Congresswoman Lori Trahan’s New Student Privacy Discussion Draft

Congresswoman Lori Trahan’s New Student Privacy Discussion Draft

In August 2021, Representative Lori Trahan (D-MA) released a “discussion draft” of a piece of student privacy and education technology legislation. Representative Trahan has asked stakeholders to submit comments by October 31st, 2021, particularly from students, parents, educators, and other parties who would be affected by the legislation.

Here is everything you need to know about the bill before diving in deeper:

Background: Relevant State Legislation

Student Online Personal Information Protection Act (SOPIPA)

California’s SOPIPA (SB1177 (2014)), signed into law in 2014, regulates “operators” and generally prohibits operators from using covered student information for targeted advertising, creating profiles of students, and selling or disclosing covered information. Many states used California’s SOPIPA as a framework for their own student privacy legislation.^[1]

Representative Trahan’s Bill

What are Key Differences between Trahan’s Bill and Other State Privacy Laws?

Expanded Definition of Operator

Trahan’s bill would govern “operators” – defined in its text as an “operator of a website, online service, online application, or mobile application with knowledge that the site, service, or application is used for K-12 school purposes or was designed and marketed for K-12 school purposes.”

The table below compares this definition to the definition of “operator” in California’s SOPIPA and in a couple of other representative state student privacy laws.

The operator definition in Trahan’s bill differs from SOPIPA and other existing state student privacy laws in the following ways:

• it lacks a requirement for actual knowledge;
• it lacks the specification that a product’s use for K-12 school purposes be a primary use; and
• it includes products used for K-12 purposes even if those products were not designed and marketed for those purposes, and it includes products designed and marketed to K-12 school purposes even if they are not used for those purposes.

The exclusion of the “actual” modifier preceding “knowledge” can end up covering more operators. Actual knowledge would cover an operator who, in reality, knows about or is aware of a product’s use for K-12 school purposes. “Knowledge” would cover an operator who has something less than actual knowledge, such as an operator who is presumed to know or should know about such use of their product. This is, in some regards, a good thing: it does not allow would-be-covered-operators off the hook by willfully burying their heads in the sand about where and how their products are used. On the other hand, even if an operator has a product that was not originally intended for the K-12 space but has some use in that space, it can be harder to keep tabs on it, which could raise questions about fairness.

The bill’s lack of specification that a covered operator’s product must be primarily used for K-12 purposes leaves a vacuum with regard to a use threshold. The wording of the bill’s current operator definition could cover any use at all of an operator’s product in a K-12 space. WIthout further definition and clarification, it could also present a challenge for vendors who make products used both in the K-12 and higher education spaces, especially when the same product is used in both. Issues of fairness are again present here: would an operator be bound by the proposed law if one teacher used the product in the classroom when the operator had no intention that that product be educational? This is certainly a situation that could arise, especially given there is no requirement that the products of covered operators be marketed or directed at schools. The drafters were likely trying to avoid situations possible under SOPIPA and similar state law language where a company could know full well that its app or web site was being used in schools, but claim that it was not designed for that space, and thus avoid liability under the law.

While aiming to address this issue in the current bill language could help foster trust in technology for schools and students, such broad language raises its own issues of fairness that could be stifling for companies. An operator definition that sits at a happy medium between the shortcomings of SOPIPA and the overbreadth of the discussion draft in this regard and that includes a threshold for use would be beneficial: it may be useful for the eventually introduced bill to make sure companies who have a lot of market share for K-12 schools are covered, and that those companies that are adopted in schools without proactive marketing toward schools are not.

Technology Impact Assessments

The one area where the Trahan bill significantly diverges from SOPIPA or otherwise similar state statutes is the proposal of technology impact assessments. Here are the highlights of this section of the bill:

• Technology impact assessments are only required from operators that deploy high risk automated decision making systems in their products.
• Technology impact assessments must be provided to the FTC and to customers, and a modified version must be published on the operator’s website.
• Within 18 months of the law’s passage, the FTC must provide guidance on standards and practices for technology impact assessments (and the public version of the technology impact assessments), which must include information on:
  • A description of the service provided by the operator, including the purpose, goals, and benefits;
  • A description of the data collected, including nature, quantity, frequency, retention, and the purpose for the use of the data;
  • A description of the components, data architectures, user interfaces, connections, dataflows, and automated decision systems;
  • Justification where student data is being used for research;
  • A risk analysis that must consider potential harm to the “cognitive, physical and socio-emotional health, and wellbeing of a student”; discrimination; and lack of accessibility for students with disabilities and English as second language students; the exploitation risk of a student; and data breaches and adversarial attacks.
  • A description of the risk mitigation processes and procedures, including consultation with stakeholders, parents, students, teachers, and experts on education, privacy, security, and technology;
  • Any other necessary information.

Though we do not know the drafters’ specific intentions for adding this section, some of the language provides insight. For example, assessing user interfaces could be in response to concern about children and dark patterns; assessing automated decision making systems could be trying to address the desire to regulate algorithmic decision making in education; and auditing impact on potential harm to student health could be trying to address concern and interest about the online influence on children’s health and wellbeing discussed in the Senate Commerce Committee hearing on mental health for teens,^[2] the Future of Privacy Forum’s Self Harm Monitoring paper^[3], and more. Awareness of and proactive responses to these issues would contribute to a safer, more responsible online environment for students, and would in turn build trust and accountability for education technology companies.

The proposed technology impact assessments do not come without challenges. The novelty of audits in this context leaves us without sufficient detail for effective evaluation– the placeholder for discussion left in this section demonstrates that this is one of the sections where comments are particularly important. Requiring a third party auditor is another point for discussion, as it would bring a certain COPPA-style auditing to K-12 education technology, but it would likely have all of the costs and none of the benefits of COPPA’s safe harbors. Also, the definition of “covered operator” could be confusing to companies: the bill only requires technology impact assessments for “covered operators,” which does not mean operators that collect the defined term “covered information,” but rather operators with a product that includes a high-risk automated decision system. This means that it is up to the vendor to determine if they qualify, so from the school and user perspective, it is impossible to know if the vendor does not do high risk automated decision-making or if they did not do the analysis. Further, the bill requires technology impact assessments for vendors that have products that do high-risk processing, rather than for products that do. The technology impact assessment needs to be at the product level, and there should not be a requirement for a vendor that has some products that do high-risk processing to perform data privacy impact assessments for all products.

Though there are challenges associated with the technology impact assessments as written, addressing these challenges is possible. We envision a system where if screening indicated the need to do a technology impact assessment, the vendor would complete something that looks more like a GDPR-style data privacy impact assessment. Ideally, all vendors that fall into the definition of providing an ed tech service would be required to provide a standard disclosure or privacy notice, similar to the financial privacy rule of the Gramm-Leach-Bliley Act, that would standardize the contents and the appearance of the notice. A requirement to disclose the screening or privacy threshold analysis for all operators would also be ideal, as would a privacy impact assessment for vendors where the privacy threshold analysis indicated that a technology impact assessment is required. A dedicated committee or evidence-based policy commission could be used to help make this section more useful for schools.

Private Right of Action

Trahan’s bill creates a private right of action for any individual who suffers harm as a result of a violation of the proposed law. Such an individual could bring an action against an operator in the appropriate district court for remedies including damages for actual harm, damages between one hundred dollars and seven hundred and fifty dollars per individual per incident, injunctive or declaratory relief, or any other relief deemed appropriate by the relevant court. In assessing statutory damages, the court would consider things like “the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.”

Other Notable Differences:

Trahan’s bill also provides rights to students’ parents, granting them direct access to or correction of data from companies. Protecting and prioritizing parental rights in connection with their child student’s data is an important aspect of child and student privacy legislation that helps increase parent trust and transparency; however, it should be balanced with practical implementation. In practice, this provision puts education technology companies in a difficult position. Companies do not always have data this specific and may be unable to trace which data comes from exactly which parent’s child in order to delete or access it when confronted with a request directly from a parent. This provision should be balanced to protect parental rights within the scope of what information companies have access to and what actions they would be able to take in practice.

The bill’s requirement that the operator or successor entity in the case of a merger or acquisition “notify each student, parent, and teacher, as applicable, of any covered information of that student, parent, and teacher that was acquired” raises similar logistical concerns. Notification of each of these groups specifically would be cumbersome and impractical for companies. Furthermore, the “as applicable” language also feels imprecise and does not provide helpful direction. Ideally, the operator or successor entity would notify whoever entered the relevant data, and then that account holder would have the decision of whether or not they want the data deleted.

Another notable inclusion in Trahan’s bill that we do not see in similar state student privacy laws is the requirement that an operator implement reasonable security procedures and practices that “disclose publicly and to each educational agency or institution to which the operator provides a school service, in a contract or privacy policy in a manner that is clear and easy to understand, each type of covered information collected or generated (if any), the purposes for which the covered information is used or disclosed to a third party, and the identity of any such party.” This is not without precedent in other spaces, though. It certainly leans into the GDPR-style approach of requiring a legitimate interest for processing data. It is not unlike the Department of Education’s model terms of service requirement that names of subcontractors be shared upon request,^[4] or the requirements in COPPA, where the operator must provide the school with the same type of direct notice regarding its practices as to the collection, use, or disclosure of personal information from children as it would otherwise provide to the parent.^[5]

Likelihood of Adoption

We can never say for certain whether or not a bill will be adopted, but there are influencing factors that make that adoption more or less likely. The discussion draft of Trahan’s bill is being introduced at a time where child online privacy is at the forefront of many minds, largely due to increased online educational activity caused by the COVID-19 pandemic. Though the infrastructure bill has taken the front burner, Congress, state legislatures, and the FTC have all still shown interest in child and student online privacy. This coupled with the fact that protecting children is a bipartisan issue increases the likelihood that a revised bill will be adopted.

Preemption

The proposed Trahan bill specifies that the legislation would not affect or alter protections and guarantees in FERPA, the Children’s Online Privacy Protection Act of 1998 (COPPA), or any other Federal statute relating to privacy protection. However, its relationship to state laws remains unclear. The issue of interplay with other state laws was left open for discussion in the bill’s draft. Obviously, this is a major implementation wrinkle that would need to be ironed out before adoption could be possible. A law that plays nicely with other laws would be most practical here: it would protect student privacy without imposing undue burdens on national education technology vendors that would hinder their ability to provide services to students.

Enforcement

The proposed Trahan bill provides for enforcement of the law by the Federal Trade Commission, as well as state attorneys general. The role of the Department of Education in the bill as written, which would provide for guidance and technical assistance related to data security, is minimal. The Department of Education is uniquely positioned to provide support to schools and companies in implementing student privacy law. At a minimum, the Department of Education has experience with aspects of the technology impact assessments, such as accessibility audits, and would be well-qualified to write sections of the assessments such as analysis on the value and effectiveness of the service and the merits of the research section of the assessments. The Federal Trade Commision would stand to benefit from relying on the Department of Education’s expertise regarding enforcement, and the bill drafters should allow them the ability to do so.

 Conclusion

The importance of protecting student privacy online is immeasurable. And as more and more students and schools use online education solutions through the COVID-19 pandemic, student privacy online is perhaps more important than ever. The Future of Privacy Forum is excited to see lawmakers taking on these issues — and as we are acutely aware of the intricacies involved in navigating student privacy, we are especially excited that lawmakers like Representative Trahan are making space for discussion and improvement surrounding proposed legislation.

The proposed bill will likely be introduced later this year or early next year, and there may be significant changes before Representative Trahan introduces it in Congress. Once introduced, the bill will be referred first to the House Energy and Commerce Committee. The bill also has potential for appropriation, as there could be a significant amount of money needed in training, enforcement, and more.

Key Resources and References

• The Bill Discussion Draft
• The Accompanying Discussion Guide
• Discussion Draft Summary
• Where to submit comments

[1] Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Washington, D.C., Georgia, Hawaii, Illinois, Iowa, Kansas, Maine, Maryland, Michigan, Nebraska, Nevada, New Hampshire, New York, North Carolina, Oregon, Tennessee, Texas, Utah, Virginia, and Washington.

^[2]https://www.commerce.senate.gov/2021/9/protecting-kids-online-facebook-instagram-and-mental-health-harms

^[3] https://studentprivacycompass.org/wp-content/uploads/2021/09/FPF-Self-Harm-Report-R4.pdf

^[4] “Provider agrees to share the names of these subcontractors with User upon request.”

https://studentprivacy.ed.gov/sites/default/files/resource_document/file/TOS_Guidance_Jan%202015_0%20%281%29.pdf

^[5] https://www.ecfr.gov/current/title-16/part-312