Last week, I posted a rather long article about data sharing and my fear the recently passed Senate Bill 79 will only make it worse based on some clauses in the legislative language. Delaware Attorney General Matt Denn responded to me, and addressed his concerns. I thought that was very forthcoming considering I hadn’t even reached out to him yet on the issue.
From: “Denn, Matthew (DOJ)” <Matthew.Denn@state.de.us>
To: Kevin Ohlandt <email@example.com>
Cc: “Wright, Christian (DOJ)” <Christian.Wright@state.de.us>
Sent: Friday, October 9, 2015 7:51 AM
Subject: Senate Substitute 1 for SB 79
Kevin — I saw Mike Matthews’ link to your blog post about Senate Substitute 1 for SB 79. That bill was written by my office, and it has been recognized by national student data privacy advocates as among the most protective in the country for students. It does not undo any existing privacy protections — you can actually look at the bill and see that not one word in the existing statute is deleted. It does set up a task force to look at how DOE’s internal handling of student data should be improved — the majority of the bill relates to sharing and handling of student data by entities outside DOE. Most if not all of the lobbyists who are listed were registered to lobby against the bill, they represent a variety of large national interests and getting the bill passed over their objections was a difficult undertaking. I am copying Christian Wright from my office who wrote the bill and is also in charge of enforcing it, if you have any questions about it, he would be happy to answer them.
I took AG Denn up on his offer and reached out to Christian Wright.
From: Kevin Ohlandt <firstname.lastname@example.org>
To: “Denn, Matthew (DOJ)” <Matthew.Denn@state.de.us>
Cc: “Wright, Christian (DOJ)” <Christian.Wright@state.de.us>
Sent: Friday, October 9, 2015 10:36 AM
Subject: Re: Senate Substitute 1 for SB 79
I didn’t have concerns with this legislation as it was originally written. Unfortunately I got very distracted by House Bill 50 while most of the action on this legislation was going on. The amendment is what I have grave concerns with. It seems as if it was modeled after “legislation” written by Jeb Bush’s company, Excellence In Education. http://static.excelined.org/wp-content/uploads/Student-Data-Privacy-Accessibility-and-Transparency-Act-Model-Legislation-03.2015.pdf Many of the sections in the amendment have the exact same working as this mock legislation, especially on pages 10-13. Jeb Bush has received a lot of criticism for his role in education and the further implementation of Common Core State Standards, high-stakes testing, and things like this. I can see why Google and Microsoft would lobby against the bill, but my concern is who lobbied FOR the bill, or more specifically, the amendment to it.
There are legal loopholes all over this that can cause data to stream out to outside companies. As well, this company IMS Global Learning Consortium, which is incorporated in Delaware, seems to be an umbrella company for shared access of a great deal of student data between their “members”. A blogger in Colorado wrote an excellent article based on this company and what is going on out there with data. I would like to know how much of this bill was written by your office and how much was taken off templates from outside companies that actually make money off of education. Legislation can be extremely tricky, but even if certain data is protected, a great deal of it isn’t and it really feels like students are being tracked and catalogued for unknown purposes. I’m not the only person that feels this way. Given the numerous issues going on with education in Delaware in terms of the DOE, the Governor’s role in very questionable actions, and the very large influence outside companies have on education in this state, I am attempting to understand what is really going on. What we are told in the general media and in public meetings does not always gel with what is going on behind the scenes, and this concerns me on levels I never could have imagined.
From: Kevin Ohlandt [mailto:email@example.com]
Sent: Friday, October 09, 2015 12:23 PM
To: Denn, Matthew (DOJ) <Matthew.Denn@state.de.us>; Wright, Christian (DOJ) <Christian.Wright@state.de.us>
Subject: Fw: Senate Substitute 1 for SB 79
From: Wright, Christian (DOJ)
Sent: Friday, October 09, 2015 2:55 PM
To: Kevin Ohlandt <firstname.lastname@example.org>
Cc: Matthews, Michael J (K12) <email@example.com>; firstname.lastname@example.org; Denn, Matthew (DOJ) <Matthew.Denn@state.de.us>
Subject: RE: Senate Substitute 1 for SB 79
Thanks for your emails. I have attempted to address what I think are the questions you have raised SS 1 for SB 79, while also trying to provide an overall view of how the bill came about.
Who drafted SS 1 for SB 79?
I was the sole drafter of SS 1 for SB 79. I modeled SS 1 for SB 79 on California’s Student Online Personal Information Privacy Act (SOPIPA), which is now Section 22584 in the California Business & Professions Code. SOPIPA had been widely praised by student advocates as being the strongest legislation in the country for protecting student data privacy. SOPIPA was suggested to us as model legislation by Common Sense Media, one of the top independent NPOs focused on children and technology. SS 1 for SB 79, like SOPIPA, has been praised by student data privacy advocates and experts for taking one of the strongest stands in the nation to date in favor of student data privacy—most recently this morning during a call I had with a law professor who is a nationally-recognized expert on information privacy and cyber law.
Who lobbied on SS 1 for SB 79?
I handled all negotiations, meetings, and conversations with folks who wanted to provide input for or against SS 1 for SB 79 (and SB 79 before it). Excluding legislators, the only parties with whom I had dealings on SS 1 for SB 79 (or SB 79 itself) were Common Sense Media, Microsoft, Delaware PTA, Google, DOE, the State Board, and the State Privacy & Security Coalition (whose members include Google, Facebook, Yahoo!, Amazon, Comcast, AT&T, and Verizon). Until your email, I had never heard of either Jeb Bush’s company or IMS Global Learning Consortium. (Your email was also the first time we have seen the proposed model legislation in the URL you provided, so it played no role in our thinking and drafting.)
Common Sense Media, Microsoft, and Delaware PTA lobbied hardest in favor of the bill, and Google and the State Privacy & Security Coalition lobbied hardest against it. DOE and the State Board were also in favor of SS 1 for SB 79, but their participation was not as significant once SS 1 replaced the original SB 79.
Why the change from SB 79 to SS 1 for SB 79?
While you didn’t specifically ask this question, you stated that you didn’t have any concerns with SB 79 as originally written, so I thought it would be useful to explain why the substitution took place. The original SB 79 was modeled on a Georgia student data privacy bill (SB 89), and the student data privacy provisions governing ed-tech companies in the Georgia bill were not as strong as California’s bill. (At the time, we thought it might be difficult to get a bill as strong as California’s passed.)
During subsequent negotiations on SB 79, it became increasingly likely that SB 79 in its original form would have a fiscal note attached to it because of the provisions applicable to DOE. We did not want a fiscal note to delay the passage of legislation regulating the security and privacy of student data collected or maintained by ed-tech providers, and Delaware already has laws and regulations addressing the collection and use of student data by DOE, districts, and schools, so we elected to strip all of the DOE provisions in SB 79 out (essentially lines 97-234 and 317-379) in favor of a substitute bill that focused only on the ed-tech providers using California’s best-in-class privacy protections, and the creation of a task force to take a comprehensive look at student data privacy and security in Delaware’s public school system.
What did SS 1 for SB 79 do to “provisions addressing data security and privacy responsibilities currently in code”?
Absolutely nothing. They are all still there and will remain there until new Chapter 81A in Title 14 goes into effect. The nine items in the final paragraph of the synopsis—including the language about “deleting provisions addressing data security and privacy responsibilities of the Department of Education in favor of establishing the Student Data Privacy Task Force”—are identifying the differences between SB 79 and SS 1 for SB 79. This was done because the Division of Research’s Legislative Drafting Manual (p. 49) recommends that “A synopsis to a substitute bill should detail the difference between the substitute bill and the original bill, in addition to explaining what the bill does.” So the “deleting provisions” language in the synopsis is identifying what was deleted from SB 79 in creating SS 1, not anything that was deleted from the Delaware Code itself. ALL state and federal laws currently protecting student data (including FERPA, which we couldn’t touch anyway) remain in place until Chapter 81A goes into effect.
What about the legal loopholes in SS 1 for SB 79?
There aren’t any legal loopholes. As the handout we distributed to legislators explains (see attached), SS 1 for SB 79 protects a broad range of student data, including student records, emails, searches, and personally identifiable information, from commercial use by operators of sites and applications used for school purposes. The law absolutely forbids ed-tech providers from targeting students and parents with advertising based on student data, creating a student profile based on student data to be used outside of the school, selling student data, or disclosing student data to third parties (except in very limited, specified circumstances, set forth mostly in lines 105-124 of the bill).
The law does not allow student data to be given to marketers. It does allow an operator to use de-identified or aggregate data—which cannot be traced to any specific student—for its own marketing purposes, but not generally to give to marketers. If the data can in any way identify a student then it isn’t de-identified or aggregate student data and cannot be used for the operator’s own marketing purposes.
Let me give you a concrete example of how that works. Let’s say a Delaware school district hires Acme-Ed Corp. to provide online math services for its students, with personalized learning that adapts to the student’s progress as they learn the material. The service performs amazingly, with huge leaps in student learning, and Acme-Ed would like to be able to tout this success when it pitches to other school districts (i.e., marketing its service). Acme-Ed cannot use identifiable student data if it wants to do this—it cannot say “Jane Doe’s math scores jumped 37%, and John Public’s math scores jumped 40%!”. But Acme-Ed would be able to say something like, “Using our product, the score for one student at an elementary school in Delaware jumped 37%” or “Using our product, the scores for the students at an elementary school in Delaware went by 15-40%, with a median increase of 27%.”
If there are other parts of the bill that concern you that I haven’t covered, please feel free to identify them for me, and I’ll be happy to address them.
Thanks for giving us an opportunity to clarify what SS 1 for SB 79 does (and doesn’t) do. We are confident that the bill is a giant step forward for protecting student data in Delaware, and is every bit the “big victory for student privacy” that Common Sense Media calls it. (https://www.commonsensemedia.org/kids-action/blog/big-victory-for-student-privacy-in-delaware)
Christian Douglas Wright
Director, Consumer Protection Unit
Delaware Department of Justice
820 N. French Street
Wilmington, DE 19801
My concerns, which really haven’t changed much at all, are still in the signed legislation, which can be on the Delaware Legislator website. If you go to the right side, go to “Bill Quick Search”, on the drop bar, put in Senate Bill, and then 79. When you scroll down, go to “Substitute Legislation for this bill”, and follow the lines by number if you download the Full Text of the Legislation in MS Word. The following are the lines that I am most concerned about, all of which are already allowed under the Federal Educational Rights and Privacy Act (FERPA).
An operator shall not knowingly engage in any of the following activities with respect to such operator’s Internet website, online or cloud computing service, online application, or mobile application:
(2) Use information, including state-assigned student identifiers or other persistent unique identifiers, created or gathered by an Internet website, online or cloud computing service, online application, or mobile application as described in § 8102A(10)a. of this title, to amass a profile about a student except in furtherance of K-12 school purposes.
(4) Disclose student data, unless the disclosure is made for any of the following reasons:
a. In furtherance of the K-12 school purposes of the Internet website, online or cloud computing service, online application, or mobile application. The recipient of the student data disclosed for this reason shall not further disclose the student data unless done to allow or improve the operability and functionality within that student’s classroom or school, and is legally required to comply with the requirements of § 8104A of this title or paragraphs (1) through (3) of this section.
2. As allowed by state or federal law and under the direction of a school district, school, or the Department, if no student data is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K-12 school purposes.
(6) Nothing in this subsection prohibits an operator from using student data for any of the following:
a. Maintaining, delivering, supporting, evaluating, or diagnosing the operator’s Internet website, online or cloud computing service, online application, or mobile application.
b. Adaptive learning or customized student learning purposes.
(8) Prevent the Department, school district, or school from recommending, solely for K-12 school purposes, any educational materials, online content, services, or other products to any student or to the student’s family if the Department, school district, or school determines that such products will benefit the student and no person receives compensation for developing, enabling, or communicating such recommendations.
If this was just the Delaware DOE, my concerns could stop there. But we all know how much money they spend on vendor after vendor. With Rodel really pushing personalized learning, my fears only magnify. We already have several school districts in a “consortium” to share “best practices”.
But what makes my hair stand on edge is the words “except in furtherance of K-12 school purposes”. This is the legal loophole. Any corporate education reform company is supposedly in business for “school purposes”. But they make tons of money while doing so, and their goal isn’t to make education better. They are selling a product, so their goal is to make more and more money.
What safeguards does this legislation have for the student data once it is in the hands of a private operator? Once the information is out there, it’s not that easy to just put it back. If the company did violate this law, how would anyone know it? It’s not like the company would just hand over the information to a concerned parent. These companies have attorneys that make more in a day than the eight former Race To The Top positions at the DOE. What normal parent can stand up to these corporate juggernauts? How many years would it take? And how much information is already out there?
I can’t believe our General Assembly would overwhelmingly pass this bill. A hat tip to the four sole Republican Senators who had the courage to vote no. If I can see the gaping holes in this legislation, why couldn’t they? This bill was written by lobbyists who knew exactly what they were doing. These lobbyists are paid handsomely to swindle legislators into obeying their corporate masters. I’ve heard from a lot of folks indicating they needed more information on this. Unless you have followed all the movements of the DOE, Governor Markell, and corporate education reform companies, it is hard to pinpoint one glaring point.
Aside from the time away from true teacher-student interaction, this is one of my biggest concerns with personalized learning. Smarter Balanced was just the beginning in Delaware. Now the Governor and the Delaware DOE have their “justification” to unleash an unwitting public into the glory of “blended learning”. This was the true goal of all of this: a trillion dollar industry that has been very patient. This is the crossroads. Only you can decided if you want your child to be a commodity.