How America is Dealing with Student Digital Privacy

A long history with much progress to be made.

How America is Dealing with Student Digital Privacy
Photo by John Schnobrich on Unsplash

Introduction

Technology has been ingrained into every major aspect of the modern American classroom. With one-to-one technology becoming more prevalent in schools, by the beginning of the COVID-19 Pandemic, one-to-one technology rose from ~66% before the pandemic to 90% after1. With this, as well as the utilization of online collaborative tools to facilitate this learning, it is no shock that community stakeholders found themselves concerned about how to keep students safe when using the internet on district-owned devices, as well as wondering who owns that actual data the students leave on various websites2. This ultimately left it to legislators to determine what these limits will be and how they will be implemented. By investigating the history and implementation strategies taken regarding student privacy, much can be gathered about how teachers, administrators, and parents alike can prepare for what I see as the future of student-related privacy regulations.

The Wild West of the Internet

Legislation regarding school-aged children online is certainly nothing new. In the mid-1990’s, the popular website KidsCom, a site directed to children ages 4 to 15 with games and activities, was obtaining a large amount of data on children through the use of surveys3. These surveys required children to answer questions regarding their “name, birth date, e-mail and home addresses, and product and activity preferences”4. An investigation was soon launched by the FTC, and ultimately pressured the site to inform parents of this data collection, otherwise legal action would be taken5. Thus in 1998, the U.S. Federal Government created and passed the Children’s Online Privacy Protection Act (COPPA). COPPA predominantly focused its attention upon the data that was collected of children (under the age of 13) who are browsing a particular website. More specifically, the law mandated that operators of websites directed toward children not only require a clear, written privacy policy, but also require these websites to obtain parental consent prior to the collection of any information of their child6. For those of you old enough to remember, COPPA was used to prosecute the insidious data collection of children from the cute purple virtual assistant "BonziBuddy" in the early days of the internet7. This, though, was simply the start of a much larger movement to regulate operators of child-oriented websites.

Thanks for reading The Weekly Planner! Subscribe for free to receive new posts and support my work.

The second most impactful piece of federal legislation came in 2001 with the Child Internet Protect Act (CIPA). While COPPA was much more concerned with the data collection of children online, CIPA attempts to restrict content deemed to be “obscene” from being seen by children8. As opposed to being directed at the website operators, this legislation is directed squarely at schools and libraries, who can supply children with access to the internet9. Here, accessing inappropriate content, providing safety measures for children communicating online, possessing security measures to prevent the child from “hacking” (whatever that implies apparently beyond the scope of the bill), as well as preventing the voluntary spread of a minors personal information online, were all ultimately the pillars of the act10. CIPA was the first earnest piece of legislation that attempts to keep students safe online, particularly in this wild west period of the internet where children could come into contact with almost anyone and anything. It ultimately opened wide the doors to legislation that puts the onus on education institutions to protect children online, and with CIPA and COPPA, public focus was placed directly onto schools, libraries, and companies to ensure that this happens. 

The Big Tech Era

blue and white logo guessing game
Photo by Brett Jordan on Unsplash

In the years to follow, the internet changed spectacularly into the world-wide behemoth it is today with the vast majority of the world connected in some form11. This Web 2.0 is effectively predicated upon large tech companies (for our purposes, we'll simply stick to Google) who set up platforms for users for free, in exchange for their data that can be sold to advertisers to create targeted ads. Over the last few years, there has been a decidedly large backlash to this from of data collection, which many are finding to be overtly intrusive12. This obviously led more educational stakeholders to question what data is being collected from these companies about students, who are effectively compelled to utilize these technologies given the rise of one-to-one technologies.

So it is no surprise that in 2014 where we begin to see one of the first state laws enacted which targets students specifically, and the collection of their data online. California became one of the first states to implement this type of law, entitled the Student Online Personal Information Protection Act (SOPIPA). Similar to COPPA, SOPIPA specifically focuses on data collection of students. It is in direct reaction to the rise in popularity of supplying students with one-to-one technologies (like tablets and laptops), and the software that Educational Technology (EdTech) companies create and sell to schools13. The legislation outlines EdTech companies cannot collect and utilize student data for the purposes of advertisement or sales, and requires these companies to properly encrypt the data that they do collect14.

SOPIPA is the logical extension of COPPA and CIPA before it, combining the need to address student online privacy from the angle of individual companies in an environment where parents and students would have little choice but to engage with this technology. SOPIPA broke major ground in this regard, and would establish itself as a model for future legislation. 

Since SOPIPA was created, nearly half of all states have developed their own student online privacy laws modeled directly off of California's SOPIPA. As a beguiling case study, the Illinois Senate recently created the Student Online Personal Protection Act (SOPPA) in 2017, which fully went into effect July 1, 2021. With such similar naming schemes, SOPIPA and SOPPA are unsurprisingly very similar to one another. SOPPA limits EdTech providers in the exact same method, using almost the exact same language, ensuring that student data collected by an EdTech provider is limited and not used for the purposes of advertisements and sales15

Given the backlash toward “Big Tech” in the previous decade and a half of legislation hitherto the creation of SOPPA, parents and policymakers in California set a large precedent over how to regulate these companies in an institution that parents around the country were evidently concerned about given the passage of COPPA and CIPA respectively. 

Policy Variability Leads to Huge Problems

A large problem with this legislation, though, is the local variability of the implementation of a law. Each and every district, with different sizes and funds, determines on their own the standards they must take to implement SOPPA, given that there is no unified method established to do so. Chicago Public Schools (CPS) serves as an interesting example of this. When SOPPA went into effect in July 2021, CPS created comprehensive guidelines taking the various stakeholders through what the district is doing to ensure that this act is followed. Here, parents have the ability to request what data a particular vendor collects on a student by filling out a “SOPPA request form,” and the parent should receive their copy of this information within 45 days16. Parents can outright request to delete certain student data by going through a similar process, but guarantees about the deletion are left ambiguous17. The district also outlines the responsibility of educators and administrators to comply with this process. Perhaps the largest process stems from the need for teachers to obtain SOPPA approval on any particular educational website. The request is given directly to the principal who applies for approval on the SOPPA website18. If a website is not approved, the school cannot use that website or software.

As the 2021 school year began, some CPS teachers were shocked to find that various educational sites were unable to be used, pushing them to readapt various modernized lessons19. For instance, Computer science website “Code.org,” as well as popular computer graphics software from Adobe were unable to be used20. Thus, there was a great deal of trepidation regarding how curricula based upon these online resources would be able to cope, and if they would need to be entirely redesigned21. From a student perspective, Megan Camacho, student at Lane Tech College Prep High School, wrote in a Chalkbeat article that the program used to create their online school newspaper was deemed SOPPA non-compliant, and therefore the district ceased payments to the website, taking away student’s ability to publish22. Meanwhile, other schools within Illinois were still more than able to use the same application23.

This is quite obviously a large pit fall of this form of legislation. As the law gets applied (and perhaps over-applied), students could theoretically robbed of valuable educational opportunities and resources that are not "approved". This is not even to mention that this legislation does nothing necessarily limit data breaches from taking place.

So what is the solution to this dilemma?

Clearly, better communication and more effective guidelines need to be put in place regarding the method of data-collection that is inherently inappropriate to be gathered by an EdTech company. EdTEch companies in turn need to ensure that only the bare minimum information is needed to use an educational program. In regard to the software SNO used by Camacho for The Champion, the website clearly states that they collect:

Why would an EdTech company need this information from their users? From the POV of any given stakeholder, this would appear to be incredibly intrusive.

An Ethical and Moral Obligation for Educators

Despite restricting data access to EdTech companies, SOPIPA and it's sister laws do not restrict “general audience Internet Web sites” and their potential collection of student data25. Thus, there is still copious amounts of data being collected on websites that are not officially considered to be an EdTech platform. Google for instance, can still collect and utilize student data for advertisements if/when students navigate from a Google Education app, to another website.

I am even of the strong opinion that there is an ethical and moral obligation to prevent students from seeing advertisements in an educational context. By simply installing an open-source adblocker onto each teacher and student's school sanctioned device, the amount of advertisements that students see (and trackers they come across) when using their device will be significantly lowered. There is simply nothing like showing your students an educational video on YouTube, only to have a 30 second ad run beforehand, advertising that cool new foot cream that you were looking up on Amazon while on your lunch break. There is much more to be said for this scenario, but I will leave it at that.

Ultimately, the creation of Student privacy regulation presents an incredibly tumultuous history. From its philosophical beginnings in the late 1990’s, to the foundational SOPIPA in California, it is clear that legislation regarding student online privacy will continue forth in the years to come. We are still in the early stages of wide acceptance of this type of legislation, and this will certainly not be the last piece of legislation that focuses on student online privacy moving forward. By taking this knowledge of this particular case, state legislators, school administrators, teachers, and parents alike can obtain a more robust and effective process in the inevitable event another amendment or law is required to protect students as we enter a rapidly changing technological future.

Thanks for reading! Subscribe for free to receive new posts and support this project!


  1. Bushwell, J. (2022, May 17). What the Massive Shift to 1-to-1 Computing Means for Schools, in Charts. Education Week. https://www.edweek.org/technology/what-the-massive-shift-to-1-to-1-computing-means-for-schools-in-charts/2022/05

  2. Black, L. (2014, September 28). Student computer use raises privacy questions. Chicago Tribune.  https://www.chicagotribune.com/news/ct-school-tablets-privacy-met-20140928-story.html

  3. Levin, T. (1997, July 16). FTC Staff Sets Forth Principles For Online Information Collection From Children. Federal Trade Commission. https://www.ftc.gov/news-events/news/press-releases/1997/07/ftc-staff-sets-forth-principles-online-information-collection-children

  4. Ibid.

  5. Ibid.

  6. Federal Trade Commission. (2020). Complying with COPPA: Frequently Asked Questions. https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions#A.%20General%20Questions

  7. Schwartzman, Jen (18 February 2004). ["UMG Recordings, Inc. to Pay $400,000, Bonzi Software, Inc. To Pay $75,000 to Settle COPPA Civil Penalty Charges"](http://www.ftc.gov/opa/2004/02/bonziumg.htm). _ftc.gov_. [Federal Trade Commission](https://en.wikipedia.org/wiki/Federal_Trade_Commission "Federal Trade Commission").

  8. Federal Communications Commission. (2019, December 30). Children's Internet Protection Act (CIPA). https://www.fcc.gov/consumers/guides/childrens-internet-protection-act

  9. Ibid.

  10. Ibid.

  11. Statista. (2022, September 20). Number of internet and social media users worldwide as of July 2022. https://www.statista.com/statistics/617136/digital-population-worldwide/

  12. Brenan, M. (2021, February 18). Views of Big Tech Worsen; Public Wants More Regulation. https://news.gallup.com/poll/329666/views-big-tech-worsen-public-wants-regulation.aspx

  13. Common Sense Media. (n.d.). Student Online Personal Information Protection Act (SOPIPA). Common Sense. https://www.commonsensemedia.org/kids-action/about-us/our-issues/digital-life/sopipa

  14. Ibid.

  15. Student Online Privacy Act, Pub. Act 100-0315, 2017 Ill. https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=100-0315

  16. Chicago Public Schools. (n.d.). Student Online Personal Protection Act. https://www.cps.edu/about/policies/student-online-personal-protection-act/

  17. Ibid.

  18. Ibid.

  19. Dey, S. (2021, November 1). CPS teachers ‘blindsided’ after access to popular classroom software yanked due to new student privacy law. Chicago Sun-Times. https://chicago.suntimes.com/education/2021/11/1/22749383/cps-soppa-student-online-personal-protection-act-students-data-privacy-public-schools-adobe

  20. Ibid.

  21. Ibid.

  22. Camacho, M. (2021, November 5). I’m a student journalist. A new privacy law is interfering with Chicago’s high school newspapers. Chalkbeat Chicago.  https://chicago.chalkbeat.org/2021/11/5/22765913/student-newspapers-chicago-soppa

  23. Ibid.

  24. SNO Sites. (2021, January 21). Privacy Policy. https://snosites.com/privacy-policy/

  25. Student Online Personal Information Protection Act, S. 1177, 839 (Cal. Stat. 2014). https://www.leginfo.legislature.ca.gov/faces/billVersionsCompareClient.xhtml?bill_id=201320140SB1177

Subscribe to the weekly planner

Sign up now to get access to the library of members-only issues.
Jamie Larson
Subscribe