FTC, Department of Education Announce Workshop to Explore Privacy Issues Related to Education Technology #00024

Submission Number:
00024
Commenter:
Rocio Baeza
State:
Illinois
Initiative Name:
FTC, Department of Education Announce Workshop to Explore Privacy Issues Related to Education Technology
Discussion Point: COPPA and FERPA both limit the use of personal information collected from students by Ed Tech vendors. What are the appropriate limits on the use of this data? Data use: Processed to render contracted services: Appropriate. An area of challenge here is defining what the contracted service is. It's oftentimes captured in general terms in service agreements. This results in 3rd party vendors being able to use collected data as they wish. Data use: Processed for internal reporting and/or data analytics: Appropriate only if fully anonymized An area of challenge here is setting this expectation and enforcing it with the appropriate teams. This expectation is usually lost after the contract negotiation process. Data use: Shared: Appropriate only to render contracted services The challenge on allowable use also applies here. Oftentimes, contracted services is not defined, making it difficult to identify if data is being used inappropriately. Data use: Sold: Appropriate only with explicit written consent from individual that the data is about (i.e. student) not the data controller (i.e. school or school district). Verifiable consent should be provided in layman terms, not hidden in Terms and Conditions, Terms of Use, or Privacy Policy Agreement. It may not be common knowledge that companies are happily capturing, selling and reselling information in the back end. More data helps them profile consumers and deliver better promotional material. However, consumers are oftentimes not aware that this is going on and that companies are profiting from the sale of their data. Consumers are oftentimes not aware of the data that an organization holds about them. Data use: Rented: Appropriate only with explicit written consent from the data owner. Verifiable consent should be provided in layman terms, not hidden in Terms and Conditions, Terms of Use, or Privacy Policy Agreement. It may not be common knowledge that companies are happily capturing and sharing data in the back end. Data brokers are collecting data, in exchange for free trials of their data reporting services. Companies that share their consumer's data aren't being transparent with this practice, as this is oftentimes hidden as jargon in the Privacy Policy. Data brokers are amassing large volumes of data, unbeknownst to the public, and oftentimes, not subject to any scrutiny of their security responsibilities. These issues are not specific to the EdTech space. These apply across various industries, including the FinTech space.