How to keep online advertisers away from your kid’s grades, detention records, and yearbook photos

Make sure she knows how to keep her data secure.
Make sure she knows how to keep her data secure.
Image: AP Photo/Jacquelyn Martin
We may earn a commission from links on this page.

When it comes to the US public education system, big data is already firmly entrenched. School districts know what your child scored on all her tests, how many days she has been absent from school, whether your income qualifies her for subsidized meals. A company that provides educational services for the school might know what category of math problem she struggles with, and exactly how much time she spent trying to figure out a particular equation.

Much of this information is used to inform and improve what happens in classrooms. But the process also gives rise to a whole host of parental concerns: Can future employers or banks look at my child’s elementary school performance as an indicator? Can advertising companies buy my child’s data to target advertising at him?

There’s a limit to how much control we have over how our children’s data are used. But here are a few things a concerned parent in the US public school system can do:

Know what data are being stored, and where

The types of data that schools are storing can be separated into three major categories, according to a new report on student data (pdf) from the Future of Privacy forum.

  • Administrative: This is the basic, personal information that parents provide to the school district—name, date of birth, address, social security number, medical or dietary restrictions, whether a student qualifies for subsidized meals, disciplinary action. This information used to be stored on paper in filing cabinets, but now is moving online. Schools are increasingly keeping these records in remote, centralized locations.
  • Education measurement:  These are the data collected about your child’s performance. It might include test scores, recorded on a program like Pearson’s SchoolNet, which keeps track of a child’s progress through grades and even notes. This information is being used to track both your child’s progress and her teacher’s efficacy—including his attendance and preparation. School districts might contract with a vendor to collect the information, because there’s a lot of it and the schools don’t have the infrastructure to store, secure and analyze it all.
  • Instructional: As educational technology enters the classroom in the form of iPads and cloud-based learning, the information gathered on your child might include email records and Google Docs, which students can use for assignments. As more students begin to use apps for learning, there is also the question of whether the companies behind the apps are selling data to advertisers, and whether the internet connections are secure.

What parents can do about the data: You have the right to see information, and dispute it if it is incorrect, under the national Family Educational Rights & Privacy Act (FERPA). FERPA protects a student’s identifiable information from being distributed to anyone other than a school official under almost all circumstances, but allows schools to disclose some information for things such as yearbooks and school directories. That information can include name, address, telephone, email, photograph, date and place of birth, honors, and awards. You can opt out of allowing that directory information to be used by sending a letter to the school.

FERPA protects “permanent” records from distribution, but what is included in those records is often up to the school district. If you have a problem with what your school district defines as “permanent,” you can take it up with the school board.

Advocate for common-sense measures in the classroom

Some cloud-based learning platforms can be secured in the classroom. For example, Google Doc settings should be private, so nobody outside the intended audience (students, teachers, maybe parents) can access documents such as homework and assignments, says Henry Thiele, the assistant superintendent for technology & learning for Maine Township district 207 (which is located in Illinois). Additionally, classrooms using iPads, cloud-based programs or apps should have generic usernames and passwords so that the app can’t identify and profile a student individually. That way the app company wouldn’t know, for example, that a specific child answered a certain number of questions correctly, or how long the mouse hovered on a problem.

What parents can do: First of all, confer with your child and her teacher directly to make sure these basic protections are in place. Next, some good questions ask her teacher are “What’s the instructional information that you collect on my child?” and “How is it being used to help my child?” suggests Thomas Murray, a former school district administrator in Pennsylvania who is now at the DC-based education advocacy group the Alliance for Excellent Education

The federal Children’s Online Privacy Protection Act (COPPA) requires parental permission to sign up a child under the age of 13 for an instructional/cloud-based appthat has a username/password. This might come in the form of a permission waiver at the beginning of the year. Read the waiver, and if you have questions about it, clarify with the school. If your child is older than 13 and you’re unhappy with the practices in the classroom, or if you notice these common sense measures aren’t being enforced, raise those concerns with the teacher or principal, suggests Murray. Because educational technology is new and growing so quickly, school’s practices may lag a little bit behind the technology.

Find out who owns the data

The contract that your child’s school signs with an outside vendor should specify that the school or school district owns the data. For example, if a school assigns email addresses to the students, what happens to those email accounts, and their content, when the student graduates? They should be deleted.

It’s also important to know what happens to the data if the contract with a vendor ends or the school switches vendor. Does that information get deleted? Is it backed up anywhere? What happens to the backup? If an outside vendor has the data, can it sell information to advertisers for marketing purposes?

FERPA was passed in the 1970’s, so it doesn’t specifically address online vendors. But many states have passed bills (here’s a handy map) that regulate ed tech privacy policies. Most of these states put the responsibility on the school district to prevent identifiable student data from being used for any purpose other than education, such as advertising. (For example, many schools give students a few months after graduating to review their school-created email accounts and take what they’d like, and then they delete the accounts, Thiele says.) California, however, recently became the first state to put the burden on the tech companies rather than the schools.

What parents can do:  Not a lot, once the school district’s vendor contracts are in place. The most effective way to have a say in your child’s privacy is to get involved early, when the school board is discussing vendors and negotiating contracts. The bids and contracts themselves are all public information and subject to public comment at school board meetings. School boards are required to post their meeting agendas beforehand and their minutes publicly, and if you can’t attend a school board meeting, you can submit comments via email.

Ask how the data are being used

Schools don’t always have to ask your permission for collecting data—that would be hugely burdensome—but there is an increased demand for labeling educational technologies for parents in a way that helps them understand their use, according to a recent study from Harvard. Many companies are trying to get out ahead of this: Google has a page devoted to reassuring parents that their kids’ data are safe. (This became especially important after Google was slammed for scanning and providing targeted ads to students using Gmail, if they turned on advertising. Students using Gmail through their school now no longer have that option.) Khan Academy, the hugely popular education nonprofit, promises in its privacy notice, “We do not sell your personal information to third parties.”

What parents can do: Again, your options are limited once contracts are in place, but schools should monitor what apps and resources they’re using to avoid those that collect and share user information. You can advocate at the school or school board level for more transparency about what is being collected, and cite other school districts or companies, like the ones above, as examples. You can also look to private initiatives like the Student Privacy Pledge, which companies including Microsoft (but not Apple, Google, or Pearson) have signed, promising not to sell students’ information or to use it for anything other than educational purposes.

Ask to see the audit on data and network security

Your child’s permanent record is just that—permanent. Those records, the ones that include your child’s name, date of birth, transcript, etc., are increasingly being stored online or through security vendors. The information is protected by FERPA, but recent security breaches have raised concerns that the information is not being protected properly.

There should be very few people with access to a student’s information, and the networks on which the data are being stored should be secure (pdf). A number of states and school districts require periodic data and network security audits to make sure students’ permanent records and personal information are being stored securely, and that their internet connections are not vulnerable. For example, Thiele’s district in Illinois goes through a yearly audit to make sure it is up to date with industry standards on protecting data.

What parents can do: Once again, this is not an issue that can be addressed in a parent-teacher conference. If you’re concerned about this, ask to see your district’s audit on data and network security. If there is no audit, find out if your state or school board requires one. If there is no law or school district rule on the books, Murray says the best way to effect change is to demand it, and to elect school board members who will put a system in place. “The parent influence,” he says, “is electing school board members through voting.”

Don’t go overboard about privacy, but do talk to your child about it

Keep in mind that not all information-gathering is problematic. Much of it helps teachers and schools to provide individualized support to students, as well as to improve instruction systemwide. It’s just important to ensure the information is being used the right way.

It’s also important to note that schools are not the only place your child’s personal information could be harvested by advertisers—in fact, as this becomes a greater part of the national conversation, schools and companies are ramping up their efforts against it, so actually a computer at school may be safer than your own iPad at home. Any time a child inputs her information to play a video game or to sign up for a website, she is giving away information about herself.

What parents can do: Talk to children from a young age about what is and is not appropriate to share on the internet.

Other resources

The Consortium for School Networking has a guide to what districts should do (pdf) to protect data.

The US Department of Education Privacy Technical Assistance Center offers some best practices for protecting student privacy (pdf), a good gauge to measure your school against.

The Student Privacy Initiative at Harvard University’s Berkman Center for Internet and Society is continuously discussing and publishing on this topic.