Broad Congressional Proposal Would Raise Data Privacy Bar for Ed-Tech Companies
A recently released congressional proposal would trigger a swath of new requirements for how ed-tech companies handle K-12 student data they collect, and establish an independent auditing process for their data protection practices.
The drafter of the proposed measure, Rep. Lori Trahan, D-Mass., is seeking input from ed-tech companies and other members of the K-12 community on what language should ultimately be included in final legislation she plans to introduce later this year.
The proposal suggests limiting usage of student data collected by education businesses in several ways, including prohibiting targeted advertising involving students’ personal information, and banning the sale of student data except in cases of company acquisitions and sales of test-score reports for college recruitment.
Trahan presented the proposed language to allow commercial transactions for test score data as one of several points of discussion for parents, educators, students, and industry, as her office works to craft a final bill sometime around early winter, she told EdWeek Market Brief in an interview.
Sale of test score data can be a contentious issue.
Privacy advocates often argue that assessment companies don’t thoroughly inform students and parents when selling data to colleges and scholarship providers. On the flip side, some civil rights advocates assert that colleges’ purchases of test score data are useful for enrolling students from low-income school districts who may get overlooked by traditional recruitment efforts, Trahan noted.
“I believe that we can strike a thoughtful balance, and making this a point of discussion as we work on an updated draft of the legislation is key to achieving that,” she said.
Commenters have until Oct. 31 to provide input for final legislation to be introduced later this year.
In addition to prohibiting certain uses of student data, the draft legislation also outlines several allowable cases of student data disclosure for companies, including to ensure legal and regulatory compliance, participation in the judicial process, and research purposes allowed by federal or state law.
Trahan wants companies to share their views on the issue of allowable disclosure, including their experiences navigating state laws that trigger disclosure of student information, she said.
Small and midsize companies should also comment on the draft’s provision to establish “technology impact assessments” that examine the student-data collection practices of ed-tech companies, Trahan said.
The draft would task the Federal Trade Commission with organizing a process for technology impact assessments to be conducted by independent auditors of any education company deemed to host “high-risk” platforms for student data protection purposes.
The draft bill defines several criteria for what would constitute “high-risk.”
Those criteria include software platforms that pose a significant risk to privacy or security of students; store personal student information regarding race, national origin, political opinions, religion, sexual orientation, and criminal convictions; and, platforms that present the possibility of an inaccurate, unfair, biased, or discriminatory decision that impacts a student.
The independent technology impact assessments would be required to describe the data that companies collect, provide a risk analysis considering harms to students, discrimination, and accessibility; and, explain companies’ risk mitigation processes.
The draft bill identifies the provision for independent auditors to conduct technology impact assessments as a point of discussion for K-12 stakeholders to have in the leadup to a final bill.
Ed tech, including artificial intelligence-influenced ed tech, is not subject to the same certification requirements as other critical industries, such as the legal and accounting professions, which require many practitioners to undergo continuing education and outside auditing processes, Trahan said.
“Ideally, legislation like ours could provide the incentive to scholars and standards-making bodies to create a certified [ed tech] industry,” she said. “But you don’t arrive there until you hear from small and midsized companies so that we can understand the burden that may come with them hiring potentially expensive, and currently uncertified auditors.”
Though the draft bill has not been formally introduced in Congress yet, Trahan hopes to work across party lines, as well as with lawmakers interested in relevant tech topics like AI, as her office draws up final legislation. Twenty-seven House lawmakers compose the bipartisan Congressional AI Caucus.
The draft measure is “extremely comprehensive,” and the public participation process will allow the K-12 community to address any potential gaps they might see in the legislation, said Ariel Fox, senior counsel for global policy at Common Sense Media.
Fox lauded the proposal for establishing a formal process for external audits of companies’ data protection practices. In recent years, such provisions have generally been left out of ed-tech legislation proposed within the U.S.
The impact assessment provisions draw from language embedded in the EU’s General Data Protection Regulation, or GDPR, and the UK’s Age Appropriate Design Code. Both of those regulations direct companies covered by the regulations to deeply vet how their software impacts users’ privacy.
“A concept that we see a lot in international laws is this notion that companies should really take a hard look at what they’re doing with data, what they’re collecting, why they’re collecting it,” Fox said. “It’s exciting to see that in her proposal as well.”
Image by Getty