Not a Lexis Advance subscriber? Try it out for free.
LexisNexis® CLE On-Demand features premium content from partners like American Law Institute Continuing Legal Education and Pozner & Dodd. Choose from a broad listing of topics suited for law firms, corporate legal departments, and government entities. Individual courses and subscriptions available.
Reaching a Congressional Consensus Will Likely Require Additional Deliberation
As summarized in this Alert, the congressional proposals introduced thus far take very different approaches to addressing how to protect the privacy of student data.
During the current 114th U.S. Congress, a variety of House and Senate bills have been introduced that propose different approaches to addressing the growing bipartisan concern about protecting the privacy of student data (below, "Personally Identifiable Information" or "PII"). The bills address PII maintained by public and private educational institutions and state educational agencies and, in some cases, PII maintained or accessible by technology service providers or other third parties doing business with these educational entities.
Consensus regarding how and whether to increase federal mandates and penalties concerning protection of PII has not yet been reached, but awareness exists that student PII, whether for K-12 students or older, is becoming increasingly vulnerable to unauthorized disclosure or misuse, in particular for marketing purposes. Another concern is that the Family Educational Rights and Privacy Act (FERPA)—the primary federal statute designed to protect private student information—may not be adequate to respond to technological changes in how PII is stored, shared and accessed, although how and whether to amend FERPA to address this concern is far from settled.
As summarized in this Alert, the congressional proposals introduced thus far take very different approaches, including establishing a study commission to develop legislative proposals with the input of the government and the private sector; imposing additional regulation on K-12 technology service providers; and strengthening and updating FERPA, with or without enhanced governmental and private enforcement mechanisms to incentivize compliance by educational institutions and service providers.
Approach 1: Establishment of a Study Commission
Not later than 270 days after the date of enactment, the Committee would prepare and submit a report to the Secretary of Education and to Congress containing the findings of the study.
A House counterpart to S. 1177 passed in the House in July. This bill, H.R. 5, or the "Student Success Act," contains a "sense of Congress" provision, stating that the Secretary of Education has the responsibility to ensure every entity receiving federal funding under the Act holds PII in "strict confidence" and states that the Secretary should review regulations and ensure all PII is protected. The House bill, therefore, appears to urge the Secretary to more vigorously enforce current law.
In sum, both S. 1177 and H.R. 5 advocate a relatively modest approach to protecting student data privacy. These approaches would avoid establishing a new federal regulatory regime for student data privacy. The bills need to be conferenced, and it remains to be seen whether the proposals will make it into the final law in any form.
Approach 2: Target Operators Providing Certain Technology Services to K-12 Educational Institutions
Another approach that takes a direct aim at online applications used or designed and marketed for K-12 education purposes is set forth in a bill pending in the House Education and the Workforce Committee and the House Energy & Commerce Committee. The Student Digital Privacy and Parental Rights Act of 2015, H.R. 2092 [Rep. Messer (R-Ind.) and Rep. Polis (D-Colo.) co-sponsors], a counterpart to S. 1788, applies to any entity (other than an educational agency or institution) that operates Internet websites; online services, such as cloud computing services; online applications; or mobile applications that are used for K-12 purposes and were designed and marketed for K-12 purposes (defined as "operators" in the Act). The legislation would, among other things:
Approach Three: Amend FERPA to Strengthen Student and Parent Protections and Enhance FERPA Enforcement Mechanisms
The remaining approaches all involve proposed amendments to FERPA.
1. The Student Privacy Protection Act, H.R. 3157 [Rep. Rokita (R-Ind.), Rep. Fudge (D-Ohio), Rep. Kline (R-Minn.) and Rep. Scott (D-Va.)] was introduced on July 22, 2015, and referred to the House Education and the Workforce Committee. The bill applies to public and private elementary and secondary schools, local educational agencies and institutions of higher education, as well as to education service providers defined as any provider other than a school official or employee of services developed and targeted to students for an educational purpose, whether specifically marketed to schools, institutions of higher education, educational agency or institutional employees or officials, or other individuals primarily engaged in the provision of educational services. The bill would, among other things:
2. The Protecting Student Privacy Act of 2015, S. 1322 [Senator Markey (D-Mass.), Senator Hatch (R-Utah) and Senator Kirk (R-Ill.)] was introduced on May 13, 2015, and referred to the Senate Committee on Health, Education, Labor and Pensions. The bill applies to educational agencies and institutions, including local educational agencies, receiving federal funding and to any "outside party"—meaning "a person that is not an employee, officer, or volunteer of the educational agency or institution or of a Federal, State or local governmental agency and includes any contractor or consultant acting as a school official or authorized representative or in any other capacity." Among other things, the bill would:
It is important to note that the bill's enforcement mechanism is tied solely to federal funds access and would thus place the burden on educational entities to ensure outside party compliance with the law.
3. The Student Privacy Protection Act, S. 1341 [Senator Vitter (R-La.)], was introduced on May 14, 2015, and referred to the Senate Committee on Health, Education, Labor and Pensions. The bill applies to educational agencies or institutions as currently defined in FERPA and defines "student data" as "information about a student collected and maintained by an educational agency or institution, by a person or third party collecting or maintaining such information through the active intervention, facilitation, or authorization of such agency or institution, or by a person or third party acting for such agency or institution."
The legislation would:
This legislation would likely place greater responsibility on educational institutions to require compliance with the law by third parties with access to PII and includes a private right of action for violations.
About Duane Morris
Duane Morris is tracking activity in Congress on these bills as it pertains to educational institutions and the technology service providers that work with them.
For Further Information
If you have any questions about this Alert, please contact Katherine D. Brodie, Michelle Hon Donovan, Alison Haddock Hutton, John M. Neclerio, any of the attorneys in our Education Practice Group or the attorney in the firm with whom you are regularly in contact.
© 1998-2015 Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.
Read more legal alerts and updates at the Duane Morris website
For more information about LexisNexis products and solutions, please connect with us through our corporate site.