Over the last two years, more than half of the states have enacted legislation aimed at protecting the privacy of high school students. A Student Privacy Pledge has attracted the support of 200 companies in the business of providing online services to students in America's classrooms. The White House, too, has proposed a Student Digital Privacy Act, modeled after California's stringent Student Online Personal Information Protection Act, (SOPIPA), that was passed in 2014 and went into effect in 2016.
Meanwhile, the military, the nation's most egregious violator of student privacy rights, gets a pass.
Several elements are common to most of these laws, according to Jules Polonetsky and Brenda Leong of the Future of Privacy Forum. They summarize the new laws regulating school-based digital data collectors:
[Data collectors] are barred from selling student information, delivering targeted advertising to students, or changing privacy policies without notice and choice. They must use data for authorized educational uses only, support requirements for parental access to data, and delete data when required.
If a school promotes an online product and requires or encourages students to use it, then it has responsibility for making sure the tool complies with many of these new privacy laws.
Like yearbook and ring companies that sell student information to the highest bidder, DOD recruiters and civilian employees routinely pass sensitive information about underage students to the Joint Advertising and Marketing Research Systems (JAMRS), a DOD program. JAMRS subcontracts the massive, Orwellian database of approximately 30 million youth, ages 16-25, to the data goliath Equifax.
On a scale that dwarfs corporate competitors, the DOD delivers targeted advertising to students. It changes privacy policies without notice or choice to consumers. (The recent changes to USMEPCOM Regulation 601-4 concerning the Armed Services Vocational Aptitude Battery, ASVAB, provide an example.) The military does not use the data it collects for educational purposes, and it works against providing for parental consent or access to data. Furthermore, the military retains data collected on students long after laws demand their destruction.
While proposing the Student Digital Privacy Act last year, President Obama forcefully declared, "data collected on students in the classroom should only be used for educational purposes -- to teach our children, not to market to our children." However, the president's proposal leaves the DOD alone.
The framework of the President's proposal is taken from the California law:
Operators may not collect information that is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student's educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact. discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.
The DOD collects most of this through the ASVAB enlistment test alone. More than a thousand schools require students to take the test. Overall, 650,000 high school kids take the test in 12,000 schools.
Minnesota, New Jersey, Colorado, New Mexico, and Mississippi, allow students to take the ASVAB as an alternative end-of-year assessment. Kentucky and Missouri encourage students to take the ASVAB to be considered "Career Ready." These policies provide a treasure trove of unregulated data for the Pentagon, all without parental consent. On the other end of the spectrum, Hawaii, Maryland, and New Hampshire do not allow results from the ASVAB to be used for recruiting purposes.
Federal law says military recruiters may request the names, addresses, and numbers of students for direct marketing purposes, an act prohibited in all the new privacy laws. The law, however, allows parents to request that their child's name not be forwarded to the Pentagon. Maryland is the only state that has a law requiring an "opt-out" form to be placed on the mandatory emergency contact card, leading most parents to remove their child's information from lists being sent to recruiters. The new data privacy laws fail to address this obvious invasion of privacy in the 49 states that are reluctant to check this military overreach.
The military has multiple avenues of data flowing into its databases. High school guidance offices and career centers encourage students to visit the websites of each of the military branches, reserves, and Guard units. They all collect volumes of personally identifiable data. Schools also promote the following websites, and they often provide instruction in navigating a host of military or military-supported sites like: www.todaysmilitary.com, www.ecybermission.com, www.march2success.com, www.armystrongstories.com, www.military.com, www.asvabprogram.com , www.march2success.com , and www.myfuture.com .
Unwary students are prompted to click on military links to Facebook, YouTube, and Twitter where newly formed units of recruiters in recruiting companies across the country spend countless hours trolling these sources to assemble a virtual portrait of children before first contact.