Letter to House Ed & Workforce Committee Urging Changes to FERPA Update
Beckerman: “Any effort to enshrine a strong national standard for data security must clearly outline the rules of the road for Internet companies and their users.”
Washington, D.C. – Today, the Internet Association sent a letter to the leadership of the House Committee on Education and the Workforce and sponsors of the Student Privacy Protection Act of 2015 (H.R. 3157). The letter calls for revisions to controversial provisions in the Student Privacy Protection Act 2015 (H.R. 3157). The revisions are necessary to safeguard the user data and privacy of students and their families, while creating a strong national standard that the industry can work with.
As it stands, H.R 3157 creates a contradictory labyrinth of data security legal frameworks that Internet companies and their employees must circumnavigate. Since H.R. 3157 does not preempt state data breach statutes, industry must monitor over 40 different sets of state laws in addition to its provisions. The letter also outlines how the bill would “impose vague security requirements, including notice requirements triggered by a ‘breach of the security practices,’ which theoretically could include common employee errors such as failing to properly sign-in a visitor or failing to logout of a computer when going to get coffee for 5 minutes.”
“Any effort to enshrine a strong national standard for data security must clearly outline the rules of the road for Internet companies and their users,” said Michael Beckerman, President and CEO of the Internet Association. “As the bill is currently drafted, companies may find themselves having to send multiple notices to the same consumers. These provisions will result in over-notifying consumers and unnecessary compliance burdens.”
Beyond its impact on consumers, the letter also highlights the impact that H.R. 3157 would have on ed-tech providers. The bill refers to “commonly accepted industry standards on privacy protections,” with no reference to the standards. As the letter explains, “In reality, these standards vary significantly according to the sensitivity of the personal information involved.”
“Earlier this year, the Internet Association gave constructive (but not unequivocal) support to the Data Security and Breach Notification Act of 2015 since it preempted all state data breach statutes, contained a narrowly crafted harm trigger, and did not create rulemaking authority. It sought to create a true national standard to protect consumers while recognizing legitimate industry concerns about the cost of compliance with its provisions. As currently drafted, H.R. 3157 has yet to achieve these goals,” Beckerman concluded.
To read the full letter, click here.