FTC, Department of Education Announce Workshop to Explore Privacy Issues Related to Education Technology #00023

Submission Number: #00023
Rocio Baeza
Initiative Name:
FTC, Department of Education Announce Workshop to Explore Privacy Issues Related to Education Technology
In my experience, FERPA and COPPA are not sufficiently understood by EdTech providers. EdTech providers look to legal counsel to determine the laws that they need to follow. Legal does communicate these expectations to the business; however, the interpretation and understanding of these laws are inconsistent. EdTech leaders driving the business strategy expect the technology teams to enforce security requirements. Technology teams can enforce some requirements, but not all. This results in a gap that is presenting risk to children and students. This gap is not obvious to regulators, attorneys, business leaders, or EdTech providers. As a mom, privacy advocate, security consultant, and professional in the software development space, I see this gap, and it worries me. This is creating a compliance gap with the letter and spirit of these laws.

EdTech providers are struggling to understand FERPA and COPPA requirements, because the law is written in a way that is open to broad levels of interpretation. This is further complicated when interpreting it for data in a digital form. Here is an example: encryption. Many schools require EdTech providers to encrypt data to ensure the confidentiality of data. However, encryption can be applied at different levels, in transit and at rest, and this is not obvious to regulators, parents, or schools. This creates a disconnect between what we are requiring from EdTech providers and what is actually being implemented by the EdTech providers.

Let's further explore this example. Encryption can be applied in transit: when data travels from a computer to a server. Technology can handle this. However, data also travels within an EdTech environment (e.g., employee laptops), and it's usually not encrypted. Take for example the Sales or Marketing team pulling reports. It's common to email these reports, unencrypted. In this case, student data is in transit, but employees may not be aware of the encryption requirement. They assume that IT has handled that, when in reality the team member has a level of responsibility.

Encryption can also be applied at rest: when data is stored at the database level. Technology can handle this. However, it creates performance issues. It's common for tech companies not to encrypt data at rest. However, organizations are "technically" complying with the encryption requirement, because the requirement (i.e., the terms in the agreement) doesn't specify at what levels the encryption needs to be applied.

I hope this illustrates the challenges an EdTech provider faces in understanding COPPA and FERPA. I hope it also highlights the importance of implementing technical, procedural, and training measures to fully comply with the letter and spirit of the law. We shouldn't expect regulators to have a technical background, but we can easily build a committee that helps ensure that laws are written in a way that is understandable and actionable by EdTech providers. This way, EdTech providers can understand the expectations and make an informed decision about their ability to comply.