Advocacy group Common Sense Media held a summit in Washington, DC on Monday as part of a national campaign on the highly contested topic of student data privacy.

A recent study by Fordham University Law School found that as schools and districts adopt cloud computing services, they are transferring student information to third-party providers, often leaving it open to data mining and commercial purposes such as reselling and ad targeting. These services may be in violation of federal law. These agreements allow vendors to do whatever they want with student demographic records and other personal information. Of the districts studied, fewer than 25% of the agreements between districts and vendors specified the purpose for disclosures of student information, and fewer than 7% restricted the sale or marketing of student information by vendors in any way. And that is to say nothing of the risk of hacking or other security breaches.

There are a number of attempts in the works to establish better guidelines for the $8 billion educational software industry. The Software&Information Industry Association, a trade group, yesterday announced a list of best practices for agreements between software groups and schools:

That data should be used only for educational purposes, that its use should be fully disclosed and transparent and full consent obtained from families, that all reasonable security procedures should be followed and schools be notified in case of actual data breaches.

Even as the industry is taking baby steps to govern itself, lawmakers are converging on a solution with more teeth. California State Senator Darrell Steinberg just introduced a bill in that state enforcing some of these same principles: educational purposes only, encryption and deletion of data. Massachusetts Senator Ed Markey plans to do the same at the federal level.

At the Common Sense Media event, according to the lively discussion on Twitter, industry representatives like Cameron Evans of Microsoft and Joel Klein of Amplify argued that a rush to legislate might cause more problems than it solves. Best practices for data privacy and security continue to evolve as the technology does. The large-scale use of cloud computing and web-based data storage itself dates back only to the mid-2000s. It is difficult for the law to catch up. Also, while contracts may specify “educational purposes only,” the nature of the beast in ed-tech is that a large source of educational innovation is coming from for-profit startups whose involvement with the day-to-day experience of teachers and students is becoming increasingly intimate, if not intrusive. In practice the line between educational and commercial purposes may be somewhat blurry. As Katherine Varker, Associate General Counsel, McGraw-Hill Education, asked at the summit: ’Where does targeted advertising end and personalized learning begin?’

[Cross-posted at Hechinger Report]

Anya Kamenetz

Anya Kamenetz writes the Digital/Edu blog for The Hechinger Report. She is a contributing writer at Fast Company and the author of several books and book chapters about the future of education, including DIY U: Edupunks, Edupreneurs, and the Coming Transformation of Higher Education (2010).