More federal and state policymakers are focusing on addressing data privacy, especially for children, because of increasing concerns about how companies collect and sell user information and how that affects users’ mental health.
Congressional lawmakers have introduced several data-privacy bills, some of which deal directly with children’s online privacy. At least 15 states have enacted comprehensive data-privacy laws since 2020, while other states either have narrower laws or have at least introduced data-privacy laws during the current legislative session, according to Bloomberg Law.
The problem with some of those policies, according to school data-privacy experts, is they don’t always consider how day-to-day school operations would be affected. Schools use student data to support decisionmaking, to personalize learning, and for better reporting as required under federal and state laws.
In an April 15 webinar hosted by the Software & Information Industry Association, data-privacy experts discussed three bills Congress is considering and their implications for K-12 schools. The experts were: Amelia Vance, the founder and president of nonprofit advocacy organization Public Interest Privacy Center; Kristin Woelfel, a policy counsel for the Center for Democracy and Technology, a nonprofit that advocates online civil liberties; and Sara Kloek, the vice president of education and children’s policy at SIIA, a trade association for technology companies.
The Kids Online Safety Act
The Kids Online Safety Act, or KOSA, was first introduced in the Senate by Sens. Richard Blumenthal, D-Conn., and Marsha Blackburn, R-Tenn., in February 2022. It failed to pass during that session, so the lawmakers reintroduced the bill in May 2023. As of April 2024, the bill has 67 co-sponsors in the Senate.
KOSA would require certain online platforms to provide children with options to protect their information, disable addictive features, and opt out of personalized recommendations. Those platforms would also be required to design and operate their products in ways that prevent or mitigate negative effects on children, such as mental health disorders, bullying, and sexual exploitation. The bill would apply to any “online platform, online video game, messaging application, or video streaming service that connects to the internet and that is used, or is reasonably likely to be used, by a minor.” It exempts internet service providers, email services, educational institutions, and other specified entities from the requirements.
“This bill seems to be in response to a lot of attention around social media and impacts that it has been suggested to have on kids,” Woelfel said. “I don’t think KOSA was intended to interfere with any K-12 education services.”
However, because the definition of which platforms are covered under the bill is “very broad, it essentially would almost certainly cover a lot of ed-tech platforms,” she said.
Given that the bill would give children and caregivers the right to opt out and modify personalized recommendation systems, it could affect personalized learning software schools use to provide curated lessons and facilitate individualized learning, Woelfel said.
It would “frustrate the purpose of that technology and undermine a core function of the school,” she added.
Children and caregivers would also be able to delete accounts, which under the current language could be applied to ed-tech platforms hosting student data, such as assessments, grades, and attendance. In turn, that could “threaten the integrity of academic records,” Woelfel said.
Children and Teens’ Online Privacy Protection Act
The Children and Teens’ Online Privacy Protection Act, or COPPA 2.0, would amend the original Children’s Online Privacy Protection Act of 1998. Sen. Ed Markey, D-Mass., first introduced the revised measure in May 2021 and reintroduced it in May 2023. As of April 2024, it has 17 co-sponsors in the Senate.
The bill would build on the 1998 law. It would prohibit online platforms from collecting personal information from users who are 13 to 16 years old without their consent (the current law only applies to children under 13), ban targeted advertising to children, and require companies to allow parents and children to erase their personal information from the platforms.
Under the proposed updates to COPPA, schools would no longer need to get parental permission to use ed tech in classrooms. COPPA 2.0 would enable schools to consent on behalf of their students to provide access to ed-tech platforms schools have thoroughly vetted and with which they have entered into contracts.
This update is a step in the right direction for superintendents, said Vance, who also heads the Student and Child Privacy Center for AASA, the School Superintendents Association.
At least 11 education organizations—including the superintendents group; American Federation of Teachers; National Education Association; and the Council of the Great City Schools—have endorsed the legislation.
Woelfel, however, notes that the definition in the bill is limited to public schools and argues that policymakers should make it broader to include private schools as well.
American Privacy Rights Act
The American Privacy Rights Act, or APRA, was introduced earlier this month by Rep. Cathy McMorris Rodgers, R-Wash., and Sen. Maria Cantwell, D-Wash. It would establish a framework for uniform national data-privacy rights for Americans and would hold companies accountable by mandating strong data-security standards.
Similar to KOSA and COPPA 2.0, APRA would have special protections for children younger than 17 years old, so it could have implications for schools.
The bill says that schools wouldn’t be required to delete data that would interfere with education services, but it doesn’t provide protections for contractors that schools might hire to provide an educational service, the panelists said.
The measure would also require any organization that uses algorithms for “consequential decisions related to housing, employment, education, health care, insurance, credit, or access to places of public accommodation” to offer consumers a right to opt out.
Woelfel said she’s concerned about what that would mean for schools if students and families could opt out of ed tech that schools use for day-to-day operations. For instance, if a district uses an adaptive learning software, and students and parents could opt out, then it could undermine teachers’ ability to facilitate personalized assignments for students.