But some student-privacy advocates are saying it doesn't go far enough in restricting what private companies can do with student data.
"It is a start to try to get at a very complex issue," says Elana Zeide, an expert on student privacy at the Information Law Institute of New York University, who saw an earlier draft of the bill. "But it's not going to satisfy a lot of parent advocates, because it leaves a lot of discretion to schools and companies."
Mike Goldstein, who works with education clients at the law firm Cooley, says there's been an "explosion" of interest in privacy issues over the past five years. Technological advances have schools and universities outsourcing many more basic functions than in years past. Everything from grade books to tests to entire academic programs, he adds, is being handled by third-party, for-profit providers.
And these providers are capturing far more than names, addresses and end-of-term grades. In some cases, large amounts of student work, and literally millions of tiny interactions, are collected and stored in the cloud. Think of all the edits on a school paper written in Google Docs. Or all the interactions a student has with a Khan Academy math program.
The major federal student privacy law on the books, FERPA, doesn't have much to say about this avalanche of data. That's because it deals mainly with the security of basic demographic information collected and held by schools themselves. "There's been a shift in focus in terms of privacy laws and regulations affecting both schools and colleges — from a focus on what the schools do, to what providers do," says Goldstein.
To understand this issue, Goldstein and Zeide say, it's important to separate out several distinct, but related, concerns that fall under the broad umbrella of student privacy.
1. Security. My child's information will be stolen and misused by hackers. She will be a victim of identity theft or her information will be exposed in an accidental data breach.
Setting rules about how long data can be stored, and who can access the information, helps security. The draft House bill contains some broad security provisions, but security, says Zeide, is also determined by good training and protocols, not just regulation.
2. Transparency. My child's information is being collected, circulated, stored and shared, but I don't know where or by whom or why. I won't be informed if there's a data breach.
This bill includes some provisions on disclosure and parental notification.
3. Commercialization. My child's information will be used to target online advertising or otherwise exploited for commercial gain. My child will be marketed to while she's doing her homework — or her homework will be used to sell things to other students.
This is where the House bill focuses. It would prohibit the sale of student information and the targeting of advertising based on a profile of a student assembled over time. It contains an exception, though, meant for companies like The College Board, which sells information on students who take the SAT to colleges, which is then used to target scholarship offers.
4. Reputation. My child's information will be "out there," discoverable in the ether somewhere. Her youthful mistakes and foibles, her low-income or English-language-learner status will follow her around. One day, her "permanent record" could limit her options.
These "reputational" issues are much more complicated than the rest. They cover not only privacy, as it's been discussed here, but related situations, like the recent reports of Pearson's monitoring public posts on social media for mentions of the PARCC test by students. One day, student data could start to wield reputational power similar to what a bad credit record does for adults: It could limit your ability to get a job, not just your access to credit.