By: Scott Gutierrez

Your smartphone can track your location, your favorite places to shop, and the topics you most often engage with on social media. But be warned college students: Your phone also may know the next time you skip class.

Dozens of  colleges and universities in the United States now use apps installed on students’ personal phones to monitor student attendance. The apps connect through campus Wi-Fi or Bluetooth technology, and can alert a professor or advisor when students don’t show up to class or arrive a few minutes late. SpotterEDU, a system employed by about 40 schools, including Syracuse, Auburn, Central Florida, Indiana, and Missouri, logged more than 1.5 million student check-ins last year.

It sounds invasive, but school officials say the technology is intended to help students succeed. By monitoring student attendance, schools argue they can watch for students who frequently miss classes and reach out to find out why. Schools are then able to sooner identify students who are struggling with class work or mental health issues and provide appropriate support services.

SpotterEDU was initially founded by a former assistant basketball coach to monitor student athletes and ensure they stay academically eligible to play. Instead of relying on GPS, the app connects with small beacons hidden in lecture halls and classrooms. The University of Missouri recently expanded the program to require all new students –not just athletes–  to participate. The university says students are informed ahead of time and that school officials will work with those who don’t have a smartphone to ensure they can participate. It’s unclear from news reports how many other schools require student participation.

Another dozen or so schools are experimenting with an app that tracks students through campus WiFi networks as they travel to dorms, the cafeteria, or the library. Students are allowed to opt out, but for those who don’t, the data is scrubbed of identifying information and sent to a company, Degree Analytics, for analysis of any patterns in study habits or when students gather socially. The idea is to search for insights from the data that help tailor academic services to better meet students’ needs.

In some cases, schools calculate personalized “risk scores” based on factors such as how often the student visited the library. With SpotterEDU, the data can be broken down based on race or between in-state and out-of-state students to look for “patterns in academic retention and performance.”  It also can keep track of attendance points to be factored into final grades.

At the University of Alabama, where the Crimson Tide is a perennial contender for the national football championship, the school uses smartphones and location-technology to reward student attendance at games with “loyalty points” toward ticket deals.

Right to access student records

Privacy advocates and some in academia are alarmed at the practice of surveilling student behavior and the potential for abuse. Amidst the debate, students and their parents may have questions about what sort of data is collected and how it is protected, particularly when shared with third party vendors.

The Family Educational Rights and Privacy Act of 1974 (FERPA) is the primary law governing the privacy of student records in higher education and K-12 schools. FERPA ensures students and their parents the right to review educational records and to correct any inaccurate or privacy-violating information. It also prohibits schools that receive federal funding from disclosing educational records without written consent from the student, or a parent if the student is under 18.

FERPA contains a number of exemptions, however, including student “directory information,” which may be disclosed without consent if the school gives public notice of the categories of information contained in its directory and a reasonable amount of time for students or their parents to opt out of disclosure. Directory information can include the student’s name, address, telephone number, major of study, dates of attendance, and honors or awards earned.

It also does not require consent when information is shared with third-party contractors or consultants “to whom an agency or institution has outsourced institutional services or functions” or “for the purpose of developing, validating, or administering predictive tests, administering student aid programs, and improving instruction.” However, FERPA requires schools and institutions to enact “reasonable safeguards” to protect the confidentiality of student records and the personally identifiable information they contain.  Third parties such as SpotterEDU and Degree Analytics must comply with FERPA’s disclosure requirements and be under the school’s “direct control” when accessing student records. Schools also must have a written agreement specifying the “purpose, scope and duration” of any studies; and that the use of student information will be restricted to that purpose and not identify students or their parents; and it must be destroyed or returned once it is no longer needed.

Data breach notification

Unlike other federal privacy laws governing health records or financial institutions, FERPA does not require schools to notify students and parents if their information has been exposed in a data breach or released to unauthorized parties. It only requires schools to keep a record of the unauthorized disclosure. A few years ago, the U.S. Department of Education adopted a policy requiring schools that receive federal student financial aid under Title IV to report data breaches to the department within one day of a breach being discovered. But the department’s authority to enforce the policy is unclear. Previously, it had encouraged schools to notify students when a breach included Social Security numbers and other identifying information that could lead to identity theft.

State laws, such as the recently-enacted California Consumer Privacy Act, may require notification in cases where a third-party company is responsible for an unauthorized disclosure of educational records.  But even if a student discovers their information has been exposed, FERPA does not provide a private right to sue the school or institution that is responsible. In Gonzaga University v. Doe, the U.S. Supreme Court held FERPA lacked “clear and unambiguous” language that Congress intended to create a private cause of action. The Court’s 2002 decision thus rejected a former Gonzaga student’s FERPA claim brought under 42 U.S.C. § 1983. Therefore, a student or parent’s only right of recourse is to file a complaint with the Department of Education’s Family Compliance Office, which can threaten to withhold federal funding or issue a cease and desist order against schools that fail to comply.

FERPA’s potential shortcomings related to student data have prompted Congress to consider changes. In 2015, two members of Congress introduced the bipartisan “Student Privacy Protection Act,” which would have established safeguards for the storage of student data and required schools to designate a privacy officer and develop breach notification policies. Another proposal recently introduced would amend the law to specifically ban the use of student data for the marketing or development of commercial products or services. In addition, as the U.S. tries to catch up with European privacy laws, several members of Congress have introduced a comprehensive bill to establish a national right to privacy and improve data safeguards for online consumers.

The fact that colleges are increasingly collecting data on student habits and behavior that is shared with private entities should prompt Congress to act. Educational records already contain sensitive data such as disciplinary records, Social Security numbers, and financial information. Adding reams of data and personalized risk scores creates another potential vulnerability. As recent news reports demonstrate, hackers are increasingly targeting schools for access to sensitive student information.

Beyond the issue of data privacy, there is the question of whether tracking students on campus sends the wrong message. More than 70 percent of American college students recently surveyed by Educause were confident in their school’s ability to safeguard their personal information and data, but only 44 percent understood how their institution used such information, and only 45 percent believed it benefitted them.  As a lawyer for the Electronic Frontier Foundation, a privacy watchdog, noted: “A public university is a teacher, telling students what is proper in a democratic society.”