ICYMI: Trahan Pushes for Data Privacy for Our Kids

WASHINGTON, D.C. – Today, Congresswoman Lori Trahan (MA-03), a member of the House Energy and Commerce Committee’s Innovation, Data, and Commerce Subcommittee, called on her colleagues during a subcommittee hearing on privacy to continue working to pass a comprehensive privacy bill that prioritizes protections for consumers and children.

Trahan focused her questioning on data privacy in the educational technology sector. As kids utilize more and more technologies to learn, it’s more important than ever that parents, educators, and government have a full picture as to how student data is being used and protected.

Footage of Trahan’s line of questioning and witness answers can be accessed by clicking HERE or the image below. A full transcript of the exchange is included below.

Trahan has been a vocal advocate for federal data protections, including calling on companies to improve their data practices. Last August, Trahan led a group of lawmakers in requesting information from top messaging and telecommunications companies about their metadata collection and processing practices, and how they could affect women post-Roe. A month before that, she spearheaded a coalition of fellow members pressing powerful data brokers on their handling of women’s reproductive health data. In 2021, Trahan called on major gaming companies to extend online protections, including data collection limits, guaranteed to children in the United Kingdom under the Age Appropriate Design Code to kids and teenagers in the United States.

Also in 2021, Trahan released draft legislation that prioritizes student privacy by placing limits on how data collected through commercial educational software can be used. Trahan successfully advocated for the inclusion of similar education technology protections in the American Data Privacy and Protection Act, bipartisan privacy legislation passed out of the Energy and Commerce Committee last year.

-----------------------------

Congresswoman Lori Trahan

Hearing Remarks as Delivered

Hearing on “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy”

March 1, 2023

TRAHAN: Thank you Mr. Chairman, Ranking Member Schakowsky for organizing today’s important hearing. Like many of my colleagues on this dais, I’m disappointed that we failed to pass the American Data Privacy and Protection Act in the full House last Congress, and I urge my colleagues – particularly those who are new to the committee – to continue working in a bipartisan way to pass a comprehensive privacy law that meets the needs of the families we represent.

Mr. Chairman, the federal laws that govern our privacy today – in March of 2023 – are the same ones that were in place when we had a hearing on holding Big Tech accountable a year ago in March ’22. They’re the same laws that were on the books when the CEOs of Google, Meta, and Twitter testified before this same committee a year prior to that – in March 2021. In fact, they’re the same laws that for decades have permitted companies to harvest our sensitive data - things like medical symptoms that we look up on a search engine, or our location that paints a picture of where we work, where we send our kids to school, and where we pray - and sell that data to third parties or use it in ways that are contrary to what any of us would reasonably expect.

Many of us have been sounding the alarm about this for a while.

In the past two years alone, I’ve sent inquiries to phone and messaging apps asking about the misuse and sale of messaging metadata, to data brokers about the sale of geolocation data, and to online gaming companies about their treatment of data collected on teens. These companies can and should be doing better, but without comprehensive privacy legislation like A-D-P-P-A, they won’t act.

And it doesn’t stop there – one type of product I want to highlight the desperate need for an update is education technology. According to a 2021 study from Center for Democracy and Technology, 85% of teachers and 74% of parents believe ed-tech is very important to students’ education, and more teachers are becoming aware of the need to thoughtfully consider students’ privacy. However, a majority of parents still have concerns about student privacy, and a significant number of teachers still have not had training on privacy policies and procedures.

So, Ms. Givens, with the Family Educational Rights and Privacy Act – or “FERPA” – having passed nearly a half century ago in 1974 and still being the law of the land when it comes to student data, can you describe to what extent companies that offer ed-tech software are or are not covered by FERPA?

GIVENS: Thank you for the question and for citing our report. We spend a lot of time with educators, teachers in the classroom as well as students and their families, and so we see firsthand the level of concern about how kids’ data is being used in this environment.

To answer your question, FERPA applies to personal information from education records that are maintained by covered entities. That basically means public K through 12 schools [and] colleges and universities that accept federal student aid. When ed-tech software vendors work with those covered entities, they have to comply with FERPA. But really importantly, FERPA falls short in all of the other ways in which ed-tech vendors might be engaging and receiving information about students.

So first, it doesn’t contemplate harms that might result from other types of information like when the vendor interacts directly with the student and gathers that type of record. Second, FERPA doesn’t address any of the Civil Rights issues that can stem from algorithmic harms as we are seeing increasing use of AI systems deployed in education settings. And third, FERPA’s enforcement mechanisms fall directly on schools and not on the vendors, and the punishments are draconian — you lose your federal funding. We need the burden for privacy compliance to sit not just with the schools, which are so overwhelmed, but with vendors in this space as well. And so complementing FERPA with comprehensive privacy protections for those commercial uses of this technology is really important as well.

TRAHAN: Thank you. You know, in some cases ed-tech software, as you mentioned, is not offered through business-to-school contracts. Instead, there may be a “free” online game or an educational app. And the data collected while on these sites or apps can later be used to target ads or sold to third parties, particularly for students who are 13 and older. So the idea of consent gets murky, as you mentioned, when we are talking about a student or their parents deciding between participating in class while being tracked versus not participating at all.

Can you speak to how the duty of loyalty and data minimization in ADPPA would be applied to these types of sites and apps?

GIVENS: You’re exactly right. So FERPA only applies to vendors when they are processing education records which doesn’t include any of the many other ways that students are interacting with technology today. I think about the experience with my own children and they download apps, not going through those official channels, they’re sharing a lot of information and they’re doing it to be able to have an educational experience. Again this shows why notice and consent is broken as the model because there isn’t a question of consent, you want to be able to access these platforms. And sadly COPPA [Children's Online Privacy Protection Act] is falling short here too, although of course, it does offer some protections to services targeting children under the age of 13, that too essentially rests on a notice and consent regime that is really hard to operationalize in practice. So, that’s why we need the broader comprehensive privacy protections to regulate those additional uses and create baseline protection for students.

TRAHAN: Thank you so much for your testimony, I yield back.

###