Data Brokers and the Sale of Students’ Data

Data Brokers and the Sale of Students’ Data

Privacy and Policy Implications — and How Students Feel About It

By: Alistair Simmons

July 2023

Overview:

This report investigates the protection and vulnerability of student data within the data brokerage ecosystem. It specifically examines the privacy and policy impacts of the sale of student data and whether students are equipped to protect their own data. First, it examines the existing research on the topic, analyzes additional information about data brokers selling and monetizing data about students, and looks at gaps in U.S. laws and regulations. It finds that data brokers are gathering and selling a wide variety of data points about students in the U.S., including data about students under the age of 18. Then, it presents the results of a survey of college students about the sale of their own data and how they feel about this practice. It concludes with discussing how this practice harms students and how U.S. policymakers can fill in the gaps.

Key Findings:

This study finds:

  • There are numerous sources reporting student data.
    • Most post-secondary institutions directly report student data to National Student Clearinghouse.
    • Directory information is published by schools and collected by data brokers.
    • Student data can be accessed for credit reports and background checks.
    • In the Vermont data broker registry, National Student Clearinghouse, Equifax, Experian, and TransUnion state that they collect data on minors.
  • There are numerous benefits to reporting student data.
    • National Student Clearinghouse reports enrollment data to the Department of Education.
    • National Clearinghouse adds 5 million missing students every year to the Department of Educations’ student loan database.
    • National Student Clearinghouse helped resolve 6.5 million errors in students’ data.
  • There are numerous harms associated with the collection and sale of student data.
    • Expenses from incorrect student data can compound and put students in debt or result in denial of student loans.
    • Scholarships.com collected lists of students who are or are affiliated with someone who is suffering from domestic abuse.
    • “Student data” can include sensitive data points such as teen pregnancy.
    • Student data can be used to make discriminatory decisions about college acceptance.
  • Students have filed lawsuits with data brokers to gain control over their student data and attain redress for harms associated with student data.
    • In Robinson v. National Student Clearinghouse (2021), students sued for having to pay to access their transcripts.
    • In Katherine Sass and Cody Hounanian v. Great Lakes Educational Loan Services (2020), Equifax Information Services (2020), TransUnion (2020), Experian Information Solutions (2020), and VantageScore Solutions (2020), students sued data brokers for inaccurately reporting millions of students’ financial data, causing financial damages.
  • Students need more information and desire the right to consent to the sale of student data.
    • In the student survey, there was a unanimous belief that students should consent to having their data shared.
    • Most students did not know how to verify their student data on National Student Clearinghouse.
  • The current patchwork of privacy laws does not adequately protect student data.
    • Despite sharing data with credit reporting agencies, National Student Clearinghouse states they are not a Consumer Reporting Agency regulated by the Fair Credit Reporting Act (FCRA).
    • The Family Educational Rights and Privacy Act (FERPA) § 99.31 allows schools to disclose student data to certified contractors without prior consent.
    • Schools should notify students that they can opt out of disclosing directory information under FERPA § 99.37.
    • The Children's Online Privacy Protection Act (COPPA) only restricts online companies from collecting data on children under the age of 13.
Author:

Alistair Simmons is an undergraduate student at Duke University and a research assistant on the Sanford School of Public Policy’s data brokerage research project.

 

Publication Note:

The author would like to thank Justin Sherman who leads the data brokerage research project at Duke University’s Sanford School of Public Policy for his guidance and assistance, Professor Lee Tiedrich for helping revise this report, and Professor David Hoffman for his feedback on the report.

The Duke University Cyber Policy Program receives unrestricted funding from a number of organizations which the faculty leaders of the program have determined to have had a long-term commitment to privacy and cybersecurity. Certree has been one of the funders of the program, and their business involves providing privacy protections for student data. None of the program funders have editorial control over the content of this or any other work product of the program. For more information on program funding, refer to Funding Transparency.