Buckle up. That white noise you heard around student data privacy in 2018 is about to be replaced with thunder.
Relative to the flurry of legislative activity seen in prior years, it was a somewhat measured year for student data privacy. There was a constant drumbeat around it that filled up whatever space was available amid preparation for the European Union’s (EU) General Data Protection Regulation (GDPR). While the pace of state student data privacy legislation drafted remained relatively high—clocking in at approximately 117 bills and 22 new laws—the reaction from districts and edtech companies alike was much more subdued than in the past four years, likely because the idea that over 100 bills would be drafted on any one topic in a year is no longer met with shock.
This year, it seemed that everyone was catching their breath. At least 43 states had already passed foundational student data privacy legislation and so focused on more thoughtful adjustments to existing laws, including addressing data protection obligations for third-party providers, unintended consequences and making technical corrections. In the meantime, industry and education institutions woke up to the fact that yes, there is a lot of work to be done, and no, there are no quick fixes to be made. It was a time to digest what had come and accept that this matter of student privacy is not going away.
Meanwhile, the Facebook Cambridge Analytica scandal broke, leading to congressional hearings and the start of the largest EU Data Protection Authority investigation of its kind to date. California passed a sweeping new privacy law, and calls for federal privacy regulation ramped up. Both the Federal Trade Commission (FTC) and the U.S. Department of Education faced questions about how their teams were enforcing existing privacy regulations, and hardly a week went by without news of yet another significant cybersecurity incident.
If it sounds like a perfect setup for renewed privacy activity in 2019, that’s because it is. Here’s what we can expect:
1. All eyes on the feds
The appetite for federal privacy legislation is growing. We’ve already seen a number of parties, including Sens. Ron Wyden (D-Ore.), Amy Klobuchar (D-Minn.) and John Kennedy (R-La.); Intel and 200 other companies, propose general consumer privacy legislation or frameworks for legislation, and expect to see more as Congress settles in after the new year.
2. Children first
When legislators focus on general consumer privacy, attention quickly turns to privacy of young people. Look for more discussions about providing individuals between the ages of 13 and 16 more control over their personal information, particularly related to collection of location data and rights of data erasure.
3. Hands off
What’s the best way to protect privacy and eliminate risk of a data security incident? Don’t collect the data in the first place. Data minimization is a fundamental privacy concept, already required under the Children’s Online Privacy Protection Act (COPPA) and GDPR. Similarly, the Family Educational Rights and Privacy Act (FERPA) requires that school officials only receive the data in which they have a “legitimate educational interest.” Data minimization is likely to be foundational in much of the privacy legislation in 2019.
4. States in action
Some of the states that didn’t pass student data privacy legislation in the past few years will likely engage in the coming year. Other states are expected to continue to refine and evolve their existing laws. There are too many factors at play to truly predict the first movers, but keep your eyes on Illinois, Minnesota and Pennsylvania, all of which had active discussions this year.
5. A new sheriff in town
At a recent congressional subcommittee hearing, the FTC heard some stern words about its appetite and bandwidth for enforcement of consumer privacy laws. At the same time, the Education Department has ramped up FERPA enforcement after a scathing report from the Office of Inspector General. The message is clear: enforcement is needed for laws to be effective.
All signs indicate that it’s going to be a big year for privacy, so the time to prepare is now.
Edtech companies and education institutions would be wise to prioritize their foundational privacy and security responsibilities. Start with a renewed focus on privacy by design and security fundamentals, including data minimization. While you’re at it, invest extra energy around transparency to build better partnerships and trust in your work. With solid fundamentals under your belt, you’ll be well-positioned to work with any changes the legislators bring your way.