While New York Attorney General Letitia James’s name has dominated much of the news in 2024 already, one of the most noteworthy instances did not garner nearly enough attention. In mid-February, Ms. James announced that the College Board—which many parents know as the company that administers the PSAT, SAT, and AP exams—would pay New York state $750,000 for violating students’ privacy, and it would agree to halt its practice of selling student data.
According to the complaint, the College Board sold the data of the students taking these tests to colleges, scholarship programs, and other customers. Despite being illegal (since a law was passed in 2014), the company exploited what appeared to be a loophole that allowed it to generate more than $28 million in revenue between 2018 and 2022. The full extent of the College Board’s activity makes the settlement amount seem small in retrospect. It also should be a wake-up call regarding the state of student data privacy in our education system.
Leaving policy loopholes aside, our education system has been heavily burdened of late with an endless barrage of cyberattacks. According to New York state Comptroller Thomas DiNapoli, in a report released in October 2023, the number of ransomware attacks and data breaches in New York over the past six years ranks the state third in the country.
And now, on top of attacks by bad actors, our education system is forced to root out those who are exploiting legislative holes. In the case of the College Board, they argued that language holding “third party vendors” to certain standards didn’t apply to them (they apparently didn’t consider themselves contracted vendors). The College Board also engaged in the practice of collecting additional data from teens during the registration process, including highly personal details that would later be used for marketing purposes.
We recently exposed the same practice by online mental health business Talkspace in its partnership with New York City’s Department of Health. As part of the NYC Teenspace offering, the company asks a long list of highly personal mental health questions before the teen is officially registered (and parental consent is asked for—a requirement in New York state). The company maintains that this information is required to “match” a consumer toa therapist, but that is now disputed and the subject of a class action lawsuit against the company.
If our education system can’t fend off the bad actors and can’t identify the exploitative practices of those they want to partner with, how will our children’s privacy ever be protected? It’s not enough to have laws in place; they need to be airtight, and those enforcing them need to be far savvier and experienced in identifying these pitfalls.