Welcome to the latest edition of FPF’s Youth & Education Privacy newsletter. I’m Bailey Sanchez, policy counsel on the Youth & Education team at FPF. My work right now is mainly focused on legislative tracking, as child privacy is still a top priority of many lawmakers and we are seeing age-appropriate design codes pop up in other states. 

Next, you’ll be hearing from Miles Light! Miles has a particular interest in AI, and so we’re going to save our deep dive into all things ChatGPT and education for his newsletter next month.

Among other recent developments in child and student privacy, this newsletter highlights:
  • The FTC’s action against Epic Games
  • The Age of the Age-Appropriate Design Code
  • Ongoing challenges on cybersecurity - and a look at a hacker group
  • The student mental health crisis, how schools are responding, and parent resources 
  • The latest on online proctoring
As we continue to refine the content and format of this newsletter, we want to hear from you - what’s on your mind, and how can we help? Reach out to us anytime by replying to this email.

An “Epic” FTC Announcement

Just before the holidays, the FTC announcedhistoric” action against Epic Games, the maker of the popular video game Fortnite, over allegations the company violated the Children’s Online Privacy Protection Act (COPPA), as well as the FTC Act’s prohibition against unfair practices by making certain features on by default to children and teens. Epic agreed to pay a collective $520 million in relief ($245 million in refunds and $275 million in penalties) through two separate agreements - one for alleged privacy violations and one for billing practices. While the financial penalty is certainly eye-catching, the agreement outlines several interesting operational takeaways for operators of online services and sites directed at kids and/or teenagers

The Entertainment Software Rating Board’s blog post and takeaways are worth a read, as is Epic’s forward-looking response. From the opening lines: “No developer creates a game with the intention of ending up here…. We accepted this agreement because we want Epic to be at the forefront of consumer protection and provide the best experience for our players.”

The Age of the Age-Appropriate Design Code

My colleague Keir asked in his blog “Five Big Questions” for the U.S. state privacy landscape in 2023 if we have entered the “Age of the Age-Appropriate Design Code”… and all signs continue to be a resounding yes. Following California’s lead, New York, New Jersey, Oregon, and most recently Connecticut have introduced similar bills (of note: Oregon’s bill, as written and if it were to pass, would go into effect at the same time as California’s law), and we expect even more to follow in the coming months. In short: states aren’t waiting around for Congress to act on children’s privacy.

If you are catching up on all things AADC, I worked on two resources with my colleague Chloe Altieri late last year that may be helpful to you: a comprehensive overview and analysis of the California AADC and a comparison of the California and UK versions. A key takeaway from our comparative analysis is that the UK’s code is generally a good bit more specific than California’s version, leading some companies to look at it for guidance as we await further information from California. Another step in that direction worth noting: the UK Information Commissioner’s Office (ICO) recently released design tests that, while not an official assessment, can help companies gauge their level of compliance with their AADC.

One of the big questions that California’s AADC (and similar legislation) raises is just how an online service provider is supposed to determine a child’s age - a long-running challenge that raises the age-old issue of balancing privacy and security. While policymakers in the US and UK continue to include age verification in a variety of legislative proposals, the French data protection agency, CNIL, viewed by some as “generally seen as the most aggressive and most thorough in its data protection/data privacy work,” recently declared “no current solution” was acceptable, noting they can all “can easily be circumvented” and pose privacy risks. CNIL took issue with many of the most often-discussed potential solutions, too. It remains to be seen if “nerding harder” will lead to better alternatives. In the meantime, companies continue to innovate: Meta recently expanded its age verification testing to Facebook Dating.

One other key question: as more kids’ privacy bills incorporate a “best interests of the child” standard - who determines what content is in the best interests of kids, and what isn’t? And what happens when states disagree on that determination? I talked about this issue and others with CyberScoop.

Ongoing Data Security Challenges

Data security continues to be a very real problem for schools, districts, and edtech companies alike; despite a renewed focus on combating the threat, schools sustained approximately the same number of cyberattacks in 2022 as they did in 2021. Warning that “[a] continuing drumbeat of cyber intrusions is threatening the nation’s ability to educate our children while also placing personal information and school data at risk,” the Cybersecurity and Infrastructure Agency (CISA) released a new report and toolkit for schools that builds on its recommendations.

Attacks continue to impact schools of all shapes and sizes - from large K-12 districts to smaller colleges like Knox College in Illinois where the attackers sent intimidating emails directly to students. In early December, the Little Rock School District board voted to negotiate with the hackers who launched an attack against the district’s computer network, ultimately approving a $250,000 payment that the school district described in a letter as a “final agreement.”

Meet one of the more active “ransomware gangs” targeting the education sector, Vice Society. While the group is “continually evolving” and has “shaped their campaigns to take advantage of the school year” (the start and end of the year are the most vulnerable for schools) a recent report by Palo Alto Networks’ Unit 42 threat research team does point to one reason to be optimistic. While noting it is often an underutilized advantage, the report concludes that in a school setting, “There are many educators who can help inform trainings for both staff and students to learn what they need to do to maintain security for everyone in the organization.”

A Global Interest in Protecting Kids’ Privacy

While a year-end push to enact federal child privacy legislation led in part by Sen. Markey faced an “uphill climb” and ultimately came up short, a January 11 Wall Street Journal op-ed by President Biden calling for federal privacy protections quickly became the talk of the town. President Biden highlighted the importance of special protections for children, writing, “protections should be even stronger for young people, who are especially vulnerable online. We should limit targeted advertising and ban it altogether for children.”

An ABC News segment from early December featuring a joint interview between the bipartisan leaders of the House Energy & Commerce Committee, Rep. Frank Pallone and Rep. Cathy McMorris Rodgers, highlighted the provisions of the ADPPA that would protect kids 17 and under. And I also presented on this topic at the Connecticut Data Privacy Task Force meeting on December 7; catch my presentation starting around the 30-minute mark.

One privacy provision of note that did make it into the omnibus and become law: a TikTok ban on federal devices over growing security concerns. This follows the action from an increasing number of states to ban TikTok on state-owned devices and in some cases, WiFi networks, impacting students at some public universities

Across the pond, a controversial online safety bill long in the works in the UK but that had been put on hold during the governing party’s leadership transition is back with two noteworthy changes. One: the bill’s “legal but harmful” clause has been removed, a provision that would have tasked online platforms and tech companies with removing content that was legal but deemed harmful from their platforms, a prospect that had free speech advocates concerned. The second big change: a January 17 agreement to add in criminal charges including jail time of up to two years for tech executives who "consent or connive" to ignore the new rules. The BBC reports the bill, which has been “repeatedly altered” as it has progressed, now faces “what is expected to be a lengthy journey through the House of Lords.”

“A National State of Emergency”

“The need is real, the need is dire,” Alberto Carvalho, the superintendent of Los Angeles Unified School District, told the Washington Post about the deepening student mental health crisis. Schools continue to face a shortage of counselors and doctors are warning - again - about a “national emergency.” Students are acting out; 60 percent of schools reported an increase in classroom disruptions due to student misconduct and 40 percent of schools reported an increase in physical fights. Test scores have dropped to a level not seen since 1999.

How Schools Are Responding 
One potential avenue that many schools are turning to is teletherapy. While the telehealth format presents some privacy and accessibility challenges for students who may not have access to the right tech and/or private space at home, early research into the potential efficacy of teletherapy for children is encouraging, including lower no-show rates for underserved children compared to traditional in-person visits. One potential concern we’re keeping an eye on is that many schools are paying for these services with COVID relief dollars or other one-time grants, rightly raising questions about sustainability. 

What else are schools doing to support students? Some are investing in social-emotional learning and/or implementing mental health days off for students. Surveys and mental health screenings can be an effective way to better understand student needs but come with their own privacy risks. “In the wrong hands, the very information schools need to support students can threaten students’ reputation and well-being,” warns the Education Commission on the States (ECS). One state the ECS report does applaud is Utah (we agree!).

Another avenue that the FPF Youth & Ed team has long kept an eye on is student monitoring technology. Online monitoring programs such as the one implemented in Chicago Public Schools this fall are often presented as “key in efforts to prevent violence and self-harm,” but to date, there is no independent evidence linking the use of monitoring tools to either outcome. To address school safety, states continue to pass a wide range of legislation; The Education Commission of the States again has a good recap of the key trends and developments within the dozens of school safety bills that states adopted in 2022.

Seattle Public Schools recently took things a step further by filing a federal lawsuit against the companies behind the major social media platforms, arguing in part that the design of social media platforms is inherently dangerous to kids, and that the district doesn’t have the resources to contend with a growing mental health crisis that social media is making worse.

Resources for Parents 
If you are a parent wondering what to do, a few resources that may help: the Washington Post breaks down how to make a school mental health day work for their child and family, and if you are worried about setting screen time limits, this parenting expert makes a case for teaching your child “screen smarts” instead.

The Latest On Online Proctoring

On the heels of a federal court ruling last fall that found a public university’s use of room-scanning technology during a remotely proctored exam violated a student’s Fourth Amendment right to privacy (read more from my colleague Lauren on that case), the international community is weighing in. The Netherlands Institute for Human Rights recently issued an interim judgment finding that online proctoring software can discriminate, regardless of developers' intent, siding with a student who brought the case after facial recognition software failed to recognize her face as she was taking an exam. Universities must now pre-emptively show that the software does not discriminate before it is used. Read more (in Dutch, with Google Translate available)

The French data protection commission, CNIL (the “Commission Nationale de l’Informatique et des Libertés”) recently closed a public “consultation” in response to its growing awareness of “particularly intrusive practices and tools” used in online proctoring. Read more (in French, with Google Translate available). 

91 percent: According to a new GAO report that calls for tighter regulation of how colleges and universities describe their financial aid packages, 91% of schools do not correctly list their net price. More from the Wall Street Journal.
3 hours: 75% of Chinese youth report they now played less than three hours of video games per week, according to a new report co-authored by China’s video gaming association that tracked the country’s progress to curb video game addiction, Reuters reports.
2: TikTok was the subject of two lawsuits filed by the state of Indiana in early December over concerns about security and the app’s influence on children.
50 percent: Twitter’s child safety team staffing had been reduced by 50% as of December, leading to questions from Sen. Dick Durbin, Chair of the Senate Judiciary Committee, NBC News reported.
1,981: school districts hit with ransomware attacks in 2022 represented 1,981 schools, double the number of schools that were potentially exposed in 2021, according to a year-end report from Emsisoft.
20 percent: Nearly 20% of schools have vacancies in mental health positions according to federal data, the Washington Post reports.
As part of Data Privacy Week, I joined a terrific kids’ privacy-focused panel hosted by the National Cybersecurity Alliance and Linkedin; our discussion starts at about the 15-minute mark
Did your child unwrap a “smart” toy over the holidays? My colleague Daniel Barrick spoke to WIRED about the privacy risks and tips you need to know. Read How to Set Up Your Kid’s “Smart” Toy.
What’s on your 2023 privacy wish and worry lists? David Sallay, FPF’s Director of Youth & Education Privacy, shared his thoughts with THE Journal. We’d love to know what’s on your mind - reply to this email to share your thoughts.
I presented to the Connecticut Data Privacy Task Force meeting on December 7 about the intersection of child privacy and the American Data Privacy and Protection Act; catch my presentation starting around the 30-minute mark.

A bill introduced in the Mississippi legislature would allow video cameras to be installed in public schools across the state, including in classrooms, auditoriums, gyms, and cafeterias. While this is not an entirely new proposal (similar bills have been introduced in Florida and Iowa in recent years) the privacy and safety implications are alarming.

In our last newsletter, we highlighted the emergence and growing concern about ChatGPT and how educators are bracing for AI-generated school work. Just weeks later, we had GPTZero, developed by a Princeton student to detect work that has been generated using AI. Clearly, things are moving quickly on this topic, and likely will continue to for some time. As we mentioned, more to come from my colleague Miles next month! In the meantime, here are some of the things we’re reading:

Copyright © 2023 Future of Privacy Forum, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.