Welcome to this month’s edition of FPF’s Youth & Education Privacy newsletter. I’m Lauren Merk, a policy counsel on the Youth and Education team at FPF, and I’m thrilled to be delivering this month’s newsletter to your inbox! Recently, much of my work has centered around federal child privacy bills, FTC enforcement, and state education privacy legal frameworks. I am especially interested in consumer rights laws as they pertain to children’s privacy, legislative frameworks, and regulation surrounding the privacy rights of children and students. Feel free to reach out to me at or follow me on Twitter @Lauren_Merk1

Next month you’ll be hearing from Alexa Urbanic, policy counsel and youth and education privacy expert extraordinaire! There is a lot happening in student and children’s privacy, and by rotating FPF experts, we will spotlight different perspectives on important issues in these areas.

Among other recent developments in child and student privacy, this newsletter highlights the following:

  • The FTC puts edtech companies on notice

  • Human Rights Watch and others examine student surveillance

  • State legislative updates from Minnesota and California 

  • The ransomware attack that led to a college’s permanent closing

As we continue to refine the content and format of this newsletter, we want to hear from you - what’s on your mind, and how can we help? Reach out to us anytime by replying to this email.

FTC Puts EdTech Companies on Notice

On May 19, the Federal Trade Commission unanimously approved a policy statement prioritizing enforcement of the Children’s Online Privacy and Protection Act (COPPA) as it relates to educational technology, writing, “children should not have to needlessly hand over their data and forfeit their privacy in order to do their schoolwork or participate in remote learning, especially given the wide and increasing adoption of ed tech tools.” 

As Protocol noted, “While the policy closely follows existing law on kids' privacy, known as COPPA, the statement signaled that the commissioners are turning their attention to tools that kids may use every day and that parents rely on for their children's development.” 

The FTC’s vote was applauded by President Biden, who called for stronger child privacy protections in his State of the Union speech earlier this year. President Biden’s statement noted in part, “When children and parents access online educational products, they shouldn’t be forced to accept tracking and surveillance to do so.”

To learn more, read the FTC’s full policy statement and blog post, and FPF’s response.

Watching the Watchers

The end of the school year means final exams, which for students who have continued to learn remotely, may be observed by remote proctoring companies. State licensing boards who oversee high-stakes medical and legal exams are increasingly adopting these technologies as well, despite questionable efficacy. Examining law school and bar exams, a new paper, Watching the watchers: bias and vulnerability in remote proctoring software, calls into question whether the many resulting problems with the software are worth the benefit. New proposed legislation in California–the Student Test Taker Privacy Protection Act–aims to address some of these concerns by enhancing data privacy protections for test takers.  

And in the K-12 space, students are increasingly subject to online monitoring. The 74 Million profiled the troubling experiences of eight former “content moderators” charged with reviewing billions of personal photos, emails, chats, and other content from students flagged by an algorithm, under pressure to quickly distinguish a false flag from concerning content. And while New York state temporarily banned the use of facial recognition in schools, there remains a growing effort to utilize the technology in school settings around the world.  A UK school is reportedly considering the prospect of using facial recognition to facilitate cashless payments in the school lunch line. The use of biometric data in schools continues to garner skepticism, and is the subject of a new Defend Digital Me report: The State of Biometrics 2022: A Review of Policy and Practice in UK Education

In the U.S., Clearview AI, a facial recognition company that previously worked mostly with law enforcement, is planning to expand into schools through a new one-to-one facial verification product that can be linked to visitor management systems to schools. Clearview AI’s practices have long been the subject of controversy. Most recently, the company has been in the headlines regarding regulatory action by the UK Information Commissioner Office (ICO) and its settlement in a significant lawsuit brought by the ACLU. 

And - if it’s not enough for kids to be “watched” at school, parental surveillance is on the rise.

State Legislative Updates

The Minnesota Legislature recently wrapped up a busy and memorable session considering several student privacy measures. FPF policy counsel Bailey Sanchez spoke to the Star Tribune about the “tricky balance” the student privacy bills aim to strike. 

Days before the state’s legislative session ended, the Minnesota Student Data Privacy Act (HF 2353) was passed and signed into law. The law, which will take effect in the 2022-2023 school year, will regulate the use of student data and school-issued device monitoring. Now that the law has been passed, Minnesota will join the other 41 states and Washington, D.C. that have a student privacy law on the books.

California continues to be active in child privacy and advance new proposals, including one that seeks to regulate “addictive features” in tech products and services. The California Legislature is also considering an Age Appropriate Design Code, modeled after the UK’s own Age Appropriate Design Code. The California Assembly passed both bills at the end of May and the bills will now be discussed in the California Senate. Read more on the Age Appropriate Design Code in FOSI’s new research brief examining its impact in the UK and California’s attempt to implement its own version.
LGBTQ+ Student Privacy

Proposals that target LGBTQ+ student privacy continue to emerge across the country, raising alarm among educators and LGBTQ+ advocates. A Virginia school board proposal would require schools to notify parents of how students self-identify, and proposed legislation in New Hampshire would require schools to notify parents if their child visits the school counselor.

Meanwhile, the Missouri Attorney General has opened an investigation of multiple school districts in the state for allegedly violating state and federal privacy laws, including the Protection of Pupil Rights Amendment (PPRA), by surveying young students about sensitive personal topics including gender, race, and sexual orientation without parental consent. This comes after a request from the Southeastern Legal Foundation to open an investigation.
Social Media Chatter

Major social media platforms have been all over the news lately. Instagram recently required all users to enter their birthdate in order to verify their age, the platform’s latest effort to protect young users. But age-verification is not a cure-all, and some members of Congress recently wrote to Instagram’s parent company, Meta, requesting information about a new report that found an alarming rise of pro-eating disorder content on the platform targeting young children.

Meta’s struggle to protect kids online has also caught the attention of a major teachers union. Randi Weingarten, President of the American Federation of Teachers, sent a letter to the union pension trustees asking them to sanction Meta–a significant holding–over its targeting of kids. The company is also the subject of a significant proposed fine by the Irish data regulator regarding alleged children’s privacy violations under the EU’s General Data Protection Regulation (GDPR).

The Washington Post took a close look at a new class-action lawsuit against Snapchat led by a 16-year-old who was sexually exploited on the app as a young teen. The suit “accuse(s) Snapchat of negligently failing to design a platform that could protect its users from “egregious harm.”
Data Security News

Data security continues to be a concern at both the K-12 and higher ed levels; in 2021, ransomware attacks disrupted learning at more than 1,000 schools. It was encouraging to see data security cited as an area of particular emphasis in the FTC’s recent policy statement. Following our update last month about one of the largest student data breaches on record impacting more than one million current and former students in New York City schools and beyond, Chicago Public Schools announced a data breach affecting 560,000 students and staff. Meanwhile, Georgia high school students exposed a major security issue for DeKalb County Schools, finding they could access thousands of files containing private student and staff information, including social security numbers and medical, academic and disciplinary records. According to the local news outlet, a spokesperson from the school district said, “[a]n internal investigation determined that improper handling of files by employees caused these conditions.” 

In higher ed, the 157-year old Lincoln College recently announced it would close for good due in part to a ransomware attack last December that “walled off the school’s access to its data and halted its recruitment, retention and fund-raising campaigns” through March, The New York Times reported.
Human Rights Watch Takes on EdTech

On May 25, Human Rights Watch released an investigation into edtech “How Dare They Peep into My Private Life?” Children’s Rights Violations by Governments that Endorsed Online Learning During the Covid-19 Pandemic. The report contains a valuable set of recommendations for governments, education technology companies, and departments of education, many of which FPF has previously endorsed. For example, one of the recommendations aimed at Departments of Education is to “Develop and promote digital literacy and children’s data privacy in curricula.” It has already led to changes to privacy policies at some companies featured in the report. Other companies cited in the HRW analysis have challenged the report’s characterization of their practices.

11: TikTok use among kids ages 5-11 at the start of the pandemic rose 11 percentage points between 2020-2021, according to a new Pew Research Center survey of how parents’ views of kids’ screen time and social media use have changed during the pandemic.
91: EdTech Magazine reports that 91% of Internet of Things platforms will contain some form of “digital twin” capability by 2026. A digital twin is a virtual representation of an object or system that is updated throughout its lifecycle using real-time data. Digital twin technology uses simulation, machine learning, and reasoning to help decision-making.
40,000: The number of students who lost access to library materials via the school district's e-reader app when a superintendent in suburban Tennessee recently cut access for a week following a parent’s complaint that the e-library available on her kindergartner’s laptop included books supporting LGBTQ+ pride. E-reader apps are the latest edtech to have its moment under the microscope.
20Chalkbeat reviewed more than 20 polls in compiling its analysis of what parents think about schools, race, and racism.
Check out the Youth and Education Team's recent policy brief comparing the four children's privacy bills in the current Congress.
Policy Counsel Chloe Altieri is collaborating on a blog about the California Age Appropriate Design Code. Keep your eyes out for the blog coming later this summer!
We are closely watching the bipartisan and bicameral American Data Privacy and Protection Act (ADDPA). A discussion draft of the bill was released on Friday, June 3 and includes provisions specific to children’s privacy. Our team is monitoring the bill and working on analyses of the potential implications to child and education privacy. Stay tuned for more from FPF and the Youth and Ed team in the coming weeks!
  • On June 29, the International Society for Technology in Education (ISTE), as part of its 2022 EdTech Conference in New Orleans, will host “A Teacher, Administrator and Vendor Walk Into A Bar …”, a panel discussion examining various data stewardship roles regarding student data privacy, all set in a fun bar conversation format!
  • The FTC listed “child and teen privacy risks, harms, and vulnerabilities” on its call for PrivacyCon 2022 presentations. The deadline for submissions is July 29; PrivacyCon will be held virtually on November 1, 2022.
Do you know what a VCR is used for? And do you know why this question is being asked? Visit to learn more about Verifiable Parental Consent (VPC), and stay tuned for more from FPF on this topic.
Copyright © 2022 Future of Privacy Forum, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.