If data is the new oil, then schools are the new Ghawar field. Nearly every single person in a generation passes through a school, and virtually all of them encounter computer-based technology. And everything that a computer assesses, measures, and facilitates, it can also record and store.

You may think that such data is fiercely protected by the Family Educational Rights and Privacy Act (FERPA). As originally passed, FERPA did not even allow schools to share student data with other government agencies. But in 2008 and 2011 the law was weakened, allowing student data to be shared with just about any agency or company authorized by the school district, or authorized by a company authorized by the school district--and this sharing can occur without parental permission or notification.

Teachers must now be aware that every use of technology in the classroom represents a possible exposure of student data. Google has been hugely successful in getting its apps into classrooms--but Google has also admitted to mining student data with those apps. School districts have had their data banks hacked and taken hostage. Companies are anxious to gather up all the data about each child; Knewton once bragged that given the access to data, they could tell children what to eat for breakfast on the day of a math test. Some people look with admiration at the Chinese system which stores data from cradle to grave to be used by government and employers to decide a citizen's fate.

Schools are where one thorny modern issue--data privacy--meets our most vulnerable population--students. As a parent, you may carefully monitor your child's phone, her social media use, and all her other online activities. But how well-protected is your child at school?

A new report from The Parent Coalition for Student Privacy and the Network for Public Education (of which I am a member) takes a state by state look at that protection. The 2019 State Student Privacy Report Card takes a look at seven categories and scores each state, then averages those scores for an overall grade. The picture is not pretty; no state earned an A, and 28 states failed with either a D or an F. The report card looks primarily at 99 laws passed in the last five years, considering their thoroughness and quality. Those covered a wide range, from those based on California's landmark Student Online Personal Information Protection Act (SOPIPA) that addressed issues such as targeted advertising to laws that regulate school access to students' social media accounts. Eleven states were found to have no student data privacy laws at all.

Through the seven categories, the study considered how many different groups were covered (i.e. pre-K, K-12, higher ed), how transparent the policies are (are parents aware of what's going on), how well does the law recognize the principle that parents and students own their data, how freely the data may be used for commercial purposes, how well-protected the data must be, how strongly the rules are actually enforced (serious fines or wrist slaps), and other miscellaneous laws that some states have cooked up.

For a quick interactive view of the report results, the report comes with an interactive map that lets you see how states score in each category at a quick color-coded glance.

The picture is not pretty, and it the battle over student data privacy is not likely to be settled any time soon. The last big dustup started in 2011 when $100 million (most of it Bill and Melinda Gates money) was used to launch inBloom, a plan to harvest huge amounts of student data to store and market, without parental notification or permission. The company was unveiled publicly in 2013 and shut down in 2014, victim of huge public backlash. Years later, tech folks were still conducting extensive autopsies of inBloom and concluding that the problem was a "failure to communicate the benefits of its platform and achieve buy-in from key stakeholders." In other words, they failed to properly manage the PR.

The lesson was expensive, and it has led to a bigger role for data "advocacy" groups like the Future of Privacy Forum, an organization funded by Amazon, Facebook, Microsoft, Google, the Bill and Melinda Gates Foundation, and the Chan-Zuckerberg Initiative, among others. This is not a list of organizations known for their fierce support for data privacy, and in fact their spokespersons can be found writing op-eds like this one, arguing that Louisiana's student privacy laws are too harsh. FOPF has also expressed its objections to the Student Data Privacy Protection report card.

The issues here are many and complex, and only become more so as social and emotional learning software becomes a big new push. Are we looking at a future in which human resources can just order up employees who are strong in math, fair at writing, and have never had trouble with authority figures? Are we looking at a future in which the old "this will go on your permanent record and you'll never get a job" threat will become reality? Will the Cambridge Analytica scandal become quaint and moot because full voter profiles, based on voters' first 18 years of life, become readily available for a price?

The other question worth asking-- how hard is it to protect the privacy of people who are barely wiling to protect it themselves? In the news this week, Facebook was caught buying rights to all of the data accessible through users' phones, apparently in perpetuity. The amount of money necessary to get people to download an app that would spy on them 24/7? Twenty bucks.

The report is a good look at where each state is right now. If parents want the state of student privacy to get better, they'll need to speak up, because the prevailing winds are not currently in the direction of more data privacy.