[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                    HOW EMERGING TECHNOLOGY AFFECTS
                            STUDENT PRIVACY

=======================================================================

                                HEARING

                              BEFORE THE

                    SUBCOMMITTEE ON EARLY CHILDHOOD,
                  ELEMENTARY, AND SECONDARY EDUCATION

                         COMMITTEE ON EDUCATION
                           AND THE WORKFORCE

                     U.S. House of Representatives

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

           HEARING HELD IN WASHINGTON, DC, FEBRUARY 12, 2015

                               __________

                            Serial No. 114-2

                               __________

  Printed for the use of the Committee on Education and the Workforce
  
  
  [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


                   Available via the World Wide Web:
                       www.gpo.gov/fdsys/browse/
           committee.action?chamber=house&committee=education
                                   or
            Committee address: http://edworkforce.house.gov
            
            
                              ___________
                              
                              
                       U.S. GOVERNMENT PUBLISHING OFFICE       
93-208 PDF                   WASHINGTON : 2016                       
_________________________________________________________________________________________ 
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected]  
               
                
                
                
                
                
                
                COMMITTEE ON EDUCATION AND THE WORKFORCE

                    JOHN KLINE, Minnesota, Chairman

Joe Wilson, South Carolina           Robert C. ``Bobby'' Scott, 
Virginia Foxx, North Carolina            Virginia
Duncan Hunter, California              Ranking Member
David P. Roe, Tennessee              Ruben Hinojosa, Texas
Glenn Thompson, Pennsylvania         Susan A. Davis, California
Tim Walberg, Michigan                Raul M. Grijalva, Arizona
Matt Salmon, Arizona                 Joe Courtney, Connecticut
Brett Guthrie, Kentucky              Marcia L. Fudge, Ohio
Todd Rokita, Indiana                 Jared Polis, Colorado
Lou Barletta, Pennsylvania           Gregorio Kilili Camacho Sablan,
Joseph J. Heck, Nevada                 Northern Mariana Islands
Luke Messer, Indiana                 Frederica S. Wilson, Florida
Bradley Byrne, Alabama               Suzanne Bonamici, Oregon
David Brat, Virginia                 Mark Pocan, Wisconsin
Buddy Carter, Georgia                Mark Takano, California
Michael D. Bishop, Michigan          Hakeem S. Jeffries, New York
Glenn Grothman, Wisconsin            Katherine M. Clark, Massachusetts
Steve Russell, Oklahoma              Alma S. Adams, North Carolina
Carlos Curbelo, Florida              Mark DeSaulnier, California
Elise Stefanik, New York
Rick Allen, Georgia

                    Juliane Sullivan, Staff Director
                 Denise Forte, Minority Staff Director
                                
                                
                                --------                                

  SUBCOMMITTEE ON EARLY CHILDHOOD, ELEMENTARY, AND SECONDARY EDUCATION

                     TODD ROKITA, Indiana, Chairman

Duncan Hunter, California            Marcia L. Fudge, Ohio,
Glenn Thompson, Pennsylvania           Ranking Minority Member
Dave Brat, Virginia                  Susan A. Davis, California
Buddy Carter, Georgia                Raul M. Grijalva, Arizona
Michael D. Bishop, Michigan          Gregorio Kilili Camacho Sablan,
Glenn Grothman, Wisconsin              Northern Mariana Islands
Steve Russell, Oklahoma              Suzanne Bonamici, Oregon
Carlos Curbelo, Florida              Mark Takano, California
                                     Katherine M. Clark, Massachusetts
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

Hearing held on February 12, 2015................................     1

Statement of Members:
    Rokita, Hon. Todd, Chairman, Subcommittee On Early Childhood, 
      Elementary, and Secondary Education........................     1
        Prepared statement of....................................     2
    Fudge, Hon. Marcia, L., Ranking Member, Subcommittee On Early 
      Childhood, Elementary, and Secondary Education.............     3
        Prepared statement of....................................     4

Statement of Witnesses:
    Sevier, Shannon, Vice President for Advocacy, National Parent 
      Teacher Association, San Antonio, TX.......................    06
        Prepared statement of....................................    08
    Knox, Allyson, Director of Education Policy and Programs, 
      Microsoft, Washington, DC..................................    10
        Prepared statement of....................................    12
    Abshire, Sheryl, R., Chief Technology Officer, Calcasieu 
      Parish Public Schools, Lake Charles, LA,...................    20
        Prepared statement of....................................    22
    Reindenberg, Joel, R., President, Stanley D. and Nikki 
      Waxberg chair and Professor of Law, Founding Academic 
      Director, Center on Law and Information Policy, Fordham Law 
      School, New York, NY.......................................    27
        Prepared statement of....................................    29

Additional Submissions:
    Dreiband, Eric, Partner, Jones Day, Washington, DC:..........
        Prepared statement of....................................    66

 
                HOW EMERGING TECHNOLOGY AFFECTS STUDENT
                                PRIVACY

                              ----------                              


                      Thursday, February 12, 2015

                       House of Representatives,

              Subcommittee on Early Childhood, Elementary,

                        and Secondary Education,

               Committee on Education and the Workforce,

                            Washington, D.C.

                              ----------                              

    The subcommittee met, pursuant to call, at 11:15 a.m., in 
Room 2175, Rayburn House Office Building, Hon. Todd Rokita 
[chairman of the subcommittee] presiding.
    Present: Representatives Rokita, Thompson, Carter, Bishop, 
Grothman, Russell, Curbelo, Fudge, Davis, Bonamici, and Clark.
    Also present: Representatives Kline, Messer, Scott, and 
Polis.
    Staff present: Lauren Aronson, Press Secretary; Janelle 
Belland, Coalitions and Members Services Coordinator; Nancy 
Locke, Chief Clerk; Daniel Murner, Deputy Press Secretary; 
Krisann Pearce, General Counsel; Jenny Prescott, Legislative 
Assistant; Mandy Schaumburg, Education Deputy Director and 
Senior Counsel; Alissa Strawcutter, Deputy Clerk; Tylease Alli, 
Minority Clerk/Intern and Fellow Coordinator; Austin Barbera, 
Minority Staff Assistant; Jacque Chevalier, Minority Senior 
Education Policy Advisor; Eamonn Collins, Minority Education 
Policy Advisor; Denise Forte, Minority Staff Director; Melissa 
Greenberg, Minority Labor Policy Associate; Christian Haines, 
Minority Education Policy Counsel; Ashlyn Holeyfield, Minority 
Education Policy Fellow; and Brian Kennedy, Minority General 
Counsel.
    Chairman Rokita. Well, good morning. And welcome to the 
first hearing of the Subcommittee on Early Childhood, 
Elementary, and Secondary Education in the 114th Congress.
    I would like to thank our witnesses for joining us today. 
We appreciate the opportunity to learn from you about how 
emerging technology in the classroom affects student privacy.
    And Ms. Fudge, before we begin, I want to take a moment to 
congratulate you on being selected by your colleagues to be the 
ranking member of this subcommittee. I anticipate that we are 
gonna hear a lot from each other, work well together. And I 
look forward to doing that with you.
    Ms. Fudge. Thank you.
    Chairman Rokita. Forty years ago, Congress enacted the 
Family Educational Rights and Privacy Act, otherwise known 
around these parts as FERPA. It was meant to safeguard 
students' educational records and ensure parents had access to 
their children's information. The law established the 
circumstances under which the record could be shared, giving 
parents the peace of mind that with few exceptions, that their 
child's academic performance and other personally-identifiable 
information would be under their kid's school's lock and key.
    As a father of two young boys, I can appreciate why parents 
may not have that same confidence today. Despite the advent of 
computers, the internet, wifi, cloud services, et cetera, the 
law has not been significantly updated since its introduction 
in 1974. As a result, student privacy--the very information 
FERPA was intended to protect--may be at risk.
    As administrators, teachers, and students continue using 
emerging technology to track everything from test results to 
bookstore purchases, parents and students are vulnerable to the 
inappropriate use of student data, often without their 
knowledge or consent. New devices, platforms, programs, and 
services have enabled educators to better understand the 
behavioral and educational needs of each student and tailor 
individual learning plans accordingly. I think that is amazing 
progress.
    They have assisted researchers in developing new solutions 
to improve class room reduction, and they have provided 
families with more educational options by facilitating distance 
and blended learning opportunities. Technology organizations 
and policymakers have taken steps to strengthen student privacy 
protections. And that is appreciated. However, these efforts 
have not addressed rules under which schools must operate as 
the guardians of student data.
    So unless Congress updates FERPA and clarifies what 
information can be collected, how that information can be used, 
and if that information can even be shared, student privacy 
will not be properly protected. We welcome your thoughts on how 
this committee can update FERPA for the 21st Century, improve 
parental involvement, and hold bad actors accountable.
    Modernizing student privacy protections without undermining 
opportunities to improve student achievement is no small task, 
as everyone here understands. But we owe it to our students and 
parents to work together to find that proper balance. So I look 
forward to hearing from you and from my colleagues on this 
important issue.
    And with that, I welcome and recognize our subcommittee's 
ranking member, again, my colleague, Congresswoman Fudge, for 
her opening remarks.
    [The statement of Chairman Rokita follows:]

Prepared Statement of Hon. Todd Rokita, Chairman, Subcommittee on Early 
             Childhood, Elementary, and Secondary Education

    Good morning, and welcome to the first hearing of the Subcommittee 
on Early Childhood, Elementary, and Secondary Education in the 114th 
Congress. I'd like to thank our witnesses for joining us today. We 
appreciate the opportunity to learn from you about how emerging 
technology in the classroom affects student privacy.
    Ms. Fudge, before we begin, I want to take a moment to congratulate 
you on being selected by your colleagues to serve as ranking member of 
this subcommittee. I anticipate we will have many robust conversations 
on key issues, and I am looking forward to working together on policies 
that will help our children succeed in school and in life.
    Forty years ago, Congress enacted the Family Educational Rights and 
Privacy Act, or FERPA, to safeguard students' educational records and 
ensure parents had access to their children's information. The law 
established the circumstances under which the records could be shared, 
giving parents the peace of mind that, with few exceptions, their 
child's academic performance and other personally identifiable 
information would be under the school's lock and key.
    As a father of two young boys, I can appreciate why parents may not 
have that same confidence today. Despite the advent of computers, the 
Internet, Wi-Fi, and cloud services, the law has not been significantly 
updated since its introduction in 1974. As a result, student privacy, 
the very information FERPA was intended to protect, may be at risk.
    As administrators, teachers, and students use emerging technology 
to track everything from test results to bookstore purchases, parents 
and students are vulnerable to the inappropriate use of student data - 
often without their knowledge or consent.
    New devices, platforms, programs, and services have enabled 
educators to better understand the behavioral and educational needs of 
each student and tailor individual learning plans accordingly. They 
have assisted researchers in developing new solutions to improve 
classroom instruction. And they have provided families with more 
educational options by facilitating distance and blended learning 
opportunities.
    Technology organizations and policymakers have taken steps to 
strengthen student privacy protections. However, these efforts have not 
addressed rules under which schools must operate as the guardians of 
student data. Unless Congress updates FERPA and clarifies what 
information can be collected, how that information can be used, and if 
that information can be shared, student privacy will not be properly 
protected.
    We welcome your thoughts on how this committee can update FERPA for 
the 21st century, improve parental involvement, and hold bad actors 
accountable. Modernizing student privacy protections without 
undermining opportunities to improve student achievement is no small 
task, but we owe it to students and parents to work together to find 
the proper balance. I look forward to hearing from you and from my 
colleagues on this important issue.
    With that, I will now recognize the ranking member, Congresswoman 
Fudge, for her opening remarks.
                                 ______
                                 
    Ms. Fudge. Thank you very much, Mr. Chairman. And I thank 
all of you for being here today. Look forward to hearing your 
testimony.
    I certainly want to recognize the ranking member of the 
full committee who has joined us, Representative Scott, from 
Virginia.
    And I want to say to the chairman, indeed I do hope that we 
can have some very productive meetings and discussions. This is 
a very timely topic. I thank you for calling this hearing.
    I do though find it unfortunate that it is our first 
hearing after we had a 10-hour mark up yesterday on ESEA. And 
with that, to you, more than ever before, technology does play 
an essential role in educating our nation's children, enhancing 
learning and empowering educators with more and better 
information to meet the individual needs of their students.
    Gone are the days when education was supported by 
flashcards and workbooks. Today's students use electronic 
tablets and smartphone apps, online study tools, and various 
other technological resources to aid them in their studies. 
Teachers have the ability to extend learning beyond the 
classroom using online learning platforms to share multimedia 
resources and engage parents in their children's learning.
    New educational technology generates information that can 
be instrumental in improving a student's learning experience. 
The data from these tools allow teachers to more accurately 
assess student progress and provide interventions to ensure 
children are learning.
    Data can also assist schools in making district strategy 
and curriculum decisions. Many states now use longitudinal data 
systems to link student achievement data from pre-K through 
grade 12, or even through entrance into the workforce, enabling 
district and state leaders to make informed, data-driven policy 
decisions.
    While the use of technology in education continues to 
expand, we must take the necessary steps to protect the privacy 
and the data of students and their families. The Family 
Educational Rights and Privacy Act was enacted 40 years ago to 
address concerns about privacy in a time of paper student 
records. Innovative new educational technology tools capture 
large amounts of student data. And many districts now contract 
with private vendors to use online, cloud-based storage for 
students. I see some of those very vendors here today.
    Congress must ensure student data is being used only for 
defined educational purposes and cannot be sold or used for 
private companies' financial gain. Parents should know who has 
access to student data and how it is being used and protected. 
And teachers and school leaders need to understand how to 
properly protect student information while taking advantage of 
the powerful digital learning tools at their disposal.
    As we examine FERPA, we need to balance privacy and 
innovation. Students, teachers, and parents need to feel 
comfortable that student data is protected. At the same time, 
we need to be careful not to limit the advancement of new 
educational technologies, restrain educators' ability to 
accurately assess student learning, or stifle research and 
development of effective instruction tools.
    I look forward to hearing from our witnesses. Mr. Chairman, 
I yield back.

      Prepared Statement of Hon. Marcia L. Fudge, Ranking Member, 
  Subcommittee on Early Childhood, Elementary, and Secondary Education

    More than ever before, technology plays an essential role in 
educating our nation's children, enhancing learning and empowering 
educators with better information to meet the individual needs of their 
students.
    Gone are the days when education was supported by flashcards and 
workbooks. Today's students use electronic tablets and smartphone apps, 
online study tools, and various other technological resources to aid 
them in their studies. Teachers have the ability to extend learning 
beyond the classroom, using online learning platforms to share 
multimedia resources and engage parents in their children's learning.
    New educational technology generates information that can be 
instrumental in improving a student's learning experience. The data 
from these tools allow teachers to more accurately assess student 
progress and provide interventions to ensure children are learning.
    Data can also assist schools in making district strategy and 
curriculum decisions. Many states now use longitudinal data systems to 
link student achievement data from pre-k through grade 12, or even 
through entrance into the workforce, enabling district and state 
leaders to make informed, data-driven policy decisions.
    While the use of technology in education continues to expand, we 
must take the necessary steps to protect the privacy and the data of 
students and their families.
    The Family Educational Rights and Privacy Act (FERPA) was enacted 
40 years ago to address concerns about privacy in a time of paper 
student records. Innovative new educational technology tools capture 
large amounts of student data and many districts now contract with 
private vendors to use online cloud-based storage for student data.
    Congress must ensure student data, is being used only for defined 
educational purposes, and cannot be sold or used for private companies' 
financial gain. Parents should know who has access to student data and 
how it is being used and protected. And teachers and school leaders 
need to understand how to properly protect student information while 
taking advantage of the powerful digital learning tools at their 
disposal.
    As we examine FEPRA, we need to balance privacy and innovation. 
Students, teachers, and parents need to feel confident that student 
data is protected. At the same time, we need to be careful not to limit 
the advancement of new educational technologies, restrain educators' 
ability to accurately access student learning, or stifle research and 
development of effective instructional tools.
    I look forward to hearing from our witnesses. Thank you.
                                 ______
                                 
    Chairman Rokita. Thank the gentlelady. Pursuant to 
Committee Rule 7(c), all members will be permitted to submit 
written statements to be included in the permanent hearing 
record. And without objection, the hearing record will remain 
open for 14 days to allow such statements and other extraneous 
material referenced during the hearing to be submitted for the 
official hearing record.
    It is now my pleasure to introduce our distinguished 
witnesses for today. First we have Shannon Sevier. All right. 
Not off to a good start. Sevier. Shannon Sevier--thank you--has 
been a PTA member for 14 years. As vice president for advocacy, 
she needs advocacy efforts for the national PTA positions at 
federal, state, and local levels. Welcome.
    Next, we have Allyson Knox, who is the director of 
education policy and programs at Microsoft. In her 10 years at 
Microsoft, she has focused on stem, computer science, education 
and technology, and student privacy issues. Welcome to you, as 
well.
    Next, we have Sheryl Abshire, who is the chief technology 
officer for the Calcasieu Parish Public Schools in Lake 
Charles, Louisiana. For over 40 years, Dr. Abshire has worked 
as a chief technology officer, school principal, K through 5 
teacher, a library media specialist, classroom teacher, and 
university professor. She was the first teacher inducted into 
the National Teacher's Hall of Fame. Thank you for being here.
    Next, we have Joel Reidenberg. He is the Stanely D. and 
Nikki Waxberg Chair in law and professor of law at Fordham 
University, where he directs the center on law and information 
policy. Reidenberg publishes regularly on both information 
privacy and on information technology law and policy. Mr. 
Reidenberg, welcome back. I understand this is at least your 
third time testifying.
    Mr. Reidenberg. Thank you.
    Chairman Rokita. I will now, in conformance with our rules, 
ask our witnesses to stand and raise your right hand.
    [Witnesses sworn.]
    Let the record reflect that the witnesses answered in the 
affirmative.
    And before I recognize each of you to provide your 
testimony, let me briefly explain our lighting system. You will 
each have 5 minutes to present your testimony. During the first 
4 minutes of that, the light will be green. The last minute it 
will be yellow. And then if it turns red, I will be forced to 
use the gavel, which we have never had to do. At all. Ever. So 
I am sure it won't happen today.
    So with that being said and understood, Ms. Sevier, you are 
recognized for 5 minutes.

 TESTIMONY OF MS. SHANNON SEVIER, VICE PRESIDENT FOR ADVOCACY, 
    NATIONAL PARENT TEACHER ASSOCIATION, SAN ANTONIO, TEXAS

    Ms. Sevier. National PTA thanks Chairman Rokita and Ranking 
Member Fudge for the opportunity to submit testimony to the 
Committee on Education and the Workforce. On behalf of the 
National Parent Teacher Association, I express my appreciation 
for holding a hearing to discuss emerging technology and 
student data privacy.
    My name is Shannon Sevier, vice president of advocacy for 
the National PTA, past European PTA president, and proud mother 
to Ryley, MacKenzie, Meraleigh, Ryan, and Hanna.
    Founded in 1897, PTA is the oldest and largest volunteer 
child advocacy association in the United States. For more than 
118 years, we have worked side by side with policymakers at 
every level to improve the lives of our nation's children. With 
more than 4 million members and 22,000 local units in every 
U.S. state, D.C., Puerto Rico, the Virgin Islands, and Europe, 
PTA continues to be a powerful voice by advocating for federal 
policies to improve educational equity and opportunity for all 
children.
    With access to so many families, PTA also recognizes our 
responsibility to our membership to approach changes in 
education policy through engagement and outreach and to 
recognize that true advocacy is achieved through stakeholder 
consensus and collaboration. National PTA has long been a vocal 
advocate of keeping kids safe; safe at school, safe at home, 
and same online.
    The National PTA's position statement on technology safety 
clearly states National PTA opposes the practice of collecting, 
compiling, selling, or using children's personal information 
without giving parents notification or choice with respect to 
whether and how their children's personal information is 
collected and used.
    The National PTA takes student data privacy seriously and 
believes we should strive to guarantee the effective use of 
students' information, while keeping that information 
protected. While student data management has changed, parents' 
and students' expectation of privacy has not. And as such, 
National PTA has made safeguarding student data a key pillar of 
our overall policy agenda.
    The Administration has also called attention to this issue, 
announcing its support of what it calls the Student Digital 
Privacy Act, which would build upon the basic language of 
record management release and review offered by the Family 
Educational Rights and Privacy Act, or FERPA. This law was 
written in 1974 with the intent to protect the privacy of 
student educational records and includes a parental consent 
provision.
    Over the past 40 years, however, the concept of privacy has 
evolved from the right of direct control to an individual's 
right to control the information they have entrusted to others. 
This wrinkle in control requires subsequent change to student 
data privacy policy.
    Entities collecting educational data should seek to provide 
value back to the people on whom data are being collected. Our 
children's data, our children's privacy, should not be treated 
as a product or commodity. Until now, the collection and use of 
student data could not be feasibly used to target advertising 
or mass profiles by third party vendors. The use of student 
data for other than educational purposes was not contemplated 
on a large commercial scale. FERPA provisions must be updated 
to address the privacy concerns presented through such use.
    In addition, we are seeing this data collected and stored 
in a different fashion heretofore not addressed by FERPA. State 
by state, we see the construction of longitudinal data systems 
that hold hundreds or even thousands of pieces of data related 
to individual students. Typically, demographic, enrollment, 
curriculum choice, test performance, and grade information. The 
extent to which this information constitutes a student's legal 
educational record is unclear, as are the policies for 
protecting student data through cloud-based computing.
    Current policy also begs the questions, who owns the data 
and who is responsible for the management of the data? Has the 
data been selected ethically with full consent and 
notification? And what constitutes sufficient notice in the 
case of breaches or unauthorized releases of data?
    Parents, as their child's first educator, play a unique 
role in education reform. Whether big or small, reform will be 
unsustainable without the buy-in of these key stakeholders.
    National PTA remains committed to engaging parents, to 
guaranteeing students have safe and secure access to technology 
in the classroom, and committed to supporting policies that 
ensure responsible management of student records, digital or 
otherwise.
    National PTA commends the committee for holding this 
hearing and highlighted the need for sound federal policy that 
balances the promise of educational technologies with student 
data, privacy, and security.
    Thank you.
    [The testS NOT AVAILABLE IN TIFF FORMAT] 
    
    Rokita. Thank you for your testimony.
    Ms. Knox, you are recognized for 5 minutes.

TESTOMONY OF MS. ALLYSON KNOX, DIRECTOR OF EDUCATION POLICY AND 
             PROGRAMS, MICROSOFT, WASHINGTON, D.C.

    Ms. Knox. Thank you, Chairman Rokita, Ranking Member Fudge, 
and members of the subcommittee for inviting me to testify 
today. My name is Allyson Knox. For 10 years I worked in the 
fields of education, workforce development, and economic 
development at the local, regional, and state levels in 
Michigan. I have worked at Microsoft for 10 years, and 
currently serve as the director of education policy. I am 
pleased to be here today to discuss this important issue of 
student privacy.
    Microsoft believes students must be protected. Student data 
belongs to students and their parents. And students are not 
commodities to be monetized through advertising. Over the past 
year, revelations of government surveillance, highly-publicized 
data breaches, and other stories of personal data being used 
inappropriately have dominated the media. Microsoft, a provider 
of education technology, continues to balance education 
objectives, as well as privacy and safety expectations.
    For many years, schools have been increasing the use of 
technology in the classroom because it transforms education. It 
enables personalized instruction, and it helps students learn. 
Schools that use cloud-based services rather than maintaining 
and updating their own on-site servers, they save money and can 
access the latest technology. Cloud computing allows teachers 
and students to access their documents and communications, such 
as email, anywhere from almost any device, enabling learning 
any time and anywhere.
    We have seen great changes on the technology side. But the 
primary federal law focused on protecting student privacy, the 
Family Educational Rights and Privacy Act, or FERPA passed in 
1974 has not kept pace with these changes.
    Think back to a classroom in 1974. I think we can all 
remember student data being collected and stored in an old-
fashioned way on paper forms sent home with kids and stored in 
school filing cabinets.
    The world of information storage and sharing has certainly 
changed. In almost all schools, information about a student is 
stored digitally, and it can be accessed through the school's 
internet or the open internet. The data is portable and often 
not deleted when the student graduates from high school.
    There are obvious difficulties with the law that is 4 
decades old. And there are three areas to consider. First, it 
is questionable whether FERPA covers email stored in a cloud. 
As a result, some interpretations are that FERPA applies to 
cloud-based email for faculty, but not for students, and that 
FERPA doesn't apply to most third-party online courses. FERPA 
would benefit from an update to reflect these new types of 
technologies.
    Second, FERPA was written to apply only to educational 
institutions. It should be updated to prohibit third parties 
from using data for targeted advertising or for building 
profiles to advertise to students after they leave school.
    And third, FERPA's primary sanction is the denial of 
federal funds to school. This all-or-nothing enforcement 
penalty is so draconian that it has never been used. As a 
result, FERPA provides no real incentive for technology 
providers to improve data privacy practices. The time has come 
to do the difficult work of revising this law to bring it to 
the 21st Century.
    And in the absence of federal action to update FERPA, 
states have taken this issue into their own hands. This year, 
already over 100 student privacy bills have been introduced in 
32 states. It is becoming more and more difficult to interpret 
and comply with the patchwork of federal and state laws on this 
issue, even for a company of our size.
    Microsoft and other technology companies have also moved 
forward on their own to set a higher standard for protecting 
student data. Last October, Microsoft was one of the 14 
original signatories of a detailed and voluntary industry 
pledge, led by Representatives Messer and Polis, about how to 
protect student privacy. Today, the pledge has over 100 
signatories.
    Under the student privacy pledge, school service providers 
promised to not sell student information, not target advertise 
to students, use data for authorized education purposes only; 
and there are 5 other points, but I am running out of time. The 
pledge has been influential and beneficial, but Microsoft 
believes that signing it is only part of what must be done to 
help inform schools and parents on how to protect student data. 
It is for this reason that Microsoft has worked closely with 
key lawmakers and national education associations to help 
inform and educate stakeholders about the student privacy 
issue.
    Again, I thank you for this opportunity to come before you 
today to discuss these important issues, and I look forward to 
answering any questions.
    [The testimony of Ms. Knox follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Chairman Rokita. Thank you for your testimony.
    Dr. Abshire, you are recognized for 5 minutes.

 TESTIMONY OF DR. SHERYL R. ABSHIRE, CHIEF TECHNOLOGY OFFICER, 
    CALCASIEU PARISH PUBLIC SCHOOLS, LAKE CHARLES, LOUISIANA

    Ms. Abshire. Yes, sir. Thank you, Chairman Rokita, Ranking 
Member Fudge, and members of the subcommittee for inviting me 
to testify about technology's impact on student privacy and 
confidentiality.
    For over 40 years, I have served the Louisiana Public 
Schools as a teacher, school librarian, principal, and 
technology leader. I now serve as the chief technology officer 
of the Calcasieu Parish schools in Lake Charles, Louisiana. And 
I am also a member of the Consortium for School Networking, 
CoSN, the national professional organization for school tech 
leaders.
    I appreciate this opportunity to discuss how our district 
uses technology to support teaching and learning and to share 
our strategy for balancing effective technology and data use 
with strong student data privacy protections.
    Technology and data use plays a central role in our 
district's strategy for supporting teaching and learning, as 
well as in improving the system's planning, evaluation, and 
continual improvement. Equipped with the right technology, 
high-quality professional development, and appropriate data, 
our teachers tailor individualized instruction, engage 
students, and deliver rich digital resources. Our district also 
equips parent and guardians with the data they need to monitor, 
understand, and support their children's educational progress.
    Using technology to provide the right people with the right 
data at the right time is critical to effective decision making 
at the classroom, school district, and state levels. We believe 
robust data sharing, however, must be complemented by well-
designed strategies and practices to protect student privacy 
and ensure confidentiality.
    Our district has taken an aggressive and comprehensive 
approach to assuring student privacy. We have created extensive 
data-sharing training materials, and all employees in the 
district have participated in training sessions. Upon 
completion of this required training every year, each district 
employee signs a statement of assurances. This process is based 
on CoSN's protecting privacy in a connected learning toolkit 
that we produced in partnership with the Harvard Law School. 
And the best part, it is free to all school districts.
    The Calcasieu Parish Public Schools strongly emphasize both 
appropriate technology and secure and safe data use, including 
using this data to develop a greater understanding of student 
needs, and then tailoring instruction delivery of resources to 
help them succeed. Over the past 3 years, our district has 
developed a leading edge data warehouse and data dashboard to 
provide our teachers and school leaders with timely, targeted 
information; the information they need to support improving 
learning.
    Based on my experience in the Calcasieu Parish Schools, I 
urge Congress to proceed very cautiously with new federal 
privacy requirements. We want to ensure that any contemplated 
legislation doesn't impede this type of powerful instructional 
data use.
    We also work with all of our vendor partners that use any 
student data as part of learning or assessment. We require them 
to certify their compliance with our data usage policy. And our 
state law reasonably addresses data sharing with vendors and 
requires them to sign contracts specifying the limited purposes 
for which the student information can be used.
    Our district believes that our teachers and school leaders 
and parents must be equipped with the right technology and the 
knowledge about how to use the student data and protect--to use 
it with fidelity to implement best practices. We provide this 
regularly-targeted professional development designed to equip 
our educators and school leaders with this knowledge they need 
to use to, most importantly, improve student outcomes, and 
including training them with privacy and security practices.
    However, additional federal investments in technology and 
student-focused privacy professional development, including the 
Enhancing Education Through Technology program is urgently 
needed. I would encourage Congress to support the President's 
fiscal year 2016 request. Unfortunately, for school districts, 
this program hasn't been funded since 2011.
    Our district also prioritizes communicating with 
stakeholders to convey the value of this data in teaching, 
learning, and decision making. All of this information is made 
readily available to parents and the entire community on our 
district web page. Transparency builds trust with our 
communities. And that is why I hope Congress will consider 
strategies that encourage districts to promote data use 
transparency, including describing the who, what, where, and 
when of their technology practices.
    Protecting student data is not a one-time event. Educators' 
data needs are evolving. Security threats are constantly 
changing, and professional development need are ongoing. I hope 
Congress would encourage districts to implement security 
practices that meet the mature technical, physical, and 
administrative standards.
    While federal state and privacy policy is critically 
important, there is no doubt in my mind that school districts 
and schools must lead these efforts to protect student data 
privacy. And any effort by Congress to update laws to protect 
students, FERPA and COPPA, should support, not burden school 
district and state data use to improve instruction and decision 
making.
    Appropriate data sharing must be served to strengthen the 
potential of technology to transform and improve education. I 
urge Congress, please do not overreach as you address this 
important issue. But instead, take a thoughtful, balanced 
approach focused on supporting schools and district leaders.
    I thank the members of the Committee for this opportunity 
to share a realistic view of the issue from the perspective of 
a school district that is engaged in this work. And I am happy 
to answer any questions.
    [The testimony of Dr. Abshire follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Chairman Rokita. Thank you, Dr. Abshire. Appreciate it.
    Mr. Reidenberg, you are recognized for 5 minutes.

   TESTIMONY OF MR. JOEL R. REIDENBERG, STANLEY D. AND NIKKI 
WAXBERG CHAIR AND PROFESSOR OF LAW, FOUNDING ACADEMIC DIRECTOR, 
 CENTER ON LAW AND INFORMATION POLICY, FORDHAM LAW SCHOOL, NEW 
                         YORK, NEW YORK

    Mr. Reidenberg. Thank you, Mr. Chairman. And good morning. 
Good morning, Ranking Member, and distinguished remembers of 
the committee. I very much appreciate the opportunity to 
testify today.
    I studied and written on privacy technology for over 25 
years. And I focused the last 5 or 6 years on student privacy 
issues, including several national studies that have been 
presented previously to this subcommittee. On a personal level, 
I served on a school board for 5 years. So it is an issue that 
is actually quite close to my heart.
    I am testifying today though on my own behalf, I am not 
representing any organization with which I am affiliated. I 
have submitted a longer witness statement, but I am just gonna 
summarize that during the 5 minutes.
    Educational technologies and the use of data today is 
transforming American education. We see tremendous 
opportunities to improve education. And at the same time, we 
see the scope of data collection has now become massive. And 
our privacy laws simply aren't working to protect children's 
privacy when that information is coming from schools.
    We have three statutes in our federal privacy law; FERPA, 
the Protection of Pupil Rights Amendment from the 1970s, and 
COPPA. The Pupil Rights Amendment Act and COPPA are really 
addressing very narrow issues. One focuses on surveys in 
schools. The other focuses on directly collecting data from 
children.
    So the main privacy legislation that addresses student 
information is FERPA. And FERPA desperately needs to be updated 
for the 21st Century. We have heard--you know, 40 years ago 
when it was enacted, data was kept--the records were kept in 
file cabinets. It worked then, but schools had no computers and 
the internet wasn't anyone's dream in the school systems in 
those days.
    There are really three areas that I think we need to 
address in modernizing FERPA. The first is that the coverage of 
FERPA is outdated. FERPA governs educational records. Well, 
today, student and educational records are narrowly defined. 
Today, the kind of information will range from grades to 
metadata about reading habits. Much of the data that comes from 
learning tools is outside the scope of FERPA.
    FERPA is a financing statute. It applies to institutions 
receiving federal funds, and only those institutions. That 
means the vendor community--those supplying many of these 
services--have no direct statutory obligations. Schools have 
them. But schools are often in a very difficult position to be 
able to work--deal with--contract with the vendors.
    We have so many schools across the country that don't have 
legal council, don't have sufficient technology expertise to 
even know what they are looking at when they see a vendor 
agreement.
    The privacy pledge that we heard about this morning is a 
tremendous initiative, but it is not a substitute for strong 
legal protections. And then FERPA misses very important 
elements. FERPA saying nothing about data security, saying 
nothing about breach notification, has nothing on the 
transparency of how vendors might be using and sharing 
information. So these are elements the coverage of FERPA just 
doesn't match what is going on today.
    The approach--the secondary, the approach of FERPA itself, 
is outdated. FERPA's focus was on confidentiality and parental 
access. Today, the critical issues are about permissible 
educational uses of student data. What is the use; right? We 
have other statutes, like the Fair Credit Reporting Act, is a 
permissible purpose statute. That works in the modern world. 
FERPA doesn't. FERPA needs to look toward that model, identify 
what are truly educational uses. Those are fine. Everything 
else is prohibited wthout parental consent.
    Data mining, homework assignments, teacher interactions, 
all of these things today, are they appropriate uses for the 
students' data? As a parent, a former board member, I don't 
think our children should be required to subsidize private 
commercial gain to get an education through their information 
being monitored and used.
    Lastly, the third area is enforcement and remedies. FERPA 
is essentially unenforceable. The one existing remedy is a 
nuclear option. It has never been used by the department of 
education. It is total withdrawal of federal funds.
    The victims have no redress. If you or your family's 
information is compromised, there is no redress under FERPA. 
FERPA needs to have graduated sanctions, fines, various 
abilities to enforce through the Department of Education. I 
think the State's attorney general ought to have enforcement 
authority. We see that again in the consumer credit reporting 
area. And I think it would be very important to have private 
enforcement options so that families have redress.
    It would be helpful for Congress, I think, to encourage the 
States to have chief privacy officers in their state 
departments of education to assist the local schools. Because 
it is very difficult for local school to understand how to 
navigate this territory.
    So my conclusion is that Congress can no longer wait. If we 
want the innovation that educational technologies and data uses 
offer us, if we want that to be accepted by schools and 
parents, Congress has to update FERPA so that it matches what 
will be happening in the school communities. Otherwise, parents 
will not have trust, and there will be a constant struggle 
between the communities and the schools and the educators and 
national education policy.
    Thank you.
    [The testimony of Mr. Reidenberg follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Chairman Rokita. Thank you for your testimony.
    The way this usually works is the subcommittee chairman 
usually asks out with asking his questions. But I find out that 
my life goes smoother when I defer to the full committee 
chairman when he is in the room.
    Sir, thank you for your leadership. You are recognized for 
5 minutes.
    Mr. Kline. Yes, that won't work. Okay. Thank you, Mr. 
Chairman. This is a good hearing. Thanks for yielding to me to 
ask a question. I really want to thank the witnesses. You are 
an excellent panel. Years of expertise.
    When we look at data and data privacy in the large, we as 
Americans ought to be concerned. We have seen spectacular 
reaches, big retail firms where all of their customers' 
information was made available to whoever was doing the 
hacking. Because these cyber attacks are not just a matter of 
rhetoric, they are a matter of fact. And so whenever you have 
data that is compiled, today, we have to be somewhat concerned 
that data will be made available. So as we look at this, we 
need to keep that in mind.
    And I am also concerned that when we are dealing with 
technology--we, the Congress--we, the government. But we, the 
Congress, particularly--there is a great danger that we will be 
trundling along here years behind. In the House we move slowly. 
In the Senate they hardly move at all. And so it is a little 
troubling that we could be developing policy that by the time 
it is enacted is already outdated.
    So I could probably start anywhere, but I am going to go to 
Ms. Knox to--I would like for you to get at the issue of the 
amount of technology that there is in the classrooms. It is not 
a simple question of the paper file drawer now being on a flash 
drive somewhere. There is all kinds of stuff. We have got 
hardware, software, apps, tablets, kids with cell--we have all 
kinds of things going on there.
    So can you help us understand some common principles or 
ideas that we should be looking at when we are trying to update 
FERPA that will not get in the way of supporting technology in 
the classroom, but which can provide some privacy and something 
that won't be outdated tomorrow or in a week or something like 
that? Just give it your best shot.
    Ms. Knox. Sure, sure. I think starting with a commitment to 
trust is important. I know that at our company, we have 
principles and policies in place about establishing trust with 
customers. So starting with a commitment is always important. 
And then, you know, knowing what it is you believe. For 
example, in our company, we believe that people own their own 
data; right? So the student and the parent--the student's data 
belongs to them. So being clear on those pieces sort of guide, 
then, action and belief.
    So then how does that translate? At least, again, where I 
work, that translates into making sure that privacy is in the 
design of any product that we put on the product. So if we 
design a product, there is always a privacy expert with the 
product developer. That means you are baking it in to who it is 
and what it is you are going.
    And then, you know, wherever we go, we try to be extremely 
transparent about the data. So I know that the question has to 
do with schools and there are all these different devices and 
how do you make sure that data stays secure. The cloud, you 
know, unites them, right, brings them all together. And it is a 
service of--in a remote data center, basically--and educating 
and becoming clear and being very transparent. Whoever that 
third-party provider is needs to articulate in the clearest 
terms how that data flows in and out, who has--if anyone have 
access.
    And we have an entire center called the trust center. We 
have a trustworthy computing initiative. This morning I 
actually watched a couple of videos of some software engineers 
who took me on a virtual tour of our data centers. And I could 
see physical, you know, protections. I could see software 
protections. I could see a blue team and a red team identifying 
good and bad use. I mean, being transparent helps inform, but 
it also decreases fear. Because we believe data is critical in 
the age of 21st Century education, just like everybody else 
does.
    And then two other points is, you know, in general, always 
committing, putting something in place where improvement 
continues. So whatever the law ends up doing--you know, 
whatever direction it goes in, there should be a piece in there 
that says we will constantly improve our practices based on the 
times and the opportunities that come available.
    We do that at the company, as well. So that is, again, part 
of the way that we approach our work, the way that we, you 
know, commit to it, believe in it, act on it, create products. 
And I think that can be translated into the way that society 
sort of behaves when designing laws for students and their 
privacy.
    Mr. Kline. Thank you. I see my time is expired, Mr. 
Chairman. Thank you.
    Chairman Rokita. Gentleman's time is expired. And I see 
that this subcommittee's ranking member believes in a similar 
philosophy as I do. So Ranking Member Scott, you are recognized 
for 5 minutes.
    Mr. Scott. Nice try. Thank you. And I want to thank all of 
our panelists. They have provided really good information. Let 
me just ask some general questions.
    When you talk about personal data, is there anything in the 
discussion that will hurt us in trying to find growth models or 
trends, demographic trends, that in general we could use for 
educational purposes? Is there anything that--nonpersonal 
information, non-personally-identifiable information, is that 
at risk if--in any of our discussion? In other words, boys do 
better than girls in some areas, some pedagogy works better 
with some groups other than others. Are we gonna lose our 
ability to evaluate along those lines?
    Mr. Reidenberg. Yes, can I respond, Congressman? I don't 
think so. Because if the focus of FERPA is looking at using 
data appropriately for educational uses, that is going to be a 
very important educational use to understand how individual 
children learn, how cohorts of children learn, and how to 
deliver the most effective educational programs for them.
    Mr. Scott. I just wanted to make sure that is not at risk.
    Mr. Reidenberg, you indicated the problem with sanctions. 
We have got a problem with classified information. If a 
reporter gets classified information illegally, meaning 
somebody illegally has classified information, gives it to a 
reporter, there is apparently no prohibition against the 
reporter just sticking it in the newspaper.
    What about republication of data and other kinds of 
breaches? You alluded to the fact that we need the graduated 
sanctions so there will be some sanction. If there is a breach, 
would there be any prohibition against the rebroadcast or 
republication of the data? Is that part of FERPA?
    Mr. Reidenberg. You are talking about, say--take an 
example. Nashville, Tennessee a number of years ago had all of 
the information on all of the cities' students and their 
families openly available on the internet. A case like that, if 
you are talking about a newspaper publishing information from 
it, well, the First Amendment rights would address what the 
scope of the newspaper's authority to do that.
    But if you are talking about a third-party organization 
taking all that data and then using it for various commercial 
purposes, I think that would be wrong and should be 
interdicted.
    Mr. Scott. One of the questions is what is an educational 
record. Is homework, grades on quizes, exams, final grades, 
disciplinary records, financial records, are all those 
educational data that needs to be protected? Computer use, if 
you are using the library computer?
    Mr. Reidenberg. Those I do not believe are currently 
covered by the definition in FERPA. The Supreme Court has 
interpreted the educational record specification quite 
narrowly. So homework assignments, for example, would generally 
not be. A family's financial status; so if the child is on a 
reduced lunch program, for example, that is not going to be 
considered necessarily part of the educational record. How a 
child uses an app in school, the metadata generated from that 
app will be outside the scope of protection from FERPA.
    And I think it should be. I think when you are dealing with 
data that is gathered about, by, or for kids in school, we 
should be treating that as custodians of our children's 
privacy, and we should be very careful with how that 
information gets used.
    Mr. Scott. So stuff like that is not now covered, but 
should be covered?
    Mr. Reidenberg. I believe that is correct.
    Mr. Scott. And part of the discussion is how long should 
the information be held? Somebody has graduated from high 
school, should the high school still have their stuff on some 
computer that somebody can get to?
    Mr. Reidenberg. I think it is going to depend on what the 
purpose is for the high school archiving it. Should the high 
school, for example, or the high school's vendor be storing the 
seventh grade home work assignment that Johnny or Sally wrote 
when they are 35 years old? I think the answer to that is 
probably no.
    Mr. Scott. Let me ask you just another quick question. How 
do the marketers get this information? I mean, I think we would 
all agree you shouldn't be marketing people. How do they get 
the information to begin with?
    Mr. Reidenberg. If you ask me the question in a couple of 
months, I should be able to give you a specific answer. We are 
in the midst of doing a study right now in my research center 
that is trying to understand the circulation of the student 
information in the commercial student marketplace. And I don't 
have an answer for you at this point.
    Ms. Knox. So your question is how does student data end up 
in the hands of marketing people. If the students are using 
certain cloud infrastructures and it is held by a third party 
and that third party's contract terms aren't clear, it is 
possible for them to trend through the data that flows. So 
emails, forms that the school district is completing. I am sure 
Dr. Abshire may have some specific examples of maybe 
situations.
    But when it is flowing through the data center, it is 
possible to, you know, take a peek at it and find trends and 
put it kind of on the market to other businesses who want to 
advertise to those students. And then certain targeted ads then 
would flow back to the students. And when again they are 
emailing, low and behold, what they were talking about maybe in 
an email 6 months ago, there is an advertisement for it.
    So this idea of trust and understanding where the data is 
flowing and committing to not using data for noneducational 
purposes becomes critically important in this information.
    Chairman Rokita. Thank you very much. The gentleman's time 
is expired.
    I now recognize myself for 5 minutes. And in the first 20 
seconds give Dr. Abshire a chance to respond to that last 
question, if she would like.
    Ms. Abshire. I guess I would just comment that the comment 
around trust I think is critically important. Also, the comment 
I would make is about how we at the district level should 
anonymize data. If you think about all that we collect about 
children--there was some earlier comment about large-scale 
demographic data. That data coming out of a school district 
usually is and should be anonymized so that it is reported in a 
way that it is not PII, it is not personally identifiable 
information. It indicates trends. It allows researchers and 
states to look at those trends and make solid educational 
decisions.
    The other piece is the use of role-based data. In other 
words, depending what your role is in the school district or an 
organization, that limits your access to certain pieces of 
information. We have been very successful with that, and we are 
working on that in the--
    Chairman Rokita. And does that work in a cloud situation?
    Ms. Abshire. Absolutely.
    Chairman Rokita. Okay.
    Ms. Abshire. The pending and the agreements that are in 
place with our providers allow for that data to be--
    Chairman Rokita. And who writes your agreements? Who writes 
your agreements? You have outside counsel?
    Ms. Abshire. We work on that with counsel in the district 
and with our state department. Yes, sir.
    Chairman Rokita. Okay. Thank you. Very interested in all 
your testimony. So many questions, so little time.
    I am going to start with Ms. Knox. You rightly praised the 
pledge that you signed. And now we have 100 other signatories 
to it. Good stuff. Where is the enforcement mechanism in the 
pledge?
    Ms. Knox. I know--
    Chairman Rokita. Assuming it was codified.
    Ms. Knox. Right. Oh, assuming--well, the existing penalty 
would be, you know, misleading. And if you actually do 
different activities than you said you would do in the pledge, 
then the FTC can fine you.
    Chairman Rokita. Okay. And then you also mentioned that 
FERPA, you mentioned correctly, does not include third parties.
    Ms. Knox. Right.
    Chairman Rokita. Should it?
    Ms. Knox. Yes.
    Chairman Rokita. Thank you. Mr. Reidenberg, same question. 
You mentioned the same thing.
    Mr. Reidenberg. Yes. I Think FERPA should absolutely apply 
to all participants in this space, which would include the 
third-party vendors. I--
    Chairman Rokita. Can you give some more specificity of what 
that would look like in an updated FERPA--
    Mr. Reidenberg. Sure.
    Chairman Rokita.--environment?
    Mr. Reidenberg. What FERPA should--what I think FERPA 
should be doing is specifying the kinds of uses that are 
permitted for student information. And uses that don't fall 
within that category would require consent. And that 
requirement of only using for admissible purposes would apply 
whether it is the school, whether it is a data analytics firm, 
whether it is some other cloud service provider offering 
services to the school.
    Chairman Rokita. So as long as there is some contractual 
relationship between the government jurisdiction or school 
element and the service provider, that would extend FERPA?
    Mr. Reidenberg. It would--there would always be that 
contractual arrangement where the school is using third-party 
services.
    Chairman Rokita. Right. Ms. Knox, you wanted to add 
something?
    Ms. Knox. Just really quickly, one of the things I really 
liked about Dr. Abshire's written and what you mentioned in 
your oral is she talked about not overburdening schools with 
more regulation. And I can't agree more. And I think that was 
part of the brilliance of the Student Privacy Pledge. And I 
just want to thank Representative Polis for his leadership 
there. The idea of industry standing up and raising our hand 
and taking a pledge and saying these are the kinds of things we 
think we should be doing and we will do them when it comes to 
students, I think it is important, and I think it does help 
with schools.
    Chairman Rokita. I thank you. But the question was on 
FERPA; right?
    Ms. Knox. Right. But I think it could translate right into 
FERPA. I mean, not word for word. But the same principles. 
There could be a new piece of FERPA that developed that looks 
at third party or business--
    Chairman Rokita. Absolutely. Absolutely. Thank you.
    And with the time remaining at 1 minute, Ms. Sevier, what 
do you think about what has been said so far? Do you have 
comment to add?
    Ms. Sevier. I do. It sounds like we are all speaking on 
behalf of student privacy. And I just wanted to bring up the 
parent engagement aspect. If parents are not able to review 
digital records and if digital records are not included in the 
definition of a child's educational record, then that kind of 
relegates the parents to being a bystander in the process, and 
not a participant. And I think we need parents as participants. 
We need them involved.
    Chairman Rokita. Absolutely. They are the first guardians 
of all this. Literally.
    Ms. Sevier. Yes. We need them to be involved. If a digital 
profile is going to guide my children's opportunities, whether 
they graduate, whether they are eligible for services, I want 
to review that. I want to be involved. I want know how those 
determinations were made. And right now, unless I am in her 
school district, I don't necessarily have that opportunity.
    Chairman Rokita. Thank you all again.
    Ranking Member Fudge, you are recognized for 5 minutes.
    Ms. Fudge. Thank you very much, Mr. Chairman. And again, 
thank you all for your testimony.
    Let me start with you, Dr. Abshire. You have kind of been 
talking around it. But can you just give me some specifics 
about what you believe we can do or how FERPA can be modified 
to reflect the change in technological climate, while still 
ensuring that children's data is protected?
    I mean, I understand, you know, that you don't want us to 
put more onerous restrictions. And I understand that too. But 
my priority is children. And so if--you know, maybe it is a 
little much and we can work on it. But how can we protect these 
children? What do we need to do with FERPA?
    Ms. Abshire. Well, thank you, Congressman Fudge. I 
appreciate that question.
    I think the comments of my colleagues here at the table 
this morning have kind of encompassed that; that the revisions 
do need to be made with an eye towards a balanced approach. I 
would come down strongly on the side of ensuring parental 
engagement and involvement. In our district it is called 
``informed consent.'' Our parents are allowed to consent and 
opt in and out on different pieces of data around their 
children's educational records.
    So they know that when they give informed consent, that 
student data around discipline, student data around a 
children's progress on formative and summative assessment 
results are gonna be used within the district with privacy with 
the educational experts that need access to make good decisions 
about that child's educational progress.
    They also know that it is gonna be sent to the state to be 
able to assimilate that information and look at how our 
district performs against other peer groups in the state and on 
national levels. They also know that information will be 
anonymized for certain requests and it will not leave the 
district. It will not go out into the cloud and be available 
for potential data breaches.
    So I think the strongest piece that I can bring to the 
table around that issue, Congresswoman, is the piece of 
informed consent; that it is, I think as Chairman Rokita said, 
the parents are the first guardians. And the culture of a 
community in Louisiana--
    Ms. Fudge. I don't want to cut you off, but I have got some 
other questions I must ask, so--
    Ms. Abshire. I am sorry--
    Ms. Fudge. So parental consent. Ms. Knox, what has 
Microsoft actually done to protect the data?
    Ms. Knox. Well, great for us we have some lead amazing 
products. And I feel lucky that I get to go out into classrooms 
and talk to actual teachers who use them. Office 365 being in 
the classroom. And these are specifically designed so that 
students don't receive any unwanted advertisement. And so 
they--a teacher can--as one teacher told me, no more in my 
classroom can anybody come back from doing their homework and 
say their dog ate their home work. Because everything is now 
stored in the cloud. And there is more productivity. Kids are 
really engaged. This office 365 product has really inspired him 
to do new things with technology; collect data, do analytics on 
which equation he is teaching about, you know, students 
struggled with the most at night and didn't struggle as much on 
this equation, so he changes his teaching strategy.
    So all these things are great. But at the same time, we 
need to make sure that they are--that the student is protected 
and they are safe. And that is what these products do. It is 
possible to strike the balance that Dr. Abshire keeps talking 
about.
    Ms. Fudge. Thank you very much.
    Dr. Abshire, can you give me an example of how your 
district uses this data dashboard to effect curriculum 
decisions and to provide interventions for struggling students?
    Ms. Abshire. Yes, Congresswoman. Thank you.
    Teachers regularly meet in our district in what we call 
PLCs, professional learning communities. And those communities 
are focused on looking at how students are performing. And in 
the past it was a set of folders. It was stacks of information 
that people could not cross tabulate the data and, again, look 
for trends and look for specificity in what skills and 
standards are students not able to make.
    Now in our direct, our teachers sit in conference rooms 
with the fourth grade team or a group of math teachers at the 
high school level and pull on a computer screen all the trends 
for the students in their classrooms, drilling down to a 
specific skill that don't know. So they are able to pull out 
students into groups, reteach that specific skill, and allow 
other students to move on.
    What that data warehouse for us has created is efficiencies 
in learning and efficiencies in teaching.
    Ms. Fudge. Thank you very much, thank you very, very much.
    I yield back, Mr. Chairman.
    Chairman Rokita. Thank the gentlelady.
    I would now like to recognize a new member of the committee 
and subcommittee who has served on school boards in Florida.
    Mr. Curbelo, you are recognized for 5 minutes.
    Mr. Curbelo. Thank you, Mr. Chairman, for this opportunity 
to discuss what is a topic that is increasingly on the minds of 
parents and students and teachers.
    I wanted to delve further into the issue with penalties 
related to FERPA violations. Mr. Reidenberg mentioned that we 
should perhaps consider developing a graduated penalty system. 
Could you go into that, expound what would something like that 
look like and how could it be most effective?
    Mr. Reidenberg. Thank you. I think my reference to 
graduated penalties, what I have in mind, are range of levels 
of fine depending on egregiousness of violation. So you would 
not want to see a school district or a state subject to 
crippling penalties for what are small technical violations.
    On the other hand, we need to have some mechanism to insure 
that FERPA is, in fact, effectively enforced in local schools 
across the country. I think--so on the one hand, those are the 
publically-assessed fines. I think it is important that 
families have an ability to get redress if their information is 
compromised and their student's privacy rights are violated and 
they are harmed. Right now, we have no mechanism for that in 
FERPA. It is one of the few areas in American privacy law where 
we have no way of addressing redress.
    Mr. Curbelo. Now, I also heard a conversation about 
expanding FERPA to cover third-party vendors--
    Mr. Reidenberg. Yes.
    Mr. Curbelo.--for example, how ould those groups be 
penalized? Same way?
    Mr. Reidenberg. Same way. Same way. If FERPA is authorizing 
use for a defined educational purpose and the third-party 
vendor does something else; something else being using it for 
advising purposes, using it to profile a student to skew search 
results or to deliver content that is unrelated to the 
educational purpose for which the data was gathered. In an 
instance like that, the third-party vendor should be subject to 
a fine.
    Mr. Curbelo. And a question for Ms. Sevier.
    It is obvious that these types of breaches occur every day. 
Obviously, most of them do not rise to the level where they 
would get attention from the media. But how much do parents 
know about these beaches? Do you get the sense that schools are 
open and transparent about data breaches, or is there a lot 
that parents and even we don't even know?
    Ms. Sevier. That is an interesting question. And I think 
that there are layers of misunderstanding, depending on how 
involved the parent is in the landscape. But I also think that 
the reason that question is most interesting is because the way 
that the law is written right now, there is release of 
information that is not considered a breach. Does that make 
sense? And I think that is really the focus of revising FERPA 
and kind of shoring up those areas; really looking at the 
digital information that is being collected and stored, 
informing parents not just how it is being collected and stored 
and who is using it, but how it is legitimately being applied 
within the school, and then allowing them to review that.
    And I would say that dialogue at that level is not 
happening, but that we are taking first steps with partners, 
like Microsoft, to get information out to parents so that they 
play more of an active role in shaping policy, at least at the 
district level.
    Mr. Curbelo. Thank you.
    Ms. Knox, I think you wanted to weigh in?
    Ms. Knox. Just in terms of the confusion that parents may 
find. We hosted last month--or in December--approximately 30 
state PTA leaders in our office. And we conducted a 2-day 
training on student privacy. Everything from personalized 
learning to what is cloud computing to--I mean, I can't--what 
is data-driven instruction.
    But one of the most interesting moments, I think, for all 
of us was none of the adults had actually experienced 
personalized learning. And so they had never--I mean, those 
were words and terms. And so once they felt the power of oh, my 
gosh, I get to move on quicker based on the data because I am 
actually learning quicker than this person, but this person 
might come and help me, they got really excited once they 
experienced it.
    But then they also thought where is all this data going? 
And then breaking down the cloud and how that works. And it was 
just a fascinating--I don't know if you want to mention--or 
comment. But it was good.
    Mr. Curbelo. Please.
    Ms. Sevier. It was fascinating. And it enabled our state 
leaders to go back to their states and kind of mimic that same 
behavior with their constituents so they were informed 
advocates around the issue. And it decreased the amount of 
hyperbole. And I think it makes us better decision makers.
    Mr. Curbelo. Thank you all very much.
    Thank you, Mr. Chairman. My time is expired.
    Chairman Rokita. Thank the gentleman.
    Ms. Bonamici, you are recognized for 5 minutes.
    Ms. Bonamici. Thank you very much, Chairman Rokita and 
Ranking Member Fudge, for holding this very important hearing.
    Thank you to the witnesses. This is an important issue. And 
I hear a lot from many constituents in Oregon who are as 
concerned as I am about the gaps in protection.
    There is always a problem in legislating around technology. 
Because as was recognized earlier, the technology changes much 
faster than policy changes. And trying to find that right 
balance to make sure that we aren't inhibiting innovation and 
the beneficial uses of technology while still finding 
protections is a critical balance. But it is past time for us 
to address that issue.
    I want to talk with you, Professor Reidenberg, and say 
thank you for your excellent recommendations on the changes 
that are needed to update FERPA. When I think back to--I think 
you said in your testimony it was 1974. Things were a little 
different in 1974. And we have come a long way. But the law 
needs to definitely be updated.
    You talked about an analogy to the Fair Credit Reporting 
Act, permissible purposes provisions, when you talked about 
educational use. But what about remedies? You said in your 
written testimony that right now, the denial of education funds 
by the Department of Education is the remedy.
    But what happens, say for example, if a family finds out 
that there is erroneous information in a database about their 
student? What can they do? Is there way for them--analogous to 
the correction of errors provision in the Fair Credit Reporting 
Act, is there a way for them to correct erroneous information?
    Mr. Reidenberg. Yes. FERPA gives the parents the right to 
access and request the school district make changes to data 
that is incorrect. If a school district does not do that, the 
parent has no recourse.
    The second thing is that doesn't apply to all of the third 
parties holding that data. So all the educational app providers 
that are profiling individual children to serve them content or 
games or learning tools, the parents don't have a legal right 
to access what those profiles are. And to suggest that the 
profile really doesn't adequately or accurately describe the 
child, there is no mechanism for the parent to have it changed.
    Ms. Bonamici. An important issue to address.
    And I want to follow up on Chairman Rokita's questioning 
about the Student Privacy Pledge, which I applaud. That is a 
great first step. However, I am concerned also about the 
voluntary nature of it; that it is something that doesn't have 
adequate enforcement if there is a problem. And again, being 
voluntary.
    So I am also concerned about the issue of conflict. When 
schools are essentially acting in loco parentis, they are, 
playing the parent role, in fact, when our students are in 
their schools. So are schools really equipped to be a go-
between in this kind of issue where parents and vendors and 
school district may have conflicts? How can schools adapt to 
serve that role?
    Mr. Reidenberg. So if I could address the pledge first, and 
then the second portion. I mean, I think the pledge is a 
terrific initiative. I think there are very serious questions 
about its enforceability; whether if a company signs up for it 
and does not adhere to it but then presents Dr. Abshire with a 
contract that is inconsistent with the pledge, and she has had 
her legal counsel review it, I think it is going to be very 
hard to claim it is a deceptive practice on behalf of the 
vendor.
    So I think that relying on unfair and deceptive practices 
as an enforcement tool I think may be difficult. It also means 
the FTC is the principal enforcer for that. And their staff is 
simply not equipped to go after that many organizations that 
might not be following. It is great that there are 100 leading 
companies that are standing up, but there are thousands and 
thousands of companies across the country doing these sorts of 
practices.
    Ms. Bonamici. And as you know, the FTC doesn't represent 
individuals to begin with. So it would have to be a widespread 
practice.
    Dr. Abshire, did you want to weigh in on this?
    Ms. Abshire. Just a quick addition. I think we should make 
no mistake about the fact that schools are painfully aware of 
this issue today. None of us is--can ignore, I think as 
Congressman Kline mentioned, the data breaches that have 
happened with public information and different companies and 
people's credit cards.
    So we are all aware of this. And at the heart of our role 
as school district officials, principals, and superintendents 
and school boards, is the interest of the child. I think the 
chairman said it quite eloquently. Our role is to educate, 
protect, and take care of our nation's children.
    And so in this area of privacy and security, we have not 
ignored this. Every meeting I go to around the country there 
are conversations about this. I am gonna be in California in a 
couple of weeks speaking to district CTOs from around the 
country about this issue. And if we find an issue, I don't know 
of an educational agency that would say we will not correct the 
record, that we will not do the right thing by the child; and 
that if a contract is violated, we have easy recourse. We quit 
doing business with them.
    Ms. Bonamici. My time is expired. I yield back. Thank you, 
Mr. Chairman.
    Chairman Rokita. I thank the gentlelady. And I would like 
to recognize another new member of the subcommittee and 
committee. Glad to have him, as well.
    Mr. Carter, from Georgia. 5 minutes.
    Mr. Carter. Thank you, Mr. Chairman.
    And thank you y'all for being here. We appreciate what you 
do. Nothing more important than our children, and especially 
their education.
    Let me ask you, when we are talking about this information, 
are we talking about specific information to a specific child? 
Or are we just talking about general information? Are we 
talking about, you know, at this school, 40 percent finished in 
this percentile?
    Ms. Knox. I mean, the way I think about the answer to that 
question is there is data that is collected in a classroom, 
right, that informs instruction. Then there is about classroom. 
Then there is data at the school level. Then there is data at 
the county level. And then it goes to the state.
    And so you are right; there is all these different layers 
and there are policies that sort of try to blend together and 
weave together. I keep looking over at Dr. Abshire because she 
lives this. And so the answer to your question is it is like a 
fabric or a quilt that needs to kind of work all in the same 
direction. But there are many different buckets of data at play 
in the education system.
    Mr. Carter. Are you more concerned with the--I suspect that 
you are more concerned with the personal data on the specific 
student than you are about the general data.
    Ms. Knox. I mean, from my point of view, the personal data, 
why--I am very concerned. I don't want to see kids get viruses 
that penetrate their system. I don't want them to be--you know, 
to have data loss or have their passwords exposed. I don't want 
to have their data sold for inappropriate or un-educational 
purposes. All those types of things more on the micro or the 
personal level. But then data can being aggregated and there 
can--people can look for trends. And then there can be some 
unwanted advertising that is targeted towards the student or 
groups of students based on clicks and searches and ways they 
interact with the technology.
    There are lots of ways for data to inform the technology 
that has been used. And sort of what does the company decide to 
do with the data that they are collecting? Is it for the 
purpose of improving the business, or is it actually to be 
monetized and sold and be making money off the whole process?
    Mr. Carter. Dr. Abshire, when your school system gives the 
information to a company, do you sell it? Do you get a price? 
Do you get paid for it?
    Ms. Abshire. Well, we don't give information about a 
student to a company. That data--we have been working on this 
for a little while. Let me say that. And as we look at PII, 
personally identifiable information, we have begun to ferret 
out systems where in earlier contracts and earlier provisions, 
we used a lot of PII. And we are anonymizing that data now by 
using student IDs.
    Information is power in this new technology, economy, and 
educational arena. And if we know that this information has the 
potential, as Ms. Knox said, to be misused or to be exploited 
in some way, then it is our responsibility as--it is the 
responsibility at the school district level to be able to 
restrict that PII in such ways that these children cannot be 
identified.
    Only within our own discreet systems with the educator or 
the researcher or the evaluator that needs to use it in a 
direct line of correlation between that child and their 
educational records.
    So as I said before, this is evolving. It is not an easy 
issue. Because obviously, the use of technology and information 
systems in schools is evolving. And it is complex. But it is 
our opportunity, I think, as a community of policymakers, of 
parents, of companies, and educators to look at this in a 
comprehensive way that holistically evaluates what are we 
doing, what should we be doing, what should happen if we don't 
do what we are supposed to be doing. And then look at ways that 
we can support the use of data to inform instruction.
    Because I think as all the panelists said, the powerful 
learning opportunities that this technology provides to 
advance, remediate, enrich children's learning in ways that 
didn't happen 40 years ago when I started is the way we would 
transform schools and create competitive educational 
environments so our kids can compete within those safeguards. 
Does that help?
    Mr. Carter. That helps. One last question.
    Are there any physical characteristics including in this 
information? You know, male, female, gender--
    Mr. Reidenberg. Yes. It will be in the metadata. It will be 
in some of the specific characteristics the child signs up for. 
An app in school that has an avatar and they are supposed to 
choose their sex, it will be predictable based on certain 
patterns that a child engages in school. So the third party can 
identify those characteristics, even if the child hasn't given 
the name.
    I think it is important though, just giving an ID rather 
than a student's name is not satisfactory today, given the 
state of computer science. The computer scientists are able to 
show you can reverse engineer identity. If you give me several 
characteristics about an individual that are purportedly 
anonymized, I can reverse engineer who that child is.
    And we see today that in our research we found 
approximately 25 percent of the school contracts in--I think it 
was in the classroom function area--were not paid with by cash; 
they were paid with using their students' privacy. They were 
giving the vendors information in exchange for the services.
    Chairman Rokita. Gentleman's time is expired.
    Mr. Carter. Thank you all again.
    Chairman Rokita. Thank the gentlemen.
    Now I would like to recognize another new remember to the 
committee, very much welcomed as well. Mr. Russell, you are 
recognized for 5 minutes.
    Mr. Russell. Thank you, Mr. Chairman.
    And thank you, panel, for being here today.
    FERPA was changed under the leadership of Secretary Duncan, 
allowing anyone that has even a mild interest in education to 
see personal records. Would you support the elimination of 
access by third-party vendors? And that is for whoever would 
like to take that on.
    Mr. Reidenberg. I am happy to jump in and say no. I mean, 
third-party vendors serve an important and useful function for 
the schools. And our schools today would not be able to develop 
and enhance their educational programs if they couldn't use 
third-party vendors. So if you cut off access to the 
information, the schools would have tremendous difficulty 
delivering education and improving the outcomes for their kids. 
But that is not to say what those vendors do has to be careful 
and closely circumscribed.
    Mr. Russell. Okay. As a follow on to that, you know, Mr. 
Reidenberg, you have correctly pointed out in your previous 
comments about these unique identifiers that are attached that 
never go away. They are attached to personal level student 
data. It follows the data no matter where it goes. So 
disaggregated data is really a myth. So how do you protect 
that?
    And then you are also willing to give it to third-party 
vendors, because it is all for the children. Well what about 
the Fourth Amendment of the Constitution of the United States 
that says we have a right to privacy of our papers? What do we 
do with that? And I would like to hear someone from the panel 
address those issues.
    Ms. Knox. I mean, from the company--from Microsoft's point 
of view, we can operate as a third-party vendor. But our belief 
system, what we adhere to, our principles and policies, is your 
data that we are gonna put in a data center offsite, you own 
that data. We don't own that data, and we will not access it. 
And so we have that in our contract. And that is, I think, a 
way of addressing and--well, addressing the issue, but 
increasing trust among all these stakeholders who could access 
the function--
    Mr. Russell. Well, and to that point--and I agree with 
that. But take the Federal government, for example. They are 
asking for data from states to fill out such initiatives as the 
prevention and intervention programs for at-risk youth. They 
provide grants for the SLDS, the longitudinal data system. Do 
you think that data from the National Assessment Educational--
you know, NAP, do you think that would provide the very things 
that they are asking for with less specificity on individual 
students? Why does the Federal government need to drill down to 
that level?
    Ms. Knox. I think there are lots of ways probably to 
respond to that question. My big--my general response about the 
NAPE and the data that is collected, as a general education 
system as a country, we are trying to constantly improve it. So 
we are collecting, you know, aggregated data to make good, 
informed decisions so that we can improve our systems.
    Mr. Reidenberg. Congressman, there is a well-known 
principle in data privacy which is called ``data 
minimization.'' And I think the question you are asking is 
really going to that point; what is the minimum level of data 
necessary to make the decision that we are seeking? And I think 
with--and we have done some research on the SLDSs. And I think 
there are many questions about the scope and extensiveness.
    In fact, it was approximately 4 or 5 years ago I testified 
before this subcommittee on a study that we did. And the 
example that I used came from the state of Louisiana. I was 
just telling Mr. Abshire this before the testimony. Louisiana 
requires its school districts to report whether children curse 
in school. And it seems to--because when you look at the 
disciplinary codes, one of the codes is using--the child is 
disciplined for using profane language.
    And you have to ask the question, is that level of detail 
necessary? I think in many cases, we will increasingly conclude 
no.
    Mr. Russell. Well, and I appreciates that. And my last 
question, I mean, if FERPA no longer protects personal student 
data and we can give no assurances that we can't reverse 
engineer and find privacy factors, and yet we are still willing 
to give it to third parties, what makes any of you on the panel 
believe that the Federal government has a right to do that 
instead of states?
    Local schools, local communities owned by their school 
boards, their parents, their teachers. Sure, we all accept 
that.
    What gives the Federal government this right that none of 
you today by your statements, you realize that there are ways 
around all of this and it can be breached. So why should the--
    Mr. Russell.--federal government--
    Chairman Rokita. The gentleman's time is expired. So we 
will have to get those answers perhaps from the witnesses in 
writing.
    Mr. Russell. That would be great if I could. Thank you, Mr. 
Chairman.
    Chairman Rokita. Thank the gentleman.
    Next, another new member of the subcommittee and committee. 
Mr. Grothman from Wisconsin, you are recognized for 5 minutes.
    Mr. Grothman. Thanks much. I have been concerned about this 
issue for a long time. And the more the government collects 
data of any sort--you know, we have seen every agency. 
Eventually, it is going to get out somewhere. And this is 
supposed to be confidential data. So it is a scary thing.
    But Mr. Reidenberg just said something kind of shocking. 
And I want you to repeat for me, because I almost fainted, so I 
didn't hear the whole thing.
    The percentage of vendors who are getting, apparently 
partly in compensation for what they are doing, are sending out 
data? Could you elaborate on that a little bit?
    Mr. Reidenberg. Yes. The school districts that are getting 
a service for which they are not paying cash. So the 
quintessential example is Google apps for education. The school 
districts aren't paying for it with cash. But what is Google 
getting? Google is getting the personal information of all of 
the district's children.
    Mr. Grothman. Can you give me an example of that 
information they are getting?
    Mr. Reidenberg. Home work assignments, communications 
between teachers and students, presentations that kids are 
working on in school, if they are working from school, the 
search items that are being used.
    Mr. Grothman. So in other words, if Google wants to sell a 
product and my niece is working on something on who knows what, 
they are gonna know what she has chosen for her, whatever, 
middle school project or something?
    Mr. Reidenberg. Yes. But Google has now said that they 
won't use that data to market or advertise to the children. 
They haven't said whether they would not use that data to 
develop the product, to create the content for the product.
    Mr. Grothman. What else would they be doing with it?
    Mr. Reidenberg. That is a very good question. It is 
nontransparent. One of the difficulties is what the vendors do, 
how they are using this information, it is not transparent. It 
is not stated often in the contracts. If you look at the 
contracts that school districts have with their vendors--and we 
have done that. We have analyzed those contracts--it is very 
difficult to figure out exactly what they are doing.
    Mr. Grothman. And so these people, in addition to the 
garden variety government employees--well, Ms. Sevier, do you 
want to--
    Ms. Sevier. Thank you. The situation that you bring up is 
interesting to me. Because with this relationship that Google 
has with the district--and this goes even to some online apps 
that are used in a classroom--parents and students do have an 
expectation of privacy, but they don't always realize when they 
are opting out of it.
    And so part of engagement and information-sharing would be 
to educate teachers, administrators, parents and students, when 
they are opting out of privacy; for them to understand that by 
participating in something--by using Google or one of those 
platforms, that they are giving their information up--
    Mr. Grothman. I am gonna--
    Chairman Rokita. Five minutes is--
    Mr. Grothman. Okay. Well, we will--I have got a broader 
question.
    Ms. Abshire. Just very quickly. Back to our earlier 
comments. This information, this concept of transparency and 
trust; that within our communities, it is school districts' 
responsibilities and states' responsibilities to inform and 
educate parents so they can make informed decisions. We cannot 
do this in isolation. I don't think we can do it with 
legislation, with policy, or with practice. It has got to be a 
partnership between companies, school districts, parents, and 
students so that they are informed when they make these 
decisions and we can use that power of technology.
    I fear a world where we can not use the technology to 
transform learning. But I also fear a world where our students' 
privacy is jeopardized. But I think we can balance that. And I 
hope that we will. Because I think that the potential is 
transformative.
    Mr. Grothman. Well, I am 59 years old. I grew up without 
all this stuff, and I don't feel like I missed anything. But be 
that as it may, maybe I did. Maybe I would be so much better 
off if they had a big data bank to peruse.
    Mr. Reidenberg, one quick question. By the time I am--let's 
say I go graduate school, so we got all this stuff. Or like I 
did, I went to law school. And this stuff was in place from the 
time I was 3 years old in day care to 25 years old in law 
school. What all--could you give us like a 1-minute summary of 
all the stuff that would be in one place that somebody could 
fine out about me? You know, that we all have to have, the 
program has to be of?
    Mr. Reidenberg. Well, probably the easiest way to do that 
in a minute is just think George Orwell and take it to the Nth 
degree, and that is probably what would be available. I mean, 
we are in an environment of ubiquitous surveillance, 
essentially. So the data from all sorts of devices can be 
captured and synthesized in enormous number of places.
    And as we see emerging between what children do in the 
classroom, what they do at home outside the classroom, I think 
we are gonna see a lot of pressure to have data from each of 
these places; what is done in the privacy of the home with what 
is done in school being merged together. And it will just be an 
extraordinarily-rich data set of your life.
    Chairman Rokita. Gentleman's time is expired. Thank the 
gentleman.
    And I am also pleased to see that we have members from off 
the subcommittee interested in this issue. I would like to 
recognize the gentleman from Colorado for 5 minutes.
    Mr. Polis. Thank you, Mr. Chairman. And I appreciate the 
opportunity to join the subcommittee today.
    I think it was very valuable the way that Ms. Bonamici has 
sort of framed this issue and why this has strong democratic 
and republican agreement about, you know, parental rights and 
privacy issues. It is really--as we know, schools function with 
a certain degree of ability to in loco parentis operate in lieu 
of the parents.
    And the question is when it comes to kids' personal 
information, do the schools and the government own it and can 
they sell it? And the answer should be without the parent's 
consent, no, they don't have that ability.
    But because of the advent of interactive technology, there 
are oftentimes students interacting directly with third-party 
vendors and there is not the teacher or administrator there.
    And therefore, policies and laws are needed to ensure that 
schools, in fact, are not selling personal information, whether 
there is monetary compensation or in kind, software 
composition, effectively selling information that isn't really 
theirs because the parents of the minor did not give them the 
permission to do that.
    I want to go to Ms. Knox. And recognizing that we can learn 
from state efforts, notably SOPIPA in California that protects 
student privacy. And this is fundamentally a demand driven by 
parents across the country. Certainly, in my own state of 
Colorado.
    Could you elaborate on how some of those innovative 
policies can be taken to the federal level, building upon the 
pledge which 100 companies, including yours, have already 
signed?
    Ms. Knox. Sure. Sure. And I would be remiss not to also 
thank Representative Messer for your leadership on the Student 
Privacy Pledge. So thank you for that. I know you joined a 
little after Mr. Polis or Representative Polis.
    The state bill. So the California bill was very 
constructive. We found it constructive for the larger 
conversation. I think the data that came out of 2014 where 
there were 106 student privacy bills introduced, I think 28 of 
them had to do specifically with protecting student privacy. 
And I think it came from, like, there were 32 different states. 
The numbers are even, you know, at that level and getting 
higher as we speak.
    What is interesting is that there is such a different kind 
of mix of the state bills. So some of them are looking at 
governance. You know, how--we should have a security officer or 
a CIO or a student privacy leader at the state level, you know, 
setting up governance systems, versus sort of this idea of how 
companies should behave in relation to student privacy, and 
especially third-party vendors.
    So I think the Student Privacy Pledge has really helped 
specify and clarify and bring the industry together to commit 
to the eight specific objectives of the pledge. And we have 
been able to say okay, we would like to take these commitments 
and make sure that the other state bills that are moving right 
now, we want to make sure that they kind of work in conjunction 
with each other.
    Mr. Polis. And I want to go to Professor Reidenberg.
    I think one of the dangers, absent the types of controls 
that parents want to see so that their own kid's information 
isn't sold without their permission, the danger seems to be 
that parents understandably--and this has occurred in districts 
in my state--rebelled the other way, where they effectively 
throw vendors out of schools that could otherwise be helpful at 
providing an individualized education, if only the legitimate 
concerns were addressed.
    So I am wondering if you can address how we can harvest the 
great potential and power of educational technology and 
individualized education to boost student learning, while at 
the same time ensure that the concerns of parents are met.
    Mr. Reidenberg. I think that is exactly the challenge. 
Because the concerns parents have arise from the lack of trust, 
I think in part from a lack of transparency as to the sharing 
arrangements that are taking place and what the companies are 
doing. In the absence of effective privacy protection for their 
children's information, parents will oppose the technology. We 
have seen this. We saw this, for example, with the collapse of 
the InBloom platform. There were lots of things that coalesced 
in enbloom to cause its collapse. But one of the major reasons 
was the way InBloom dealt with privacy or didn't deal with 
privacy.
    The other thing that I think is important to recognize, 
parental consent, we have to be very careful when we talk about 
engagement and giving parents the authority to consent and then 
everything is fine. The reason I say we have to be very careful 
is we have to be sure we are not dealing with forced consent. 
You can't put a parent in the position that they have to waive 
their child's privacy for their child to be able to engage in 
school.
    As a parent, we experienced this several years ago. We had 
to sign up for the parent portal for our local school. And in 
signing up for the portal, you have to click I accept. And 
essentially, we had to accept waiving our child's privacy 
rights for my child to be able to get his homework assignments. 
So we have to be very careful about. That it is important to 
have parents engaged. Parents have to have rights to consent. 
But we can't be putting parents in the position where their 
choice is their kids gets an education or they have privacy, 
they can't have both.
    Chairman Rokita. Gentleman's time is expired. I thank the 
gentleman.
    Also pleased to recognize Mr. Messer, from Indiana, another 
welcome member of the full committee, for 5 minutes.
    Mr. Messer. I thank the Chairman and the Ranking Member for 
their leadership on this important issue. Certainly thank the 
panelists as well for being here today an issue that I think a 
lot of parents are concerned about and yet don't they don't 
know a lot about either; that we are trying to wade our way 
through the issue.
    You know, several testimonies have mentioned that the 
Student Privacy Pledge--thank you, Ms. Knox--and actually, Ms. 
Sevier and the PTA and the parent organizations that were part 
of our efforts to pull that together--obviously, we don't have 
a law today. So to have at least 100 industry leaders step 
forward and make clear that we ought to do some simple things, 
like not sell student information, not behaviorally target 
advertising, use data for authorized educational purposes only, 
and all the rest of the pats of the pledge.
    You remember from our meetings together before, I have 
believed all along that the pledge alone wouldn't be enough, 
and that we ought to look at other ways that we can legally 
protect parents' rights to protect their child's privacy.
    Yesterday in the ESEA bill we had an amendment that dealt 
with that. I think amending FERPA is part of that, as well. And 
looking at what other additional protections that we are seeing 
at the states could we could supply up here, like Mr. Polis and 
I are working on. Maybe a federal version. Not exactly the 
same, but a bill that would mirror the HPPA law that you know 
of in California.
    I wanted to maybe start with Ms. Abshire and expound on the 
testimony at the end of the last questions. You know, it is 
important here that we protect student privacy. But it is also 
important that we make--ensure that any new laws intended to 
create student privacy don't create--that are intended to 
create a student privacy floor do not also create a digital 
learning ceiling.
    And could you expound on that a little bit, reference--how 
do we find that spot in policy where we are protecting students 
and their privacy concerns, but still getting the remarkable 
educational benefits that come from having this kind of 
aggregated data?
    Ms. Abshire. Well, I think it is a partnership 
conversation. I think that there is deep experience in the 
field with my colleagues and school superintendents and school 
board members that are grappling with this every day at the 
district level, with organizations such as CoSN and ISTI that 
represent the types of leaders that also toil with these ideas.
    In our work, we are not absent that thinking every day that 
contracts that we sign, systems we put in place, don't hold 
great responsibility for those of us that are in the 
educational system. So it is a constant thought on our mind. 
And the news and the media and the new tools that are emerging 
constantly bring that to the forefront of our thinking. Because 
we know what we have to do to make sure that our children are 
safe in a world that in many ways is unexpected from day-to-day 
as to what will happen.
    But I think at the heart of this is the conversation--deep, 
abiding conversations that we as school leaders and 
policymakers have with the people that we entrust this 
information to, which are our providers. I do commend Microsoft 
and other people for coming to the forefront and putting it 
together. And certainly, people that have worked at the state 
and the national level on this. But it is not gonna be an easy 
conversation.
    Mr. Messer. Sure.
    Ms. Abshire. And that is why I am so thrilled that this is 
happening today. Because we have got to probe at this and look 
at what the technology is doing in terms of securing privacy 
but enabling learning. So I think it is an ongoing 
conversation. I don't think we have the answers in our hands 
today. But I think they are emerging. And I think this panel 
today helped give you some insight.
    And I know the conversations will continue. And we 
appreciate you talking to practitioners and to companies and to 
parents to know that we are all thinking about the same thing. 
No one is ignoring this important issue in elevating learning.
    Mr. Messer. Yes. Thank you very much. You know, I would 
just say again thank the Chairman for today's hearing. Thank 
the witnesses for your remarkable testimony.
    There are incredible benefits to student learning that come 
from this data. But as you heard from the testimony today, 
parents are worried about protecting their children first.
    Ms. Sevier, you want to finish?
    Ms. Sevier. Thank you. I would. If you went to the street 
and you pulled ten parents and you asked them well, how do you 
feel about biometric data and should it be collected on your 
student? Depending on the article that they just read that 
morning, they might just say they are thinking of that grilled 
cheese sandwich and no, you can't scan my child's eyes so that 
they can move through the lunch line. But maybe you have got 
other parents that are thinking about their child that is in 
speech therapy, and that biometric data is being used to 
accelerate their learning. And so it is all about conversations 
and information, definitely.
    Mr. Messer. Great point. Thank you.
    Chairman Rokita. Gentleman's time is expired. I thank the 
gentleman.
    And the ranking member is recognized for closing.
    Ms. Fudge. Thank you, Mr. Chair.
    And again, I thank all of you for being here. Very 
insightful. Very educational. We have learned a great deal 
today, and certainly will take parts of the discussion to try 
to determine how we best can serve students, as well as to make 
sure that their educational experiences are what they can be in 
this age of technology. Thank you all. And thank you, Mr. 
Chairman.
    Chairman Rokita. I thank the gentlelady. As always happens 
with these kinds of hearings, we learn a lot. I especially. So 
I want to thank each one of you for your testimony today.
    Something perhaps not exactly orthodox. I am going to--
because this is so important, I want to just say a few things 
and then I want to yield each of you 30 seconds--and it will 
just be 30 seconds--to make my closing for me, to say what you 
think we need to take away from today, what is most important 
for us as we go back and we look at updating FERPA, overhauling 
it for the 21st Century so that it has the appropriate 
enforcement mechanism; so that it has that right kind of 
balance, so that third parties can be brought into this in a 
meaningful way so that, again, we can do what we all said we 
wanted to do and was first on our mind, and that is protect our 
kids, that they can have a lifelong successful learning.
    So with that, Ms. Sevier, for 30 seconds, what should we 
take away from today?
    Ms. Sevier. The takeaway for today is to consider parents 
as partners in education, and not bystanders; to always support 
outreach and information; to consider not just who has the data 
and how it is being stored, but how it is being used in 
schools. Grilled cheese, speech therapy. And whether or not 
parents have a right to review that information. Because I can 
give content. But if it is a one-time thing, I am still a 
bystander.
    Chairman Rokita. Thank you.
    Ms. Knox?
    Ms. Knox. It is very possible to strike a great balance 
between harnessing the power of personalized learning, while 
also safeguarding our students' data. Ask more from companies. 
There is no question that they need to be transparent, 
articulate clear contracts; that they need to make sure that 
they have comprehensive data security systems; and that they 
commit to not using data for noneducational advertising 
practices.
    Chairman Rokita. And FERPA, if I understand your testimony 
is a primary vehicle for doing that?
    Ms. Knox. We would like it to be part of it. Yes.
    Chairman Rokita. Okay. Thank you.
    Dr. Abshire.
    Ms. Abshire. Yes, sir. Please be careful in your 
consideration of what changes in this law and how they will 
filter down and affect the business of school districts 
educating students. While we are painfully aware of the issues 
around student privacy and PII, I am also painfully aware that 
it is a very difficult and complicated process to manage 
student learning and to be wise stewards of all of this 
information. And so in terms of burden, we often talk about 
that, seek out professionals in the field, practitioners that 
will have to implement what you decide to do around this.
    Chairman Rokita. Thank you appreciate it.
    Mr. Reidenberg.
    Mr. Reidenberg. Three quick things. Without modernizing 
FERPA, innovation is going to be opposed and will stall. It is 
just not going to work. I think Congress--message I would like 
to give is Congress needs to protect all student information, 
not just things that were considered educational records in 
1974.
    And lastly, the privacy protections have to apply to all of 
the participants in the educational environment, which means 
the schools, the vendors, the parents. The entire educational 
community set of actors have to be covered by these 
protections.
    Chairman Rokita. Thank you. There being no further business 
for the subcommittee, it stands adjourned.
    [Additional submission by Mr. Dreiband follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    [Whereupon, at 12:54 p.m., the subcommittee was adjourned.]

                                 [all]