Student privacy and the law of unintended consequences

In 2014, the Louisiana legislature passed a law to protect student privacy. It required parents to approve nearly any collection and sharing of student data. In other words, no student information — no accomplishments or addresses, no batting averages or GPAs — was to be shared without a parent’s express permission.

And the law wasn’t merely a suggestion. It had teeth. Violations — even accidental ones — by teachers or principals, carried with them the weight of fines and jail time.{mosads}

But protecting student privacy wasn’t the only outcome of passing this particular law. Facing the possibility of heavy fines or ending up in prison for even a well-intentioned mistake, teachers and administrators in a number of schools told us they were so afraid that they stopped collecting or sharing data for almost any reason. They stopped printing school yearbooks. They stopped announcing football players’ names at games. They stopped hanging student artwork in the hallways. Some even stopped referring students to state scholarship funds. All unintended consequences of a well-intentioned effort to protect student privacy.

The truth is, schools have always collected a wide range of information about students — because educators need to know about the students they serve. Administrators need academic information, assessments, demographics, discipline records, and teacher reporting to run schools and districts effectively. Teachers and principals use student data to inform effective instruction and individualized lessons. Parents use it to support academic growth at home. Policymakers use aggregate data to allocate resources and hold schools accountable.

Technology, too, is making it easier, faster, and less expensive to analyze data and learn from it — to the benefit of students. Some school systems can predict which students have the highest risk of dropping out before graduation. In Chicago Public Schools, over seven years, the rate of students on track to graduate rose from 57 percent to 84 percent — at least partly thanks to teachers and administrators using data-driven indicators to identify students who needed a little more help. Schools in Massachusetts use similar predictive analysis to identify students in danger of dropping out so educators can help them stay on track for college and careers.

Despite the positives, data breaches still feel like daily occurrences. In a world where only 28 percent of Americans believe tech companies can be trusted to do the right thing always or most of the time, and 83 percent think we need tougher regulations and penalties for breaches of data privacy, it’s easy to see the perspective of legislators, acting in what they see as the best interests of students — of their children. But there is such a thing as over-legislating — reacting to a perceived threat without fully appreciating the full breadth of the landscape that surrounds it.

Despite the best of intentions, some efforts to protect students inadvertently undermine our schools’ ability to best serve students. We hamstring our schools and their partners with unintended consequences when we’re just trying to keep our students safe.

Of course, privacy is especially important when it comes to our children. A breach of their information could lead to financial fraud and identity theft. Online, children may access inappropriate content, get bullied in their bedrooms, or not realize what they’re watching is actually a commercial. {mossecondads}

Because of the heightened risks to children, Congress has passed laws specifically to protect them. The federal Child Online Privacy Protection Act (COPPA) provides privacy protections for children that exceed adult safeguards, and the Family Education Rights and Privacy Act (FERPA) grants enhanced protections to students and their parents. Beyond federal law, policymakers in 39 states and DC have passed more than 120 new laws protecting student privacy since 2013. But laws are just words on paper until they are applied.

As we enter a year that promises to introduce more privacy legislation in the United States than ever before, it is time for state legislatures to fully fund and enforce the laws they have already passed.

In many states, there has never been an enforcement action over student privacy. If policymakers really want to protect student privacy, they should put their money where their mouths are and fund training so that every person who interacts with student data knows how to protect it — and the U.S. Department of Education, the Federal Trade Commission, and state law enforcers should commit more resources to investigating and prosecuting violations of existing student privacy laws. 

Finally, as state legislatures contemplate new student or child privacy laws, they should carefully consider all possible outcomes — and take the time to anticipate and avoid unintended consequences. Having people on-the-ground — teachers, administrators, parents, students, and ed tech companies — involved can help keep well-intentioned laws from limiting important uses of data and technology in the classroom. 

Jules Polonetsky is the CEO and Amelia Vance leads the education privacy project of the Future of Privacy Forum, a nonprofit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies.