June 8: Child & Student Privacy News

There's been significant movement in the student and child privacy world and we’ve dug into the details so you don’t have to - read on for the highlights.

There's been significant movement in the student and child privacy world and we’ve dug into the details so you don’t have to - read on for the highlights. If we missed anything or if you would like to see something mentioned in the next stakeholder alert, reach out and let us know!

Best, 

Morgan, Amelia, and Katherine (the PIPC team)

---

Coming Soon:

• The third and final webinar of the joint AASA and PIPC series, Fixing Student & Child Privacy: Practical Solutions, is next Tuesday, June 13, at 1 PM ET. The webinar will consist of a panel of experts discussing what is missing in existing student and child privacy laws and how those laws could be improved. You can register for the final webinar here. Miss our first two webinars? You can now watch them on YouTube:

  • Fixing Student & Child Privacy: The Current Landscape

  • Fixing Student & Child Privacy: Balancing Student Privacy & Wellbeing

News:

• “Students’ psychological reports [and] abuse allegations leaked by ransomware hackers” following Minneapolis Public Schools data breach. In this article from The 74, I discuss the harms of having this sensitive information, and such a large volume of  the records, widely available on the internet.

• You should be aware of a recent article from EdSurge, “As Number of Edtech Providers Grow, Some Say Student Privacy Needs a Reset”, which posits the question: “rather than forcing edtech companies to get better at handling data, what if schools just kept them from accessing data in the first place?”

• An investigation by the Markup claims that Wisconsin’s Early Warning System (DEWS) generated “false alarms about Black and Hispanic students at a significantly greater rate than it does White students.” Relatedly, a major research study found the system to be “no better than a random allocation of the intervention” at the individual school level, despite being “highly accurate when evaluated across the entire population of students in Wisconsin public schools.”

• Students were briefly denied diplomas after a professor asked ChatGPT if it generated their essays - and the AI inaccurately said yes.

• The Office of Science and Technology Policy (OSTP) released a Request for Information (RFI) about national AI priorities and future actions - specifically asking for input about AI’s impact on education. Responses are due by July 7.

• New FERPA regulations are (allegedly) on the horizon! In announcing the creation of “an interagency Task Force on Kids Online Health & Safety”, the White House said “The Department of Education will promote and enhance the privacy of minor students’ data and address concerns about the monetization of that data by commercial entities, including by planning to commence a rulemaking under the Family Educational Rights and Privacy Act (FERPA).”

• Additionally, there was a surge of other activity in the child and student privacy world at the end of May, including a major conservative think tank saying they believe KOSA and COPPA 2.0 will enable restrictions or bans regarding LGBTQ+ content; the FTC filing a brief stating COPPA doesn’t preempt state privacy laws that are consistent with COPPA; and the White House and ED announced multiple new AI efforts, including guidance for education stakeholders on AI. For more on these, see our recent blog.

Legislative Landscape:

STATE CHILD PRIVACY BILLS

• PASSED: Connecticut SB 3 (includes elements from the age appropriate design code)

• PASSED: Florida Digital Bill of Rights (includes elements from the age appropriate design code in Section 2) For an in depth analysis of this bill, check out FPF’s recent publication and accompanying comparison chart

• PASSED BUT CHALLENGED: California (the NetChoice lawsuit to block the California Age Appropriate Design Code from coming into effect) 

• PASSED: Montana (a bill banning TikTok, effective January 2024, and a comprehensive consumer privacy law, though it only includes a couple child privacy provisions).

• PASSED: Utah (passed two sweeping child technology bills on social media access and use by minors)

• PASSED: Arkansas Social Media Safety Act (which is becoming more and more infamous for which companies are probably exempt from the law, including YouTube, Twitch, and TikTok)

• PENDING SIGNATURE: Texas Data Privacy and Security Act (only includes a couple child privacy provisions)

• PASSED: Indiana SB5, Iowa Consumer Data Protection Act, and Tennessee Information Protection Act (only include a couple child privacy provisions)

• PASSED: Washington State 'My Health, My Data' Act (though it doesn’t have child-specific mandates, the law’s massive new legal requirements and protections for all consumers will impact child and student privacy stakeholders)

• Also noteworthy: state age appropriate design code copycats failed to pass in NY, MN, NV, MD, and NM, BUT New York has full-time legislators and can meet throughout the year after adjourning their regularly scheduled sessions.

Strong appreciation to Husch Blackwell’s 2023 State Children’s Privacy Law Tracker, Keir Lamont’s must-subscribe newsletter “The Patchwork Dispatch,” and Tech Policy Press’s “144 State Bills Aim to Secure Child Online Safety As Congress Flounders.”

Federal Child Privacy Bills:

• Children and Teens' Online Privacy Protection Act (COPPA 2.0) - S. 1418, Sponsor: Markey

  • Status: Read twice and referred to the Committee on Commerce, Science, and Transportation

• Clean Slate for Kids Online Act - S. 395, Sponsor: Durbin

  • Status: Read twice and referred to the Committee on Commerce, Science, and Transportation

• Protecting the Information of our Vulnerable Adolescents, Children and Youth Act (Kids PRIVACY Act) - H.R. 2801, Sponsor: Castor

  • Status: Referred to the House Committee on Energy and Commerce

• Kids Online Safety Act (KOSA) - S. 1409, Sponsor: Blumenthal

  • Status: Read twice and referred to the Committee on Commerce, Science, and Transportation

• Protecting Kids on Social Media Act - S. 1291, Sponsor: Schatz

  • Status: Read twice and referred to the Committee on Commerce, Science, and Transportation

• Making Age-Verification Technology Uniform, Robust, and Effective Act (MATURE Act) - S. 419, Sponsor: Hawley

  • Status: Read twice and referred to the Committee on Commerce, Science, and Transportation

• Parental Data Rights Act - S. 564, Sponsor: Hawley

  • Status: Read twice and referred to the Committee on Commerce, Science, and Transportation

• Strengthening Transparency and Obligations to Protect Children Suffering from Abuse and Mistreatment Act of 2023 (STOP CSAM Act) - S. 1199, Sponsor: Durbin

  • Status: Placed on Senate Legislative Calendar under General Orders. Calendar No. 69

• Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act) - S. 1207, Sponsor: Graham

  • Status: Placed on Senate Legislative Calendar under General Orders. Calendar No. 70

• Parents Bill of Rights Act (PBOR) - H.R. 5, Sponsor: Letlow

  • Status: Received in the Senate and Read twice and referred to the Committee on Health, Education, Labor, and Pensions

• Federal Social Media Research Act - S. 410, Sponsor: Hawley

  • Status: Read twice and referred to the Committee on Health, Education, Labor, and Pensions

• Privacy in Education Regarding Individuals' Own Data Act (PERIOD Act) - H.R. 951, Sponsor: Schiff

  • Status: Referred to the House Committee on Education and the Workforce

Lots of Action at the FTC:

• The “FTC Says Ed Tech Provider Edmodo Unlawfully Used Children’s Personal Information for Advertising and Outsourced Compliance to School Districts.” For analysis of how this may change the current COPPA interpretation that allows school districts to contract with edtech companies, see our recent blog post.

• The “FTC and DOJ Charge Amazon with Violating [COPPA] by Keeping Kids’ Alexa Voice Recordings Forever and Undermining Parents’ Deletion Requests.”

• Meta “asked a federal court to block the [FTC]’s attempt to impose new sanctions on the company for alleged privacy violations” in proposed changes to Facebook’s 2020 consent order. Proposed changes include prohibiting Meta “from profiting from data it collects, including through its virtual reality products, from users under the age of 18” and expand limitations for Meta’s “use of facial recognition technology.”

• The “FTC Will Require Microsoft to Pay $20 million over Charges it Illegally Collected Personal Information from Children without Their Parents’ Consent” and “makes clear that avatars and biometric and health data are protected under COPPA.”

Resources:

• Actionable Intelligence for Social Policy published a new consent brief entitled “Yes, No, Maybe? Legal & Ethical Considerations for Informed Consent in Data Sharing and Integration.” The brief explores the legal, ethical, and practical challenges of consent in data sharing and integration. Are you from a public agency and want more resources on integrated data systems? Remember to check out our partner, the new Data Integration Support Center at WestEd (and stay tuned for a special integrated data system-focused newsletter next week!).

• The 5Rights Foundation published “Child Rights By Design: Guidance for innovators of digital products and services used by children”, a report “explain[ing] the 11 Child Rights by Design principles and match[ing] them with practical advice for innovators”. The website also has an accompanying interactive tool.

• USED issued “Family Educational Rights and Privacy Act: Guidance for School Officials on Student Health Records” and “Know Your Rights: FERPA Protections for Student Health Records,” two new guidance documents about FERPA, with a particular focus on student health records. 

---

Were you forwarded this newsletter? You can subscribe here: