A look at student-data issues as the 2023-24 school year approaches

By Dani Tietz

Prospects for the 2023–24 school year are on the horizon.

With just a month of summer vacation remaining, parents throughout Champaign and Vermilion counties are registering their children for school. In a tradition that used to take place with paper, pencil, and a checkbook at each school, districts across the nation are now using digital registration systems, such as Skyward, to handle student enrollment.

Online registration tools are just one example of the digital world in today’s education system. Instead of books, pens, and paper, many students now have access to district-provided devices for use throughout the school day, and sometimes even at home. This is the case in the Mahomet-Seymour School District, where each K-12 student has a district-issued device. 

The school registration process requires parents and guardians to sign an Acceptable Use Policy Agreement that lays out the student’s responsibilities while the device is in their possession. The documents lay out guidelines as to how they are to care for the equipment, not tamper with security measures, use the device in an acceptable manner, and not share personal information. 

This policy is not unique to Mahomet-Seymour. Parents registering their child in St. Joseph’s two school districts or the Oakwood School District acknowledge their liability for district-issued devices, too. 

But what may not be at the forefront of every parent’s mind when they go through the registration process or when they are helping their child with a math problem during the school year is the service agreement the district signs with a technology company, outlining what data the company can collect from students and their parents.

In fact, parents may not even know where to get the information. That’s because you have to know where to look. St. Joseph CCSD #169, St. Joseph-Ogden High School, the Oakwood School District, and the Mahomet-Seymour school district have their Data Privacy Agreements linked with the SOPPA information required by law.

According to Illinois’ Student Online Personal Protection Act (SOPPA), school districts are required to post a list of all operators of online services or applications utilized by the district, all data elements that the school collects, maintains, or discloses to any entity, and post subcontractors for each operator for parents to see. 

For the Mahomet-Seymour School District, that’s 105 companies that collect data from students and their parents. A few of those companies include Khan Academy, College Board and Peeble Go. In a district like Oakwood, a K-12 school district, there are 27 companies collecting student data while they work online while at St. Joseph CCSD #169, a K-8 district, there are 53 agreements and at St. Joseph-Ogden High School, there are 49 agreements. 

Districts with different structures, elementary and junior high, or K-12, needs vary. Usually, teachers request a platform that suits their classroom needs. Each district has their own process for approving online resources for students, but that process usually ends with a data privacy agreement between the school district and the technology company. 

Student data collection often begins during registration. 

For example, Mahomet-Seymour’s platform, Skyward, has indicated that they collect IP addresses and cookies, standardized test scores and observation data, student daily attendance, online communications, behavioral data, demographic information, course information, low-income status, health data, living situations, student-generated content and responses to surveys and questionnaires, grades, and transportation data, including pick-up and drop-off locations, among other information. 

Several laws come into play when discussing student information. School districts are bound by FERPA (Family Educational Rights and Privacy Act), a Federal law that protects personally identifiable information in student education records. In order for the school district to release personally identifiable information to a third party, the parent or legal guardian must agree. 

There are some exemptions, though. Data that is shared for educational purposes, including data shared on online platforms, meets that requirement. 

COPPA (Children’s Online Privacy Protection Act) reinforces that measure, permitting schools to act as substitutes for consent when the website or application is solely used for educational purposes and not for any commercial intentions. It also governs the manner in which website operators or online services can gather personal data from children under 13 years old.

These guidelines, issued and enforced by the Federal Trade Commission (FTC), give parents control over what information is collected online from children under the age of 13 and require school districts to give parents ample opportunity to understand who is collecting data, what data each company collects, and what their rights are. 

COPPA prohibits digital businesses from requesting more information from children than is legitimately required for them to participate in an activity. Businesses also cannot demand that schools and parents give up children’s privacy rights in return for access to learning resources.

Understanding that parents and students have no other choice but to allow tech companies to collect their child’s data within a school setting, the FTC warned education technology companies that stricter laws were coming in 2022. 

“Students must be able to do their schoolwork without surveillance by companies looking to harvest their data to pad their bottom line,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in an online statement.  “Parents should not have to choose between their children’s privacy and their participation in the digital classroom. The FTC will be closely monitoring this market to ensure that parents are not being forced to surrender to surveillance for their kids’ technology to turn on.”

Rules like these have to be in place to protect children. Still, some companies, including some that work with school districts, are using data from children to profit. 

Common Sense Media, an organization that reviews and provides ratings for media and technology with the goal of providing information on their suitability for children, claims that even if they pretend otherwise, the majority of the most widely used kid-targeted apps and internet platforms are probably making money from user data. 

Local school districts do not use all 200 of the Common Sense Media reviewed apps, but some of the most used educational websites, including Remind, Khan Academy, Class Dojo, Quizlet, and ABCya, received “warning” labels, while websites like Google Classroom, Seesaw, and Kahoot received a “safe” rating. 

According to a study by Internet Safety Labs, a nonprofit organization that conducts product safety testing and research, nearly all apps (96%) share children’s personal information with third parties, and 78% of the time with advertising and monetization entities. This sharing of information typically occurs without the knowledge or consent of the users or the schools.

Companies get away with this because they scrape personally identifiable information from the data and use metadata. By monitoring a child’s, or their family’s online activities, including clicks, viewed content, and duration, from the student and parent profiles, the educational tech companies are able to package a product to sell to third parties. This information encompasses both in-app behavior and, in certain cases, extends to their internet usage beyond the specific application. 

Student data is not just exposed through a company’s willingness to share data, but as schools widen their scope of providers, data breaches have also become more common.

According to a report by the Identity Theft Resource Center, there were 1,073 data breaches affecting educational institutions in 2021, up from 824 in 2020. The report also found that the average cost of a data breach affecting an educational institution was $8.2 million.

According to a report by Comparitech the US has experienced 2,691 data breaches, affecting nearly 32 million records since 2005. 

An instance of this can be seen in Consumer Reports’ investigation, where it was discovered that the College Board, the nonprofit entity responsible for administering the SAT test and Advanced Placement exams for high school students seeking college credit, shares student activity information with no less than seven technology companies that capitalize on advertising. Among the recipients on the list are Adobe, Facebook, Google, Microsoft, Snapchat, Yahoo, and an advertising network known as AdMedia.

While school districts may not have much control over what companies do with student data as it enters the systems of tech agencies, they are required to monitor if the companies have a data breach and notify parents.

Within the last decade, Pearson, Knewton and McGraw-Hill Education have been found guilty of data breaches. Additionally, Pearson, Knewton, and McGraw-Hill Education have all faced criticism for their excessive student data collection practices and the utilization of such data in ways that may not align with students’ best interests, including tracking students’ behavior. Furthermore, concerns have been raised about the lack of transparency regarding the amount and purpose of data collected.

School districts frequently adopt single sign-on solutions, which provide users a single login to access all of their apps, to lower the number of cybercrimes. In addition to making it simpler for instructors and kids to access programs, this move gives district IT workers control over who has access to specific systems and data. With a single set of issued credentials, the end user can sign in to numerous programs and tools at once.

Single Sign-On (SSO) effectively minimizes the number of attack surfaces by enabling users to log in just once per day using a single set of credentials. This streamlined approach significantly enhances enterprise security since it eliminates the need for multiple logins with different credentials. By reducing the complexity of authentication to a single set of credentials, SSO fortifies the overall security posture of the organization.

They also provide student-monitoring software, like Go Guardian and Securly, to scan students’ online activities and content, looking for concerning indicators like self-harm, suicide, violence, bullying, pornography, profanity, or illegal behavior. Student activity can lead to an alert, a blocked feature, and sometimes even punishment. 

Another tool is a secured wifi network that filters and monitors activity while a user, whether its a student or not, is connected. 

In a world where the boundaries between the classroom and other areas of a child’s life are often blurred, these monitoring systems, which can access devices and browsing data, pose questions about personal autonomy. With device-based monitoring, district officials can access more precise location data, record application usage, or provide teachers with the means to remotely shutdown, restart, and log-in to a student’s school-issued device.

Schools also have to think about their legal responsibility to comply with the Children’s Internet Protection Act (CIPA). Once the device leaves the building and is on a different, oftentimes less secure network, students have access to additional features that they may not have during school hours. Chromebooks, for example, are a favorite in school districts because they have default settings for phishing and malware alerts. Each district’s Acceptable Use Policy also requires students not to change school settings. 

While Chromebooks generally provide a safe platform for students to learn on, part of the agreement parents sign when agreeing to register their child for school or when they agree to the district’s handbook, allows for the district to provide the child with an email address. 

These emails addresses give students access to platforms, like Google Classroom on a Chromebook. Not too long ago, students completed school work on paper, whereas today, most assignments are completed through forms or documents on a district-issued device. 

In the past, the paper model allowed students the liberty to choose whether to retain or dispose of their work as they pleased. However, the current approach grants students access to their work through the district’s device, effectively giving the district the power to decide whether to retain or delete the student-produced data.

In a 2019 school board meeting, Mahomet-Seymour revealed that student data collected through district-issued devices was never destroyed. St. Joseph CCSD #169 deletes all student Google accounts and their data the month after they transfer from the district or graduate.  In contrast, Heritage keeps student accounts active for a few years after the student graduates in case the child needs access to information regarding their next stages in life. 

The expansive and continually growing online educational platforms have raised flags in the past, and continue to call for legislation to consider the impacts on students and their families. 

In a nation with limited internet regulations, the United States Senate Commerce Committee approved COPPA 2.0 on July 27, a significant update to the Children’s Online Privacy Protection Act. This amendment raises the age of protection from 13 to 16 years old, aiming to provide enhanced safeguards for children’s online privacy. Additionally, the new legislation prohibits platforms from targeting advertisements at kids, further bolstering the protection of young users on the internet.

Bill sponsor Senator Edward J. Markey (D-Mass.) released this statement after the unanimous decision.

“The safety and wellbeing of kids and teens online is a kitchen-table, bipartisan priority for American families, and it should be a bipartisan priority in Congress. Today’s unopposed vote to advance COPPA 2.0 through the Senate Commerce Committee is a tremendous step forward in our fight to deliver on the promise of a 21st century online privacy regime that is equipped to protect kids and teens so they will no longer be manipulated or targeted by Big Tech.”

Several advocates, including the Center for Democracy and Technology’s Free Expression Project and NetChoice, express concerns that the proposed COPPA 2.0 bill could compromise the privacy of a much larger demographic as the definition of “child” becomes less clear, potentially extending data collection restrictions to users up to the age of 16. They argue this would necessitate age verification from a broader spectrum of individuals, leading to more complex and challenging implementation, such as a substantial rise in websites needing to verify the age of all their users and facial recognition technology.

COPPA 2.0 now heads to the full Senate. 

Resources for Parents