11323371164_a7afcabaa6_b

By Brian Heuberger

Many educational software and application programs help improve the efficacy of the learning experience for schools and students. However, the frequent use of educational programs also creates a problem in which software companies can collect and sell private information about students.

Colorado State Rep. Alec Garnett helped sponsor House Bill 1423 to address this pressing issue. The student data privacy bill prevents companies from collecting student information, protects children from having their private data exploited and features many provisions that are superior to any other privacy bills.

Numerous programs are currently being used in the educational setting. 

  • Schools can use technological programs to develop, evaluate and analyze tests.
  • Teachers can use programs to deliver course lessons and convey class information.
  • Students often use programs to learn material, complete assignments and improve their test scores.

Why Student Data Collection is a Problem

Image: Associated Press.

Although innovative educational programs have many advantages, the platforms also render students vulnerable to having their information used against them in the future. Companies can sell private information to:

  • Background check organizations, which use the data when making decisions regarding college admissions, insurance rates, home mortgages or financial loans.
  • Marketing firms, which can use the information to target individual students and customize advertisements according to their tendencies.

Garnett, a Denver-based Democrat, sponsored the student data privacy bill to circumvent these hazards.  

The situation raised concerns where profiles of students were being collected,” says Garnett, “and there are a lot of people in the marketplace who would be interested in the profiles. The possibilities for where they can sell the profiles are endless, and that is what was so concerning to the parents.”

How Colorado’s Privacy Bill is Tougher Than the Rest

While 12 other states have passed student privacy legislation, certain distinct features make the Colorado bill unique and superior to the bills passed by other states.

The bill provides a much more comprehensive definition of what constitutes personally identifiable information. Personally identifiable information relates to data that can identify a student, like name, birthdate, address and social security number. The bills passed by other states prohibit software companies from collecting and selling any personally identifiable information.

However, companies can also use general aggregate data to specify the identities of individual students. “Aggregate data is when you’re collecting information in bite-size chunks that can be tied to a class, school or district,” explains Garnett.

Colorado’s bill expanded the definition of personally identifiable information.

But they have sophisticated algorithms that can take a ton of aggregate data, combine the information, and then infer who the individual students are,” he says.

“So if everything you’re collecting is aggregate but can then be used to infer the identity and behavioral traits of an individual student, then you have to treat it as personally identifiable information.”  

As a result, the Colorado bill expanded the definition of personally identifiable information to include any aggregate data that can be used to establish the identities and behavioral patterns of individual students.   

The Colorado privacy bill is also more comprehensive regarding the types of software vendors who must adhere to the bill. Whereas other states only make the privacy laws applicable to mainstream software vendors who sign contracts with school districts, the Colorado bill also applies to other clickwrap vendors that many teachers and students utilize.  

Individual teachers or schools might find an application online that’s great at delivering the curriculum,” explains Garnett, “but the teachers and students click through the terms and conditions of those apps, and the reason the apps are free is because they are mining the data.”

This vendor specification helps teachers and administrators understand the extent of their use of software. “No other state identified between different levels of vendors, so we defined that those exist and defined what can take place with smaller clickwrap vendors.”

Demanding to Know “Why”

Transparency provisions were also included in the privacy bill. The law establishes that the software companies must report the information they are collecting and explain the reasons why they are collecting the data. Although the companies can gather data that would help them improve the quality of their products, the companies are prohibited from collecting any information that can relate to the identities of students.

The need for the companies to destroy their data is another essential aspect of the Colorado bill that is distinct from any other state bill. Whereas other states used the word “delete,” Colorado instead requires that the companies “destroy” the data.  

When you use the word delete,” explains Garnett, “firms don’t fully delete the data. They keep it forever, and when the contract ends with the school district they can just retrieve the data on the server later down the line.

This nuance sparked the need to be more clear about where the data is stored during and after a vendor contract. “So the word destroy is a stronger definition in terms of getting rid of the data. If a contract ends with a school district, the companies must get rid of the data so they cannot later pull it back up, use it for commercial purposes or sell it to another entity.”

Student Privacy Motivates Politicians to Cross the Aisle

Image: Wikimedia.

The unanimous passing of the Colorado student data privacy bill was an impressive achievement, especially since a similar bill failed to get passed last year. In contrast, the 2016 bill developed by Garnett received complete bipartisan support, moved seamlessly through each committee and then was approved with unanimous votes in both the House and the Senate.  

The bill came out of bipartisanship between me and Rep. Paul Lundeen,” says Garnett.

We kept each other more in the center as we got through the process. We also did our due diligence working with other members and making sure that the Senate knew where we were the entire time to limit having disturbances.”

Placating the software industry was another remarkable feat that assisted the unanimous passing of the bill. The previous bill failed because the software lobbyists impelled many House and Senate members to oppose and reject the bill.

However, with this bill Garnett was able to generate reasonable compromises, receive support from the software industry and avoid any opposition to the provisions.   

There were obviously tech firms that weren’t happy with the legislation,” explains Garnett.  

But we had taken the time to sit with them and go through the bill many times. In the end, they realized that we were knowledgeable enough on the topic to push back. They weren’t getting anywhere, they were losing the public relations battle and so they decided not to stir up a disturbance.”

On June 10, 2016, the Colorado student data privacy bill was officially signed into law by Gov. John Hickenlooper. With the bill being implemented, all contracts that schools or districts form with software vendors must accommodate the requirements established by the student data privacy bill.

Garnett now hopes that the many unique advantages of the Colorado bill can protect the privacy of students, relieve the concerns of parents and serve as a national model for a federal student privacy bill.