Without time to prepare, students and teachers have rushed together into the world of distance education. My inbox is fuller than usual with offers of free content, pleas to “try our platform,” and promises that “our product will make distance learning a breeze.”

At first, the noise from the ed tech sector was too much even for me, a veteran school librarian whose job is to wade through a constant deluge of resources. But here we are, in unchartered territory, trying to make the best out of a bizarre situation.

Unfortunately, in our rush to keep school going, we’ve opened an ugly can of child privacy worms—a can that librarians regularly advocate to keep tightly shut.

In the last two weeks, reports of “Zoombombing”— the dropping in of unwelcome persons into Zoom rooms—have become more prevalent. An article in The Washington Post reported that dozens of Zoom recordings have been saved to unprotected cloud storage spaces and can be easily found through simple, online searches (Harwell, 2020). New York City public school teachers have been told to stop using Zoom altogether because of the increased sounding of security and privacy alarms.

While Zoom may be getting the most press right now regarding privacy breaches, unfortunately, issues with this singular platform are not the only cause for concern.

Librarians and educators must be aware of two laws, COPPA and FERPA, that help protect student privacy and their personally identifiable information (PII). PII can include a child’s name, address, social security number, screenname, geolocation information, grades, IEP/504 designations, medical information and more. Let’s break down each of these laws and see how they might guide our actions during distance learning.

First, the Children’s Online Protection Act, commonly referred to as COPPA, requires websites, apps, and other online services to obtain parental consent before collecting any personally identifiable information from children under the age of 13. COPPA also requires sites that collect information from minors to:

• have clearly visible privacy policies
• give parents direct notice of their privacy policies
• allow parents to review any data collected from their child
• maintain the confidentiality and security of any information collected.

Children under the age of 13 are likely giving up PII to companies currently offering free services while the adults have not paused to consider the COPPA compliance of each company. So, what can librarians do?

1. Continue supporting teachers with the tools they have rather than rushing to recommend new ones. When educational organizations enter into agreements with ed tech companies, they’ve already done due diligence to ensure a child’s data will be protected. So instead of forwarding a “try this free” email to your staff, offer teachers ideas to creatively use tools their students already have accounts for. Why introduce a new app for creating books when a Google slide-deck could ultimately support the same writing goal?
2. Do the behind-the-scenes work. If librarians need to recommend free tools to teachers, we must conduct research on the product’s compliance with COPPA. Does the site have their privacy policies clearly posted? Do you understand how your students’ PII will be collected, stored, and secured?
3. Help teachers communicate with parents. The Federal Trade Commission allows schools to act in lieu of parents when granting a company consent for data collection. Schools, though, assume the responsibility of notifying parents about the applications their children are using and how each platform collects, utilizes, and protects their child’s data. When you recommend a new COPPA compliant tool to your teachers, create simple and clear communications about that company’s privacy policies that can be forwarded to families.

The second law to consider during distance learning is FERPA, the Family and Educational Rights and Privacy Act. FERPA requires schools to maintain varying levels of security regarding student records and PII. Distance learning puts students and teachers into a unique circumstance where FERPA violations may unintentionally occur. Librarians can help by providing basic guidelines for upholding student privacy during remote learning.

1. Utilize settings to create a secure classroom environment. Teachers who are not frequent users of virtual classrooms may be unaware of the various setting options. These allow them to control who can enter their classrooms and what participants can do once they’ve arrived. Librarians can read up on the setting options for their school’s virtual classroom platform and develop clear, easy to follow recommendations that can help teachers proactively create secure learning environments.
2. Do not disclose PII during virtual meetings. With students tuning in from their homes, our classrooms are larger than ever before. Whether a parent is providing tech support, or a sibling working nearby, it is safe to assume the students in front of your screen are not the only ones hearing your lesson. Educators should refrain from asking about student health, helping a child with a forgotten password, or addressing academic concerns in a large, virtual setting. Instead, teachers can set up one-on-one virtual meetings with families or communicate the concerns they have for individual students via email or phone call.
3. Monitor who has access to lesson recordings. Many platforms have the option to record a live meeting and archive it for later use. This can be an excellent way to provide instruction to students who were unable to join the live session. To protect student privacy, teachers must ensure that the recordings are not available to the public. If users are saving recordings to a cloud service like Google Drive or Drobox, the list of those with access should be limited to users within the organization, who then communicate links directly to students via email or other private communication channels rather than posting them to a public facing classroom webpage.
4. Don’t over-share on social media. Many screenshots of Zoom calls or Flipgrids shared on social media include PII, like student names, alongside faces. School names and locations are often easy to find in the teachers’ social media profile. Most screenshots also have Zoom Room IDs visible in the upper left corner which is a fast way to attract unwanted guests to the digital classroom. Well-meaning educators have posted invitations to “family story nights” or other events, including a link to the meeting space in their public social media posts. Unfortunately, those publicly advertised events become a devil’s playground for pranksters, trolls, and other bad actors. Virtual room links and passwords should only be shared directly with families and students via private means, such as email, in order to protect the privacy of students and the security of the digital classroom space.

Clearly, we are in uncharted territory, but librarians have always been champions of student privacy, and we can continue to do so during this time of remote learning. Rather than waiting for a mistake to happen, librarians can step up and proactively help their staff avoid some of the child privacy violations that have, unfortunately, occurred in other places. For more information about child privacy and remote learning during Covid-19, visit studentprivacy.ed.gov.

Kristen Mattson is a high school library media specialist in Aurora, IL.