A bill to protect student online privacy has passed both houses of the NC General Assembly and has been sent to the Governor for signature.
SB 632 (Protect Student Online Privacy) was ratified last Friday.
The bill places requirements on the business providing an online app or data service used in North Carolina schools with regard to Personally Identifiable Information (PII). In other words, the onus is placed on the company, instead of the district or the Department of Public Instruction.
Operators of such online apps or services must use all available and appropriate practices to protect PII. They also will be required to delete any student information within 45 days upon request of the school, local board of education or if services are completed.
Data mining kids is a very big and lucrative business. Parents, in my experience, are relatively clueless on just how many third parties sell information about their children.
This bill has one really good thing going for it that many other privacy bills do not have. It has consequences.
“A parent, K‑12 school, teacher, local board of education, or the State Board of Education may report an alleged violation of this section to the Attorney General. The Attorney General, upon ascertaining that an operator has violated this section, may bring a civil action seeking injunctive and other equitable relief.”
The bill is a good start, but leaves wiggle room on the part of businesses engaged in online educational services in the state.
The problem will come in determining just how private companies might be violating SB 632 if the public can’t see what data is involved or what is being collected.
The bill lacks the posting of any data contracts entered into or requirements to reveal what data items are collected.
I spoke with Cheri Kiesecker, a Colorado mom who has become an expert on the data mining and data collection going on in education.
Mrs. Kiesecker was featured in an article at the Washington Post which drew a lot of attention to the amount of data being collected on students. Parents would do well to read some of her recent articles at Missouri Education Watchdog.
I’d also recommend checking out Jane Robbins. She’s been on top of the invasive data collection and tracking of students for some time now.
Kiesecker made the following observations about SB 632:
On page 4 with regard to general audience:
(3) [does not apply to] Apply to general audience Internet Web sites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator’s site, service, or application may be used to access those general audience sites, services, or applications.
Kiesecker said that this means Google (or whatever app/program is being used) can data mine the kids as soon as they leave an imaginary ‘safe zone’.
Pages 3 and 4 are all exemptions. Here are a few:
(4) Except as otherwise provided in subsection (d) of this section, disclose covered information unless the disclosure is made for the following purposes:
a. In furtherance of the K-12 school purpose of the site, service, or application, if the recipient of the covered information disclosed under this sub-subdivision does not further disclose the information unless done to allow or improve operability and functionality of the operator’s site, service, or application.
b. To ensure legal and regulatory compliance or protect against liability.
c. To respond to or participate in the judicial process.
d. To protect the safety or integrity of users of the site or others or the security of the site, service, or application.
e. To a third party for a school, educational, or employment purpose requested by the student or the student’s parent or guardian, provided that that information is required not to be used or further disclosed by the third party for any other purpose.
f. To a subcontractor, if the operator contractually prohibits the subcontractor from using any covered information for any purpose other than providing the contracted service to or on behalf of the operator, prohibits the subcontractor from disclosing any covered information provided by the operator with subsequent third parties, and requires the subcontractor to implement and maintain reasonable security procedures and practices. This sub-subdivision does not prohibit the operator’s use of information for maintaining, developing, supporting, improving, or diagnosing the operator’s site, service, or application.
After speaking with Mrs. Kiesecker, I made the following suggestions (below) to the Senate Ed Committee Chair, Chad Barefoot, but I was too late. Perhaps there can be amendments or a companion bill down the road.
- A full list of all sources and their subsets for parental inspection.
- Inclusion of the posting of contracts for data services, including privacy agreements.
- Mandatory notification of parental rights by DPI regarding data & penalties for not providing it.
- Curbing the general exemptions such as the general audience items. It has already been proven that Google’s Chromebook is built to mine data off of student activity.
On a separate note, it would be welcomed by many parents if we could get someone to run an Opt Out bill for both testing AND data collection, but those two alone constitute a whole other article.