Antiquated Federal Laws Allow Exploitation of K-12 Student Data: Cybersecurity Expert

By Masooma Haq | 7.30.23 

Since the lockdowns, K-12 schools’ reliance on online education technology (Ed Tech) companies has grown exponentially, yet the laws that protect students’ online data are antiquated. Currently, parents have no legal recourse when student data privacy laws are violated.

Parents believe that school districts are required by student privacy laws to get parental consent to have students use online applications and SEL-infused technologies, but this is not always the case.

In addition, the pace at which Ed Tech companies are gathering and using student online data is on hyperdrive, much of it gathered through Social-Emotional Learning focused platforms and surveys, but school districts’ online data privacy infrastructure has not adapted. According to privacy and cybersecurity expert Joel Schwarz, districts are not prioritizing parental rights and student privacy.

“Our school district is far more concerned about the rights of the Ed Tech providers administering these surveys than the statutory rights of our children and parents under the PPRA and FERPA,” Schwarz told The Epoch Times.


Schwarz is the co-founder of the organization Student Data Privacy Project (SDPP), which has been pushing school districts to release student metadata to parents and working to get the U.S. Department of Education (DoE) to penalize the districts that do not comply with federal student data privacy laws and provide all the metadata to the parents.

The federal laws that were designed to protect student data and allow parents to see all student records are outdated or insufficient.

The DoE’s Family Educational Rights and Privacy Act (FERPA) is supposed to protect the privacy of students’ educational records and limit how educational institutions can disclose personally identifiable information (PII), and the Protection of Pupil Rights Amendment (PPRA) is there to limit the collection of PII through surveys, analyses, or DoE-backed evaluations.

There is also the Children’s Online Privacy Protection Act (COPPA), which covers data privacy for online (websites, apps, and online services) collection of PII from children under the age of 13.

Student Data Privacy Project Map of states that had FERPA complaints filed (green) to access student metadata (courtesy of Student Data Privacy Project)


FERPA should be enough to allow parents to easily acquire their child’s school records, whether online or written. However, the 1974 law was created before the internet and concerns about metadata. It was meant to limit how student records were used, and to whom and how they were disclosed, but in its current form, it allows student data to be shared more easily with the Ed Tech companies than with parents.

“Fast forward now … and the schools use the ‘school official exception’ designation to disclose data to the Ed Tech companies without parent’s consent,” Schwarz said. “It means FERPA basically doesn’t really exist anymore.”

Another factor that prevents parents from accessing their child’s data is that the metadata stored on the Ed Tech platforms is not in the schools’ central database, and based on a prior Supreme Court decision, in order for student data to be under FERPA’s privacy protections it has to be stored in the district’s central database, said Schwarz.

“It’s not centrally stored by the school system, and therefore, it’s not a FERPA record,” Schwarz said. “None of the records are covered, and therefore they don’t have to tell you what is stored by the Ed Tech providers.”

The question is not where the data is stored but who has direct control over the entity that keeps the students’ metadata, said Schwarz.

SDPP filed a series of FERPA complaints in 2021 across the country to obtain student metadata, but to date, none of them have been resolved, said Schwarz.

“Nobody’s had their case resolved, and in fact, the DoE told us point blank the only option they have, if they find a school violating FERPA, is to take away the federal funding, and they don’t want to do that. So, there is no other penalty structure under FERPA,” Schwarz said.

“You [DoE] can’t just enforce it because you don’t like the penalties,” said Schwarz. Their FERPA complaints got a variety of unhelpful responses.

Some school districts responded to SDPP FERPA complaints by attaching their agreements with Ed Tech companies, stating that student data is protected under FERPA. Some districts claimed that FERPA does not apply to PII held by Ed Tech providers because the Ed Tech records are not “centrally stored.” Some parents were provided with ID and password information for the platform, which they already had but which did not give them access to their child’s metadata, and in other cases there was no response at all, said Schwarz.

Schwarz believes the reason districts were not able to resolve SDPP parents’ FERPA complaints is that the FERPA law is outdated and doesn’t fit the districts’ shift to primarily online/virtual education. In addition, Schwarz suspects that school districts may also be running into obstacles when they reach out to these Ed Tech providers on behalf of parents.

“But the problem is the schools have the contracts with the Ed Tech providers, the schools and the FERPA [DoE] are responsible for directly controlling them [Ed Tech], so they need to get the data from the providers,” said Schwarz. “I think it’s a lot of confusion over how this works.”

No Legal Recourse

Ed Tech companies need to be held accountable for mining and exploiting student data, said Schwarz.

According to Schwarz, parents have no legal avenue to hold Ed Tech companies accountable because the school districts have contractual agreements with the Ed Tech providers, and districts must take action; state attorneys general cannot defend parents because they are obligated to defend the state education department in a lawsuit; FERPA is not an option to sue under either, because the statute does not allow a private right of action.

Further, parents cannot sue Ed Tech providers directly because state privacy laws don’t recognize the data breach as a crime when consent was given, even if that consent is given by the school district.

“Until DoE updates its regulations, Congress updates the law, or an Executive Order is issued, parents are left with no recourse,” said Schwarz.

Schwarz’s organization has been working with Sen. Ron Wyden’s (D-Oregon) office to amend FERPA, but in order to have Congress change FERPA, the DoE would first need to enforce the law as it is and penalize schools for not providing children’s data to parents; parents could then proceed to sue the school, and Congress would then have a reason to act, said Schwarz.

Until DoE decides to enforce FERPA, Schwarz said his organization is talking to the Federal Trade Commission (FTC) about enforcing COPPA.

FERPA does cover online data but COPPA does. However, Schwarz stated that the COPPA rule also does not work to get the online data because Ed Tech providers will say our contract is not with parents but school districts, so we can’t give you the records even though it’s your child’s data.

The long-term solution needs to be that FERPA is enforced and then amended.

Meanwhile, as privacy laws fail parents, data collection from students has increased, and parents are dismayed at being kept in the dark about surveys that collect PII, said Schwarz. In particular, districts find loopholes to justify why parents were not informed beforehand and given the choice to opt out.

What SEL Surveys are really used for (Courtesy of Courage is a Habit)

Top-down SEL Mandate

The U.S. Department of Education 2020 report, Supporting Child and Student Social Emotional Behavior Mental Health Needs (pdf), directs schools to establish an integrated framework for SEL and advocates for universal mental screenings [surveys], saying, “Districts are encouraged to adopt a structured and comprehensive universal screening process to catch internalizing and externalizing child or student needs.”

Personal information is gathered through a variety of means under the banner of Social Emotional Learning (SEL). Surveys are implemented throughout the year in most schools, some of them federally mandated, with names like school climate surveys, health surveys, behavior risk surveys, etc.

The American Rescue Plan Act (ARPA) and recent state policies have provided money to expand mental health and wellness services in schools, with $122.8 billion allocated for the Elementary and Secondary School Emergency Relief (ESSER), and more recently Congress passed the Bipartisan Safer Communities Act, which also allocates funds to support school-based mental health services.

The “School Official Exception” designation allows schools to disclose children’s data to an Ed Tech provider, for educational purposes, without parental consent, so long as the school maintains “direct control” over the provider, said Schwarz, which emboldens Ed Tech companies.

Most school districts contract with or use hundreds of online apps and programs, for which they technically have direct control but do not maintain oversight of that direct control to see how student data is being used, said Schwarz.

“Fact is, schools are not maintaining “direct control” over Ed Tech providers, nor are they holding those providers accountable, which explains why 67 percent of public schools share children’s personal data with 3rd party advertising and analytics companies,” Schwarz said in a 2022 written testimony.

Cycle of Indoctrination

Ed Tech providers are permitted to administer invasive surveys to students, sometimes without parental knowledge or consent, depriving parents of their PPRA rights of access, the ability to opt out their children, and state SDPP.

“This data is tied to their climate rating and the money that they get,” Rhonda Thomas, president of The Truth in Education, told The Epoch Times. “This data is being used by third-party organizations. And to reinforce the need for more social emotional learning in our schools.”

“They’re giving them a survey, if that child is not on the track they want them to be on they can change the algorithm based on the surveys, they know what they need to do, to change the algorithm to start moving them either individually or as a group,” Thomas said.

Thomas said a lot of new legislation is written to support universal mental health screenings, which allows schools to bypass parental consent.

“HB 1013 has in there that we can do universal mental health screenings on everyone beginning infancy,” Thomas said.

Barbara Bush, education consultant for Truth in Education, told The Epoch Times that schools are not teaching students to think critically but training them to react.

“Educating is presenting information in its proper context. In a way that it can be applied in multiple ways,” Barbara Bush said. “Whereas training is designed to eliminate the reflective critical thinking. It is to give you many responses that become reactions and our reaction is void of thought.”

According to many parental rights groups, including Courage is a Habit, the online surveys and SEL curriculum have the same end goal, which is to collect student data and perpetuate a cycle of indoctrination. This allows the Ed Tech companies to continue to profit and school districts to cheat students out of a rigorous academic education.

“Mental health data is collected and interpreted through an equity lens. Schools receive a grade and thereby justification for further SEL investment. But children also receive a score based on conformity to the collective standards of social justice. Much like a social credit system, these scores may later be used to evaluate a student’s suitability for college acceptance and entry into the workforce,” states The Truth About Education report, Unmasking SEL (pdf).

Scope of Data Mining

“The schools give children evaluations that measure mental health based on highly personal questions about sexuality, depression and anxiety, family life, risky behaviors, and attitudes and beliefs about divisive issues like race and gender. The results are stored in the child’s dashboard, creating a permanent psychological profile that follows them as they change grades or even schools through SLDS,” states the Truth in Education report Unmasking SEL.

The PII data collected from students is very detailed and specific.

A factor that allows this level of data collection is that FERPA does not limit Ed Tech in their use of the data because there is a lot of room for interpretation of the law, said Schwarz.

“It’s a gray area,” Schwarz said he has heard Ed Tech providers say, “that FERPA doesn’t explicitly prohibit advertising. It doesn’t say you can’t use educational data for purposes of refining your product and building new products to service students.”

A series published by The Markup in January 2022 revealed that Naviance software – which many school districts use – collects sensitive PII starting in 6th grade, and then sells it to colleges and universities so that those institutions can then “target students with paid advertisements,” even allowing those admissions officials to use the PII to target specific demographics.

In addition, The Markup revealed that Naviance is owned by PowerSchool, which is owned by a private equity firm Vista Equity Partners, which stores data on more than 75 percent of the nation’s K-12 students. The equity company has “an educational software empire that wields unseen influence over the educational journeys of tens of millions of children.”

Children’s personal information collected from their activities at school is being used to create personality profiles that may land them on lists used by law enforcement to identify potential criminals. Florida’s Pasco County Sheriff’s Office used student data to target “at-risk” youth.

“Students can be placed on the list if they get a “D” grade in class, miss school three times in a quarter, get a single discipline referral during a quarter or have experienced childhood trauma,” according to the Tampa Bay Times report.

In 2022, hackers gained access to highly sensitive personal information of nearly 820,000 current and former New York City and Connecticut school district students through the software vendor Illuminate.

Statewide Longitudinal Data

According to a 2019 Pioneer Institute report called “Social-Emotional Learning: K–12 Education as New Age Nanny State,” by Karen Effrem, M.D., and Jane Robbins, J.D., in early 2000 the DoE began to develop statewide longitudinal data systems (pdf) through a grant program. Since then, many states have received federal funding to develop and improve their SLDS infrastructure.

Since 2002, the DoE incentivized (pdf) the collecting and storing of student data.

“Whatever parents know about their child, the SLDS probably knows it, too,” the Pioneer Institute report states.

A state’s SLDS may contain a massive number of data points on each student (including mental health/SEL data), and they would be stored at least to the end of a student’s pre-K through 12th-grade years.

And with interoperability, that data could be shared universally. Interoperability is a huge component of education data collection, whistleblower and California parent Lisa Logan told The Epoch Times. School divisions can link with other districts across the U.S. for easier data sharing, but this creates a greater risk to privacy, she said.

From The Epoch Times