In 2021, a group of parents concerned about the hundreds of digital applications being used in classrooms founded a national group called the Student Data Privacy Project (SDPP) to push for protection of students’ data, led by cybersecurity expert and law professor Joel Schwarz of Bethesda, parent of three MCPS students.
After two years of appealing to the Department of Education for better protection without success, the SDPP is now turning to the Federal Trade Commission (FTC) for help.
“These for-profit companies are trojan-horsing right into the classroom under the nose of the district, under the auspices of education,” said Lisa Cline of Gaithersburg, an SDPP member and mother of an MCPS high schooler. “Their apps are free — and they’re free because the kid is the product. It’s predatory and persuasive by design.”
Schwarz and other members of the group met with the FTC’s Division for Privacy and Identity Protection in January and again on Wednesday to discuss ways of discouraging companies from collecting and selling children’s school data for marketing purposes.
“It was a very productive meeting,” he said. “This is definitely on their radar.”
He said the FTC is still exploring the topic and that conversations are ongoing. The FTC could not be reached for comment.
Montgomery County Public Schools currently approves between 300 and 400 third-party digital applications for use in schools, according to its website. The providers of these apps — called education technology vendors, or edtech — span everything from Zoom and Canva to LEGO and Minecraft.
The apps are capable of harvesting millions of datapoints on student users every year, and a 2022 report by the Human Rights Watch confirms that they’re doing so with great regularity. The data can be used to create intimate profiles of student users — including age, usage habits, socioeconomic status, medical diagnoses, race or ethnicity, personal interests and academic progress.
A recent study conducted by the Internet Safety Labs found that over 96% of edtech applications share children’s personal information with third parties, 78% of the time with advertising entities. Andrew Liddell, a lawyer and parent from Texas who co-leads the SDPP, said the data reveals an alarming problem that should spur more parents to action.
“Everybody’s eyes glaze over when you talk about data,” he said. “This is about liberty and democracy. When every single thing your kid does is logged and given away and used to make judgments about them without your knowledge, that’s a problem.”
MCPS spokesperson Jessica Baxter told MoCo360 in an email that the school district shares parents’ desire to protect student data from misuse, writing:
“We don’t believe that student data should be used for anything beyond its intended use within the application and for the improvement of instruction for our school communities.”
Schwarz said the district has a legal obligation to regulate and supervise all edtech vendors.
“When MCPS approves the use of a digital app, they’re responsible for maintaining the privacy of student data collected by that app. You can’t get away from privacy laws by passing the responsibility off to a third party,” he said.
Baxter wrote that the school district “does not centralize the management of mobile applications” but provides a central resource for staff and students to verify which applications have been vetted and approved for use.
When asked what steps the district takes to ensure edtech providers only use student data for educational purposes, Baxter wrote:
“The work we do with our legal and procurement teams before any agreements are signed, ensures that the terms and conditions offered by the third-party vendors and providers are only using the data for educational purposes. These are terms agreed to before engaging with third-party providers.”
The protection of student data falls under the Family Educational Rights and Privacy Act (FERPA), a federal law that gives parents right-of-access to their children’s school records. FERPA was enacted in 1974 and last updated in 2013. Cline says the law is severely outdated and ill-equipped to protect against a barrage of new digital threats.
“There’s been an onslaught of these apps in the last five years,” she said. “I just don’t think humans have caught up with the need to regulate and monitor them.”
Baxter wrote to MoCo360 that the school district works closely with its Office of General Counsel and its Procurement office to ensure all edtech providers adhere to school policies that protect student data, particularly as it relates to FERPA compliance.
The only government agency that can legally enforce FERPA is the federal Department of Education, according to the department’s website. The only real option for penalizing a FERPA violation is to take away federal school funding, Schwarz said—something the department has only done twice in almost 50 years, according to Schwarz’s research.
In July 2021, SDPP led a coordinated nationwide push for FERPA enforcement. Fourteen parents across the country — including three from Montgomery County — filed complaints with the Department of Education asking for access to the data collected by edtech vendors on their students and citing FERPA. Schwarz and Cline both filed complaints as members of the group.
Two years later, only one of the 14 parents has received a substantive response — a family from Alaska. Schwarz and Cline both said they never heard back about the status of their complaints. The department could not be reached for comment on the complaints.
When Silver Spring parent Mohit Chadha filed a similar complaint in 2020, he said the school district provided only his middle schooler’s Google and Zoom log-in credentials. Beyond that, he was told he needed to specify the data he wanted to access.
“This was frustrating because this is exactly what we want to know — what data they’re gathering. It’s a catch-22. How can we ask what we don’t know?” he said, adding, “I don’t want my daughter to be a datapoint for whatever financial schemes these Silicon Valley companies have.”
After two years of pushing for better FERPA enforcement, Schwarz’s group is shifting its focus to a similar law called the Children’s Online Privacy Protection Rule (COPPA), enforced by the FTC. It’s not a school-specific regulation, but it bans companies from collecting personal data on children under 13 without parental consent.
Edtech vendors tend to be exempt from COPPA, according to the language of the code, but there are notable exceptions.
“For example,” Schwarz said, “if edtech vendors are collecting student data under the guise of educational purposes and then marketing it for profit, should the FTC consider that a deceptive trade practice?”
He said that as conversations continue with the FTC, the SDPP’s goal is to recreate its 2021 initiative by rallying parents across the country to file requests for their students’ data, this time citing COPPA instead of FERPA.
“At the end of the day, there needs to be some disincentive to selling student data to marketing companies,” Schwarz said. “Right now, there’s no deterrent and a lot of money to be made.”