street Journal reports that even as schools reopen physically, many are holding on to remote learning as a contingency plan to respond to fluctuating COVID-19 cases.
  • A RAND research report found that remote learning will exist after the pandemic, as 20% of school districts surveyed plan to offer fully remote options. This data, taken into account with surveys that show a decline in teacher confidence with edtech tools, highlights a need for additional professional development and support. EdSurge attributes this as a potential reason why data privacy is on the minds of state legislatures. For more on remote learning and balancing privacy considerations, see FPF’s webinar on “The Future of Video Mandates.”
  • Student perspective: A high school student wrote an article explaining why she hopes to continue online learning throughout high school. She believes online learning has helped her avoid social pressures like comparing grades and has also given her more space to explore her interests.
  • The Biden Administration filed an amicus brief in support of the school district in Mahanoy Area School District v. B.L., a case slated to go before the U.S. Supreme Court next month on whether public schools can regulate off-campus student speech. Both the Acting U.S. Solicitor General in the amicus brief and the school district in its petition to the court noted that the pandemic and online learning have made this issue especially relevant and in need of attention.
  • As New York City schools begin to reopen, the New York Times reports that there are “nearly 12,000 more white children returning to public school buildings than Black students — even though there are many more Black students than white children in the system overall.” Advocates argue that this stark racial disparityshould drive the city’s public school system to strengthen online learning programs.
    • A Nebraska superintendent wrote an op-ed noting that structural racism and inequities were a problem long before the pandemic, but the pandemic has highlighted these inequities. A McKinsey study found students of color could be 6 to 12 months behind in math, while white students will be 4 to 8 months behind.

We’ve continued to see increased technology-enabled monitoring of students during the COVID-19 pandemic, such as wearable technology to track students on college campuses. Students at some colleges are pushing back against some surveillance tools, citing privacy concerns. In particular, online exam proctoring remains a hot topic in education. And because the Biden administration is requiring states to administer standardized tests this year, the proctoring debate may become a bigger issue for schools that remain remote.

  • New America’s Open Technology Institute (OTI) released a report exploring the implications of monitoring students and workers during the pandemic. The report builds on an event that took place in October 2020 that featured remarks from FPF’s Anisha Reddy. OTI gives recommendations for schools and workplaces on mitigating privacy concerns about surveillance technologies.
  • As schools reopen, we’re also seeing an increase in the adoption of temperature-scanning devices. However, researchers have warned that thermal cameras and “temperature tablet” kiosks are ineffective. The Food and Drug Administration announced it was sending warning letters to some companies for “unapproved, uncleared, and unauthorized thermal imaging systems.” The New York Times reported that while many colleges are using these types of temperature scanners, colleges are unable to say whether the measures are effective at curbing the spread of COVID-19 (for more, read our issue brief from last summer on privacy issues related to thermal scans and temperature checks).
  • New America published a report highlighting college student perceptions of institutional data collection and use during the pandemic. The report findingsindicate that students place significant value on transparency, but generally trust their institutions.
    • A Harvard student penned an op-ed in USA Today arguing that students “need answers” as to why they are being increasingly asked to provide sensitive data. The student notes that edtech has many positive benefits, but edtech companies, governments, students, and universities must all be involved in the process of ensuring appropriate oversight and privacy safeguards.
  • A Northwestern University student filed a complaint alleging that the university failed to inform students about the collection and retention of biometric data through online exam proctoring, potentially violating Illinois’s Biometric Information Privacy Act.
  • At Miami University, some faculty opted to restructure their assessments to not require remote proctoring, given privacy and security concerns. However, they acknowledged that in courses such as foreign languages, it can be challenging to adequately assess students without online proctoring. Students in the University Senate passed two bills addressing proctoring: one advocating for faculty training on Proctorio and another advocating for impartial investigations into the use of remote proctoring services at the university.
  • Research from a recent EDUCAUSE article shows that nearly 63% of higher education institutions in the United States and Canada use proctoring software. The authors note that “the higher education community should take extra care” when using proctoring tools, as they can affect pedagogy outcomes.
  • This Vice article alleges that students are cheating on exams even with the use of proctoring software. Vice spoke to 10 students around the world who believed proctoring services were not effective, based on their experience skirting the surveillance measures.
  • In an article for The Chronicle of Higher Education discussing the proliferation of surveillance tools during the pandemic, Chris Gilliard, a professor studying privacy and inequality, noted that “For a long time, we’ve believed the myth that students didn’t care about these issues. Now, it’s impossible to ignore the way they’re pushing back.”
  • Security researchers found critical vulnerabilities in Netop Vision Pro, a student monitoring program popular in K-12 schools. Before Netop was notified of the issues, network traffic was unencrypted. Though still concerning, these issues are limited to network traffic in physical classrooms, rather than students connecting to their virtual classroom through their home internet.

As we flagged in our last newsletter, addressing self-harm and suicide risks among youth is top of mind for school districts and policymakers right now, and many school districts are considering monitoring software (for more, read our 2019 issue brief on student monitoring privacy issues).

  • Through surveys, a new CDC study found that virtual and hybrid learning settings have the potential to present increased risks “related to child and parental mental and emotional health” in comparison to in-person learning, because children have less access to school-based activities and services. The report acknowledges the limitations of the survey—including the fact that the assessment of emotional well-being was based off of parents self-reporting, which is “subject to social desirability, proxy-response, and recall biases.”
  • Grand Forks schools are concerned about not just the learning gaps due to the pandemic, but also the emotional and social growth that happens in a typical school year. One counselor drew comparisons to a 1997 flood that left schools closed, where the anxiety from the flood was felt long after it resolved. Another Grand Forks counselor considers the pandemic an opportunity for “a renewed focus on the importance of fostering relationships” and supporting students.
  • While some experts claim that the COVID-19 pandemic is a primary driver in the rise of youth suicide risks, others note that the data doesn’t quite match the headlines.
  • According to the Center for Collegiate Mental Health, about one-third of students who sought care from their college counseling center during the second half of 2020 said their visit was related to the mental health effects of the pandemic. The Center published five blog posts describing the impact of COVID-19 on college student mental health from multiple perspectives.
  • Common Sense Media published a report finding that even in the midst of steadily rising rates of mental health concerns and depression (since before the pandemic), “digital media has been a lifeline for many of them to access critical health information, stay connected to their peers, find inspiration, and receive comfort in a difficult time.”
  • Policymakers are continuing to consider investing in student monitoring software to help mitigate mental health risks. A Florida representative requested $2 million dollars for a pilot program that would give school districts participating in the pilot access to a subscription to Gaggle, a company that offers software to track and monitor students on school computers to identify potential self-harm or suicidal ideations. However, the budget request includes language that the technology could also be used to help reduce criminal acts and identify “indications of drug abuse,” leaving room for school administrators to extend monitoring well beyond student wellbeing efforts.
  • The Southern Poverty Law Center published a report on the state of Florida’s use of the Baker Act, which allows law enforcement to involuntarily commit Floridians, including children, to psychiatric facilities. The report includes anecdotes highlighting the harms that come from misuse and overbroad application of the law—in one instance, an 11 year old girl was held in a psychiatric facility without the consent of her parents for jokingly texting a friend “I have so much homework, I’m so stressed, I’m going to kill myself.”

As always, FPF has been tracking state student and child privacy bills. Here are some of the most interesting legislative updates from February and March:

  • Utah HB 243 was signed into law on March 16, 2021. The law creates a state data privacy officer and a privacy oversight committee with jurisdiction to review the privacy policies of government organizations, state and local. The law is significant because it could lead to an increased focus on privacy in the state, including a provision that allows the data privacy officer to report on privacy practices of government entities, such as schools.
  • Virginia HB 2307/SB 1392 (CDPA) was signed into law by the governor on March 2, 2021, making Virginia the second state to enact a comprehensive privacy law. FPF’s Jules Polonetsky noted its passage is “a significant milestone in the United States,” and our legislative team took a deep dive into the law and its implications, availablehere. The child privacy provisions of the law are similar to those proposed in the Washington Privacy Act, requiring controllers collecting data from a known child to collect verifiable parental consent prior to processing the child’s data and to perform a data protection assessment. Because the new law exempts government entities and data covered by FERPA, it is unlikely that the CDPA will have a large impact in the education context.
  • Utah passed a bill that would require new online devices sold in the state to automatically enable filters blocking content that is “harmful to minors.” The bill would take effect January 1, 2022 and require every new mobile device and tablet sold in Utah to have these adult content filters turned on. Internet policy experts argue that this proposal would raise significant First Amendment concerns because the state would be “mandating the filtering of lawful content.”
  • Oregon legislators introduced a bill that would ban school districts from using monitoring software “related to a student’s computer usage.” Although well-intentioned, this bill would present conflicts for most schools, as the Children’s Internet Protection Act requires almost all public schools to monitor student’s online activities.
  • Massachusetts HD. 3725 would create a student privacy law in the state that prohibits edtech companies from selling student data, using student data for targeted advertising, and disclosing student data without meeting certain criteria. Massachusetts legislators introduced a version of this bill in the last session, but it’s passage was likely halted due to COVID—there is a high likelihood that it will be enacted this session. The bill would mandate certain contractual requirements, create a state-level enforcer of the bill, who is authorized to issue statewide product bans, and fines. Beyond state-level enforcement, the bill includes a private right of action that would allow schools or students to bring an action to enforce a violation of the law.
  • Maryland HB 1062 would codify some of the recommendations made by the state’s Student Data Privacy Council, with some deviations. In addition to changing the definition of Operator, Covered Information, Targeted Advertising, and extending the term of the Student Data Privacy Council, the bill would require LEAs to report lists of authorized, unauthorized, and teacher adopted tools to the SEA. The proposed changes to the definition of Operator exclude portions of the Council’s recommendations, and would likely cover general audience companies that would not otherwise be subject to most state student privacy laws.
  • A Minnesota representative authored a bill requiring tech companies to inform schools of data breaches, “destroy or return” data once contracts expire, and prevent tech companies from disseminating student data unless authorized. The bill also limits a school’s ability to access student data such as cameras, searches, and locations.
  • In New York, a higher education package includes a bill that would prevent university employees from requesting details on a student’s immigration status.
  • A Florida legislator proposed an amendment that would require parental consent before student’s grades are shared with law enforcement in response to the Pasco County predictive policing program (as a reminder, FPF wrote this detailed analysis on the student privacy implications of Pasco County’s predictive policing program). Advocates continue to shine the light on this program: the Institute for Justice recently filed a lawsuit against Pasco County on behalf of affected families and the Electronic Frontier Foundation recently published a blog condemning the practice.
  • Texas legislators are considering a bill that would require Texas public schools and charter schools to add cybersecurity requirements to their contracts with providers, limit school district retention of distance learning recordings, and prohibit paying ransom in response to a ransomware attack.

Global News

  • On March 24th, the European Commission shared the EU Strategy on the Rights of the Child. The strategy acts as a complement to the proposed Council Recommendation establishing a European Child Guarantee, to promote equal opportunities for children at risk of poverty or social exclusion. Both initiatives highlight the need for equitable access to digital learning environments and the importance of a “digital environment” that is safe for children to navigate and utilize.
  • The Dutch government launched a “Code for Children’s Rights” similar to the U.K.’s Age Appropriate Design Code, setting forth ten principles for design and data protection to guide how developers should protect children online.
  • The Irish Data Protection Commissioner raised concerns over a proposed Facebook initiative that would alert health authorities if users expressed thoughts related to suicide or self-harm; the authority directed the platform to consult public health authorities in Europe before implementing the feature.
  • In January, the French data protection authority published a summary of the submissions it received in response to its public consultation regarding the digital rights of minors. Inside Privacy published a summary of the report in English, noting that in 2021, the authority will be focusing on exploring “(i) consent and age verification mechanisms; (ii) the conditions under which minors can be granted more autonomy online; and (iii) the exercise of digital rights by minors.”
  • India’s Personal Data Protection bill introduces new requirements for parental consent for users under the age of 18; this blog explores how the proposal would “upend internet usage.”
  • In last month’s newsletter, we shared that Italy’s Data Protection Authority (DPA) ordered TikTok to prevent users with unverified ages from accessing the app. On February 3, the DPA announced that TikTok would ban all Italian users until date of birth information is re-entered. Users under the age of 13 will have their accounts removed. TikTok will also work with the Irish Data Protection Commission to consider using AI as an additional level of age verification.
  • The European Consumer Organisation (BEUC) lodged a complaint with the European Commission against TikTok, arguing that TikTok fails to protect childrenfrom hidden advertising and “potentially harmful” content. They also note that TikTok’s age verification process is ineffective and cite a report that many TikTok users are children under 13. Consumer organizations in 15 countries have also urged their national authorities to look into TikTok’s breaches of EU law.
  • As part of a Singapore initiative to have devices in all schools, all devices, including student-supplied devices, must have software installed that will allow teachers to view students’ screens remotely, as well as restrict “objectionable content.” Affected students started an online petition that has over 6,000 signatures.
  • In Israel, the Education Ministry and Health Ministry clashed over access to dataof students and teachers who have received the COVID-19 vaccine. The Education Ministry sought the data in order to analyze and determine whether a school where someone contracted the virus could be opened, but the Health Ministry citedmedical privacy concerns. Ultimately, the Justice Ministry settled the dispute by allowing the Education Ministry to obtain the names of students who have been vaccinated, and only when someone at a school is infected will the Education Ministry contact the principal and share relevant information.

FYI: Quick Hits

  • House Representatives reintroduced the College Transparency Act, aimed at helping students and parents make informed decisions on colleges. The Act would establish a privacy-protected postsecondary data system and provide information to prospective students such as enrollment and post-college success.
  • The Campaign for a Commercial Free Childhood is urging the FTC to investigate Prodigy, a popular website that offers math games. Prodigy is free for schools, but when students play at home, it gives prompts and advertisements to subscribe to the annual membership.

  • The Wall Street Journal reports that Epic, a digital reading platform, relies on children’s reading data to develop narratives sure to engage children. According to WSJ, privacy advocates raised concerns about the platform, which “collects data every time a child turns a page on the screen or types a word into Epic’s search bar. The company uses the data to customize reading recommendations…” which plays “a role in shaping the plot, character and settings of Epic’s expanding line of more than 150 original books.”

  • On March 16, a Mississippi court partially denied Google’s motion to dismiss COPPA claims filed by the Mississippi Attorney General, which means Google must now defend the claims that it violated COPPA. (Note: linked motion is behind a paywall. The case is The State of Mississippi v. Google, LLC  and YouTube LLC and was filed in the U.S. District Court for the Northern District of Mississippi.) A similar lawsuit by the New Mexico Attorney General was dismissed last fall, but is currently being appealed.

  • Instagram announced that the tool would be integrating artificial intelligence and machine learning into the app to better determine the age of its users, in turn allowing the app to better protect minor users from age-inappropriate content and features. Additionally, reports are surfacing that the platform plans to introduce a “a version of Instagram that allows people under the age of 13 to safely use Instagram for the first time.”

  • An article from the Brookings How We Rise project provided recommendations to address disparate discipline policies, as Black students are three to six times more likely to be suspended or expelled from school. One of the recommendations was to create a data collection and analysis portal that would allow deidentified disciplinary data to be shared while maintaining student privacy. The recommendation notes that San Francisco Unified School District reduced suspension rates when data was at the core of its efforts.

  • In our previous newsletter, we wrote about a moratorium on schools’ use of biometric identifying technology. Despite the current ban, the NYCLU is arguing its case against the Lockport City School District’s facial recognition system should not be dismissed as moot. The NYCLU believes the court must still determine whether the system should have been approved by the state education department. For more on the New York moratorium, see FPF’s analysis on what this means for education stakeholders.

  • Student perspective: A high school junior penned an op-ed about the pressures from classmates to keep their video off during online learning. The student expressed concern about the changing learning climate and the lack of collaboration between classmates in online learning.

  • On February 24, YouTube announced new choices for tweens and teens using YouTube, in addition to the existing YouTube Kids aimed at younger children. Parents will now have three content settings to choose from. YouTube will also disable personalized advertising and in-app purchases for those using this feature.

  • Apple also recently unveiled a new “Apple for Kids” portal, which makes it easier for parents to manage Apple devices and disable in-app purchases. 

  • In early February, Chicago teachers were in a standoff with Chicago public schools and city officials over reopening plans. During this time, students missed instruction while teachers were locked out of online learning tools by the district. 

  • The Trevor Project implemented an A.I. tool named “Riley” that helps train volunteer counselors. The tool was developed to improve efficiency – training is time-consuming and limited to normal working hours, but many counselors volunteer on nights and weekends. While the hotline will still use human counselors, Riley helps counselors focus their time on those in need.

  • A new study examined more than 130 facial recognition data sets over 43 years and found  a gradual abandonment of asking for consent. Data sets included photos of minors, potentially without the knowledge of either the child or parent.

  • Santa Ana School District in California is piloting a program called “Rally Analytics Platform” that will allow teachers to view all student data collected in one place, including historical student data as well as results from a wellbeing survey the district asked students to complete in the fall.

  • The Washington Post noted that investigators believe that more children are being sexually exploited online because more children are online during the pandemic.

  • A JDSupra article notes that since 2015, universities have seen an increase in students requesting to view admissions records under FERPA. The article offers guidance on what universities must disclose.

  • On February 4, the UN Committee on the Rights of the Child adopted General Comment 25 on children’s rights in relation to the digital environment. Professor Sonia Livingstone explains that the General Comment provides countries with the what, why, and how for implementing children’s rights in the digital world.


  • ExcelinEd published “Pathways Matter,” a website illustrating the need for “K-12, postsecondary and workforce strategies [to] connect policies, programs and institutions to each other.”
  • Common Sense Media published a policy report entitled “Safe and Secure VR: Policy Issues Impacting Kids’ Use of Immersive Tech.” The report includes privacy-related recommendations for VR developers.

  • A new paper, Virtual Classrooms and Real Harms, discusses the platforms being adopted for remote learning.

  • IAPP published a comparison between the Children’s Online Privacy Protection Act (COPPA) and the U.K.’s Age Appropriate Design Code. The piece not only explains the distinctions between the laws, but explores the philosophical differences in approaches to children’s privacy. The goal of the Code is to put “the best interests of the child first.” The Code went into effect last September and companies have until September 2, 2021 to come into compliance.

  • The Better Business Bureau published a study examining the unique privacy risks teens face online, finding that “apps targeted to teenage users are more likely to engage in ad serving, include more third-party trackers, ask for more permissions, and offer more in-app purchases.”

  • The Digital Futures Commission and 5Rights Foundation published a report entitled “Child Rights Impact Assessment: A tool to realise child rights in the digital environment,” exploring the possibilities and benefits of introducing a children’s best interests analysis within technological innovations.

  • EDUCAUSE Exchange shared a new podcast episode on the different meanings of privacy used by privacy offers, and why this is important.

  • Last July, the Electronic Frontier Foundation launched the Atlas of Surveillance in collaboration with the Reynolds School of Journalism at the University of Nevada in Reno to provide a resource on surveillance technologies deployed by law enforcement across the country. While compiling this data, they found that many college campuses are acquiring surveillance technologies as well. This reporthighlights their findings on surveillance technologies being deployed on college campuses.

  • A resource we missed from last June: the University of Washington Privacy Office released a Privacy Policy Benchmarking Study that identifies privacy policy best practices and trends within higher education.

  • FPF released two infographics on understanding international data flows, one of which provides a simplified visual of data flows related to education technology.

  • ISTE and ExcelinEd offered best practices for states to support educators in implementing tools for online learning. One of the best practices mentions leveraging federal and state funding for professional development opportunities such as data privacy skills training.

  • The Cybersecurity & Infrastructure Security Agency, a government agency focused on improving cybersecurity across all levels of government, produced a fact sheeton Cyber Threats to K-12 Remote Learning Education to help with the rise of ransomware attacks during pandemic .

  • Australia’s eSafety Commissioner shared an infographic based on a survey of teens’ experiences and responses to encountering negativity online.

  • ConnectSafely shared Safer Internet Day lesson plans for elementary, middle, and high school students, including a topic dedicated to cybersecurity best practices for each age group.



Thanks so much for reading! Let us know if you have news or new resources we should include in future newsletters, or if we missed anything.

Related Resources

  • Uncategorized

    Checklist to Help Schools Vet AI Tools for Legal Compliance

    Apr 24, 2024

    Schools and districts around the United States are currently grappling with how to vet new edtech tools that incorporate generative AI. Whereas various groups …

    Learn More
  • EdTech Perspectives

    Demystifying the Consumer Privacy Patchwork

    Jan 18, 2024Randy Cantz

    What should edtech companies know about consumer privacy laws?As states continue to pass new consumer privacy laws, edtech companies may be left wondering what…

    Learn More
  • Higher Ed Perspectives

    Higher Education Compliance with Updates to the GLBA Safeguards Rule

    Jul 6, 2023

    Higher education institutions participating in the US Department of Education’s federal student aid programs need to be aware of recent updates to requirements…

    Learn More