The Vulnerability and Protection of Student Data
Student data contains important information on minors and young adults, but the regulations protecting student data are not comprehensive.
Published by The Lawfare Institute
in Cooperation With
Editor's note: This article has been adjusted in a few locations; an earlier version incorrectly stated certain rights under FERPA.
The vulnerability of young American’s personal data online has received increased attention in recent times, including from President Biden, who in a Wall Street Journal opinion piece wrote:
[W]e need serious federal protections for Americans’ privacy. That means clear limits on how companies can collect, use and share highly personal data—your internet history, your personal communications, your location, and your health, genetic and biometric data …. These protections should be even stronger for young people, who are especially vulnerable online. We should limit targeted advertising and ban it altogether for children.
To address these concerns, Congress and various state legislatures have proposed (and in some cases adopted) measures to protect students’ data. For example, this year, the Texas state legislature passed the Texas Education Code and Florida passed the Student Online Personal Information Protection, both of which were designed to protect students’ privacy and increase data transparency. What’s more, members of Congress are advocating for increased privacy protections for minors with the Kids Online Safety Act, which would limit the harmful collection of minors’ data, as well as the College Transparency Act (CTA), which would create a national database to track college students’ professional success after graduation.
Data brokers—companies that specialize in collecting and reselling data—pose significant risks to American students. Despite assertions that they are not acting as consumer reporting agencies (which are companies that calculate credit scores), data brokers report student data for student loans (without the consent of the students in question), which can be purchased and used in the future (also without students’ consent) for credit reports and employment background checks. Data collected by these companies is often inaccurate, which could inflict financial harm in a number of ways, including lawsuits regarding credit discrimination and the potential for restricted employment opportunities.
To get a better understanding of the issue, I surveyed students. All 92 of the students I spoke with believed they should be given the opportunity to provide consent before their data is shared. Notably, however, most of them did not know how to verify their student data, which indicates that students were not adequately informed about what institutions had control over their student data and, therefore, could not give informed consent.
Policymakers can address these students’ sentiments and the vulnerability of their data in three ways: (a) by leveraging existing disclosure requirements under the Family Educational Rights and Privacy Act (FERPA) to increase the transparency of reporting student data, (b) by standardizing disclosure and opt-outs for sharing student data, and (c) by adopting privacy regulations that restrict commercialization of sensitive data and promote students’ ability to consent to sharing their data.
Data Brokers and Students’ Data
Within the data broker ecosystem are many companies collecting, marketing, and selling student data. For example, the data brokers Student List and National Research Center for College and University Admissions both settled with the Federal Trade Commission for deceptive practices of selling information collected from student surveys filled out in classrooms. These data brokers deceived schools by providing forms for student feedback to collect information on students and then subsequently secretly sold the students’ data without the schools’ approval. Search platform Scholarships.com, for example, collected sensitive data points from students, such as whether a student is or is associated with someone who experienced domestic abuse. According to a report by the Center on Law and Information Policy at Fordham Law School, information was likely sold to data brokers and used for marketing purposes.
The collection and sale of students’ data is happening on quite a large scale. ASL Marketing, a data broker that collects and sells student data, possesses a database of mailing addresses for over 5 million high school students. What’s more, a search on NextMark, a data broker that sells mailing lists, produced “748 list results for the search term ‘high school.’” Data broker Lake B2B sold lists of students “as young as two years old.” Additionally, the data broker Exact Data marketed lists of “fourteen and fifteen year old girls for family planning services,” which could be used to profile and target girls from unstable families.
Not all data broker and student data activities involve the sale of data to commercial entities. A major recipient of student data collected by these data brokers is the U.S. government. Student data and education statistics are integral to improving the quality of and access to education. However, the U.S. government’s current system relies on third-party data brokers to report student data from academic institutions to the Department of Education. National Student Clearinghouse, for example, reports data on 97 percent of students enrolled in postsecondary education to the Department of Education. The department uses this student data to measure the performance of academic institutions and process student loans. Each year, for example, National Student Clearinghouse adds 5 million students to the Department of Education’s National Student Loan Data System (NSLDS) that were previously missing from the department’s list.
While the collection of this data is especially helpful to the Department of Education, some of the current brokerage and transmission of data significantly harms students’ financial stability and privacy. In Sass v. Great Lakes Educational Loan Services, Inc., a group of students sued data brokers for inaccurately reporting millions of students’ financial data, which ultimately caused significant financial damage. As a result of the inaccurate reporting, students had decreased credit scores when they stopped paying back student loans (due to federal student debt payments being paused at the beginning of the coronavirus pandemic), which resulted in persistent difficulties obtaining credit. Data brokers did not accurately register that student loan repayments had been paused, worsening students’ credit scores. This inaccurate data can appear on students’ credit score reports or background checks and therefore worsen their financial conditions.
There have also been complaints about the lack of transparency for verifying student data. In Robinson v. National Student Clearinghouse, for example, students sued over what they had to pay to access their transcripts, arguing that the National Student Clearinghouse was acting as a consumer reporting agency and was subject to FCRA—and was therefore violating FCRA by overcharging students to access their information. The case was eventually resolved with a settlement that created a $1.9 million fund for the class-action members.
Student Survey
To gauge students’ understanding of their data privacy, I conducted a survey of college and university students. Students are often not informed effectively when their data is shared with third parties, which makes it hard for students to verify their personal information and correct inaccurate data. The results of the survey showed that the majority of students (over 95 percent) did not know that they could verify their student data on National Student Clearinghouse’s website.
As described above, National Student Clearinghouse processes data from educational institutions on 97 percent of enrolled postsecondary students and reports it to the Department of Education, loan holders, and Equifax, a credit bureau company. Despite not knowing how to verify their data, every student who responded believed that students should consent before their student data was shared.
The survey results indicate that students are not adequately informed about the transmission of their personal information. It is important for students to be informed effectively because it enables them to verify the accuracy of their data and exercise agency to protect their personal information. Diverging understandings of student data privacy emerge from the lack of transparency into current data brokerage practices. Students who do not know how to verify their personal data may incorrectly believe that their student data is secure because they are uninformed about data broker practices.
Student Data Brokerage and Existing Laws and Regulations
Existing federal laws and regulations do not effectively require transparency in the sharing of student data. There are three main federal laws that relate to the protection of student data—the Family Educational Rights and Privacy Act (FERPA), the Child Online Privacy Protection Act (COPPA), and the Fair Credit Reporting Act (FCRA). Although these laws contain important protections for data privacy, they have not enforced transparent and consistent practices for transmitting and protecting student data.
FERPA governs access to educational information and creates privacy protections for students and parents. The law also allows academic institutions to disclose student data without consent to “authorized third parties” and to release student directory information. More specifically, FERPA § 99.31 permits the disclosure of education records to a “contractor, consultant, [or] volunteer.” This stipulation allows schools to transmit student data to National Student Clearinghouse without attaining students’ or parents’ consent. FERPA § 99.3 also allows for the disclosure of “directory information” online, which includes a student’s name, address, telephone number, email address, date of birth, personal photograph, grade level, and enrollment status. A report from the World Privacy Forum found that only “51 percent of primary/secondary schools posted some form of annual FERPA notice online in a way that was available and accessible to the public.”
It is important for policymakers to recognize that, although FERPA requires disclosure of practices for reporting student data, many schools do not follow standardized or straightforward disclosure methods. This lack of standardized disclosure methods makes it challenging for students and parents to exercise control over their data. It also means that there are no uniform best practices for schools to comply with for reporting student data. FERPA § 99.37 requires that educational institutions give a “public notice to parents of students” if personal information on a student is disclosed. This requirement of public notice also applies to “eligible students” over the age of 18 (where the informing of their parents is not needed).
COPPA restricts the commercial collection of personal data from "children" (ages 12 and under). However, COPPA applies only to the collection of data directly from children ages 12 and under, and it does not protect information that is obtained by making inferences about students’ parents, using purchase histories, or using other identifiers. The language in COPPA prohibits “gathering of any personal information from a child,” which notably does not address information that can be collected from parents, schools, and other patterns that are not directly related to the individual. COPPA protects students under the age of 13 from direct online data collection, but it only regulates companies and does not apply to schools. The school can, however, consent for a student to sign up for an online service. A parent could also consent to sharing the student’s data. When the operator is exclusively using data for “the educational context,” schools can grant consent on behalf of parents. In public responses on the Vermont Data Broker Registry, National Student Clearinghouse, Equifax, and Experian all state that they collect data on minors, defined in Vermont as anyone under the age of 18. To protect the privacy of minors, students and parents should remain aware of the limitations in COPPA (in only protecting minors aged 12 and under) and be informed about what information their child’s school is disclosing on students and what information is collected by data brokers.
The FCRA, in turn, enforces standards to protect the privacy, accuracy, and fairness of consumer data used by consumer reporting agencies. The FCRA applies only to data brokers that act as consumer reporting agencies—which are defined as entities that engage in a “practice of assembling or evaluating consumer credit.” Many data brokers that transfer or commodify student data deny acting as consumer reporting agencies. Written in the settlement with James Robinson of Robinson v. National Student Clearinghouse, National Student Clearinghouse “vigorously denies … that it is a consumer reporting agency and that the FCRA … appl[ies] to it or its business practices.” If data brokers report student data to credit agencies (such as National Student Clearinghouse providing student data to Equifax), consideration should be given to determine whether student data brokers should be regulated under the FCRA—many of which are currently not.
Student data should be used in a way that protects student privacy. This includes schools having clear policies in place to manage how student data is collected, used, and shared. What’s more, schools should have systems in place to better and more comprehensively notify students of their right to opt out of disclosing directory information under FERPA § 99.37 to promote transparency and foster understanding between students and parents. Educational institutions benefit when students are aware of and consent to the use of their student data because it promotes trust. By informing students of different ways that student data can be used and ensuring that it is used in a way that is ethical and protects student privacy, educational institutions can use student data to improve student learning and academic outcomes.
Next Steps
There is currently no standard or best practice for notifying students about disclosure of their personal data. Students and parents should exercise their right under FERPA § 99.10 “to inspect and review the student’s education records” to verify that reports on their student data are accurate. Policymakers are able to promote these protections under FERPA by working with schools, students, and parents to create a best practice framework for communicating disclosure notifications and opt-out applications.
Federal agencies can also step in to address this issue. The Consumer Financial Protection Bureau (CFPB), for example, can and should enforce existing requirements for reporting accurate data under the FCRA. In 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act gave the CFPB rule-making authority under the FCRA. The CFPB is currently considering rules that “define a data broker that sells certain types of consumer data as a ‘consumer reporting agency.’” If the CFPB issued rules that classify student data brokers as consumer reporting agencies, then the FCRA would be more effective in regulating data brokers and protecting student data. FCRA § 623 prohibits “reporting information with actual knowledge of errors” and “reporting information after notice and confirmation of errors.” This regulation creates higher standards for ensuring accuracy in transmitting data. If the CFPB adopts rule-making that regulates student data brokers as consumer reporting agencies, then the existing protections under the FCRA would better protect student data.
There is also legislation that would help to protect students’ data specifically. The proposed America Data Privacy and Protection Act (ADPPA) increases protections for sensitive data, such as geolocation, health data, biometric information, government issued identifiers, among others. Part 27 B (ii) (II) (IV) of the bill prohibits using “publicly available information that has been combined with covered data,” which could restrict data brokers from matching students’ online yearbook data with sensitive personal information. This would help to make sure that students are informed of and have the opportunity to consent to the transmission of their personal information between different entities. In addition to the bill, student data can be protected in numerous ways, including by requiring disclosures from apps that collect personal information or surveys that resell the personal information of their users for profit.
***
Student data is extremely important. It contains information on young and maturing generations, and it forms the basis for decisions made about the education system. And it should be protected through standardized disclosure practices, oversight of the impacts it has on credit, and restrictions on the collection of data on minors and young adults.