A model Google contract that has strong student privacy protections

We have received many questions from parents and teachers  over the last few weeks concerned about the privacy practices and policies of the various ed tech tools and programs being adopted hurriedly by schools and districts in the wake of the coronavirus crisis.  One of the most widely used programs, even before many schools were shut down, was Google classroom or G-suite.

We just received a copy of the model G-suite contract that upstate NY administrators negotiated this fall with Google that complies with NY State’s student privacy law, Education § 2-d.  Because of the relative strength of this law, New York state received a B-, the second highest grade of any state in our state privacy report card, .

Parents in NY and elsewhere should ask their districts for a copy of their contract with Google Suite to see if it includes the same or similar privacy-protective provisions.  If not, ask why, and whether their district could negotiate a similar contract, or if in NY State, simply opt into this one.  If your NY district refuses to make available the contract upon request, you should remind them that they are required to post all contracts online that allow for the disclosure of student data, according the regulations promulgated by NY State Education Department in January.

BOCES model contract with Google – G Suite 19-20

BOCES district Opt-In – Erie1 9.3.19

How to safeguard your family’s health while they use screens and digital devices

by Cindy Eckard, reposted from Screens and Kids

Some basic measures could help protect your family from avoidable aches, strains, eye health impacts and sleep disruptions while using the schools’ digital devices at home. Some of the following suggestions also relate to the potential for these devices to cause fires. Be careful.

This is not to be construed as medical advice. Consult your device manufacturer for explicit safety warnings and instructions.

However, the following suggestions have been culled over several years from a variety of professional sources identifying a broad number of associated health risks:

Princeton Univ. (ergonomics; eyestrain)
HP’s health & safety warnings
Dell’s health and safety warnings
The Sleep Foundation (blue light & sleep)
Johnson & Johnson Vision (myopia)
Prevent Blindness (blue light)
American Heart Assoc.  (kids’ screen time)
World Health Org. (gaming disorder)
OSHA/NIH (ergonomics checklist)
Oregon OSHA (improving work spaces)
Cornell University (children’s ergonomics)

Hewlett Packard’s information is extensive, and includes helpful videos – it’s a very good resource.

According to Dell (a Chromebook manufacturer) laptops were never designed to be safe full-time workstations – they require modification to make them ergonomically safer.

1. The screen should be just below eye level. Depending on the height of the user and the relative height of the surface the device is resting on, it’s likely you’ll need a monitor stand to raise the screen to the proper level.

OSHA/NIH Graphic

This lightweight, inexpensive, adjustable, folding monitor stand can be found on Amazon. It easily adjusts to the height of any user.

2. Once the monitor is raised to the correct height, the keyboard is at an awkward angle, so an external keyboard is recommended, along with a mouse (not a scratchpad).

There are many options available – here is a lightweight, inexpensive external mouse and keyboard.

Now your laptop can be used in a manner that experts suggest might help you and your child avoid discomfort or injury.

1. Sit up straight at a table or desk, with feet flat on the floor
2. Keep arms at 90-degree angle
3. Adjust the device so that the top of the monitor is just below eye level
4. Keep monitor at least 15″ from the face
5. To prevent glare, set up workstation perpendicular to windows (remove light sources from directly in front of, or behind, the monitor)
6. Blink. Keep blinking. Remind your kids to blink.
7. Take frequent breaks – stretch, get a drink of water… dance!
8. Turn off devices around sundown
9. Remove all devices from bedrooms at night
10. Consult your device manufacturer’s health and safety warning documentation

1. Use devices on laps, or place on beds or cushions
2. Have screen closer than 15″ from face
3. Look down at screen, or use device lying down on bed, couch or floor
4. Sit on feet, or sit slouched over device
5. Work for more than 30 minutes without a stretch/water – or dance!- break
6. Stare into monitor without blinking
7. Allow young kids to use devices without supervision, or rely on devices to keep kids occupied
8. Stay on devices – or allow kids to – close to bedtime
9. Put light source in front of or directly behind monitor
10. Allow or require kids to use devices without offering alternatives

As we all face unchartered waters in the coming days and weeks, it’s especially important that our children have the benefit of every health and safety protection we can give them.

Cindy Eckard

Montgomery MD parents ask, is our children’s privacy safe when they use Google classroom?

Many districts are now using Google classroom and Chromebooks for remote instruction while schools are closed.  Below is a sample letter for Montgomery County (MD) Safe Tech Subcommittee of MCCPTA’s Health and Safety Committee, that they are encouraging parents  to send to their district to ensure their children’s privacy while using this program.

As MCPS diligently works on distribution of Chromebooks for remote learning should school be closed longer than two weeks, I, along with the MCCPTA Safe Technology subcommittee, urge MCPS to take important precautions to protect our children’s personally identifying information as part of the roll-out. Here’s why:

As you know, we’ve been trying for over half a year to secure verification from Google that our student’s data has been deleted in accordance with the Data Deletion Day policy we worked with MCPS to develop. Without any visibility into the contracts between MCPS and Google, we have no idea what Google’s obligations are with regard to our student’s data: whether, how, and when they share and use this data.

Further, the New Mexico Attorney General’s Office filed a lawsuit against Google for deceptive trade practices in terms of how it collects, shares and uses student’s personal data. The suit alleges that “children are being monitored by one of the largest data mining companies in the world [Google], at school, at home, on mobile devices, without their knowledge and without the permission of their parents.” The New Mexico AG finds that once Google accumulates student data, it shares it across all of its business segments “for its own commercial purposes” despite having promised to use it only for educational purposes.

Up until last week, kids currently only used Chromebooks in school for limited periods of time, thus exposing only a limited amount of information to Google. Once we allow students to use Chromebooks at home, they’re likely to use them for school work for exponentially more time — given social distancing, no teacher oversight, etc. This will turn the small spigot of information that currently flows to Google into a virtual fire hose.

Prior to rolling out the Chromebooks for home-based learning, MCPS must require a written promise from Google stating that they segregate student usage information from all of their other lines of business; do not share, or otherwise utilize this data for any other purpose other than to provide the educational services; will delete all student data collected during this national crisis at the end of the current school year.

Google is required to protect our children’s data under their current contract with MCPS. They would be negligent to deny this request, and ‘crisis capitalists,’ as well.

We look forward to working with you on this. As you know, my experience in the cybersecurity arena is long and deep. I have additional experience as a first responder and know the value of being prepared and staying ahead of potential damage and threats to communities. I feel strongly that we do this now, and offer my continued assistance.

Sincerely, [sign here]

Advice to parents on maximizing privacy & minimizing screen time while your child’s school is closed

For the millions of parents whose children’s schools are closed, here is some advice on trying to minimize the risks from your children’s overuse of screens, and to maximize their privacy if they are using ed tech apps.


Many ed tech programs are neither private nor secure; they collect and share children’s personal data, often without your knowledge or consent.  This 2018 US Dept of Ed guidance has said that schools cannot require parents to agree to the terms of online apps or programs if they violate federal privacy law.   Ransomware, hacking, and identity theft also increase when using online programs, as the FBI has warned .  Generally,  your child’s data can only be used only for educational purposes, and the app’s privacy and terms of services should clearly say this.

For more specific advice on  what federal student privacy law requires and red flags to look for in reading a privacy policy,  check out our Parent Toolkit for Student Privacy.   Teachers should consult our Educator Toolkit .  If you sign your children up for an online program,  better to use one that does not require you to create an account or offer any personal information.  If you must, use an alternative email address  for the that you can later delete, and do not provide any personal information  that you would not like shared with others.

Many schools  and colleges are using Zoom.  Be aware that EPIC filed a privacy complaint against Zoom for intentionally allowing web cameras to be operated without users’ knowledge or consent.  You might consider keeping a band aid or other removable sticker on your computer’s web camera until you or your child intends to use it.  Its standard privacy policy, according to Future of Privacy Forum, allows targeted advertising, which violates FERPA and many state student privacy laws.  UPDATE:  Jitsi has been recommended to me to use for video conferencing; it’s free, open source and doesn’t require you make an account first .

When considering applications and tools for remote online learning, you can also check out the privacy reviews of specific apps and programs on Common Sense Media or the AppCensus, which analyzes Android apps.

Limits on screen time

World Health Organization guidelines  advise that children aged between the ages of 2 and 5 should be limited to no more than an hour of screen time per day. Older kids are not immune to health risks: myopia, sleep loss, screen addiction, ADHD and more have been linked to excessive screen use.  The more  time teenagers spend on computers and social media has also been correlated with higher rates of depression.

Some experts advise two hours of screen time maximum per day for the oldest kids, with frequent breaks; including blocks of time where they can chat online with their teacher or classmates.

In truth however, many children do not have access to devices and broadband to make online instruction a practical reality, and there is growing consensus that  it is NOT an effective educational method.  Most students enrolled in online schools actually regress in terms of learning.  More reasons why we are skeptical of online learning in general are explained in this NPE guide, What Every Parent Should Know about Online Learning.

Alternatives to online learning

In my opinion and that of some teachers I have consulted, rather than having your children sit at computers to do schoolwork would be to for their teachers to send them homework in written form, if possible.  Or you could purchase workbooks.

Personally, I have found Singapore math workbooks to be excellent.  As for reading, you could ask your children to choose a book to read for one half hour to an hour every day, depending on their age, and ask them to write something about what they’re reading or keep a diary of their time spent during this period.

As long as they maintain “social distancing”, take your children go outside every day or have them exercise inside.  Put on some music and dance! 

Try not to worry if your kids aren’t spending much time studying.  Don’t be concerned about the state tests either. The US Department of Education has issued guidance that states and districts where schools are closed for long periods can submit applications to waive or postpone their mandated tests this year.

For more screen-free ideas and updates, check out the advice from the Campaign for Commercial Free Childhood  Liat Olenick, NYC teacher, has provided valuable ideas on Twitter on how teachers and schools can support families during extended periods of closure.

Sen. Gillibrand’s press conference today about her bill to create a Data Protection Agency

This afternoon I spoke at a press conference in NYC to support Sen. Gillibrand’s new bill to create a new federal agency specifically devoted toward protecting privacy, called the Data Protection Agency.  The bill is posted here; more about it is here.   

The statement I gave is below; and below that is the press release, with quotes from Sen. Gillibrand and the other two privacy experts pictured above, Caitriona Fitzgerald of EPIC and Prof. Ezra Waldman of NY Law School.

Hi, my name is Leonie Haimson, and I’m co-founder and co-chair of the Parent Coalition for Student Privacy.  We are one of the many organizations that have  submitted complaints to the FTC about the way companies like Facebook, Google and Google Play Apps have been illegally harvesting young children’s information and potentially using it for commercial purposes without parental consent in violation of COPPA.  And yet the FTC’s response to these complaints has been silence, or at best a mere slap on the wrist, a symbolic fine that barely touches the huge profits of these companies.

In addition, the FTC has put out a series of contradictory guidance documents about how COPPA applies to the collection of personal data from children in schools that has managed to confuse nearly everyone.  As a result, each school and district interprets their responsibilities differently about whether or not they even inform parents beforehand, no less ask for their consent, . when their children are assigned programs to use that require them to upload their personal information.

For example, Google Apps for Education, also called G-suite, is used in literally tens of thousands of schools across the country; and yet many parents are concerned about the amount of personal data Google collects from their children, including their geolocation and metadata, and how this information may be abused.

More recently, the FTC has signaled that they may be rewriting regulations for COPPA regulations to further weaken student privacy, in and out of the classroom, causing us to worry that they are more interested in serving the commercial interests of the ed tech industry instead of keeping our children safe from commercial exploitation.  We are also extremely concerned about the non-transparent algorithms increasingly being used in classrooms across the country to direct children’s learning and steer their educational trajectories – algorithms that may feature inherent biases and be based on inaccurate data.

All this further reconfirms our conviction that it is absolutely necessary that an independent agency be established that has as its first priority protecting the privacy of Americans, especially our most vulnerable children, and which can look into these troubling issues with more objectivity and care.  Thank you Senator Gillibrand, for introducing the Data Protection Act,  and our Parent Coalition is committed to doing all we can to help get it passed.

From: Gillibrand, Press (Gillibrand) <Press_Gillibrand@gillibrand.senate.gov>
Sent: Sunday, February 23, 2020 1:59 PM


Sunday, February 23, 2020

Contact: Evan Lukaske, 202-224-3873


The Data Protection Act Would Create a Consumer Watchdog to Give Americans Control and Protection of Their Data, Promote a Competitive Digital Marketplace, and Prepare the U.S. for the Digital Age

U.S. Still One of the Only Democracies Without a Data Protection Agency

New York, NY — Alongside data privacy experts and advocates, U.S. Senator Kirsten Gillibrand today announced her landmark legislation, the Data Protection Act, which would create the Data Protection Agency (DPA), an independent federal agency that would protect Americans’ data, safeguard their privacy, and ensure data practices are fair and transparent. The push for a national agency to oversee data privacy comes as leaders from EPIC, the Parent Coalition for Student Privacy, the New York Law School’s Innovation Center for Law and Technology and Institute for CyberSafety, and more express concern for the growing data privacy crisis that looms over the everyday lives of Americans. The U.S. is one of the only democracies, and the only member of the Organization for Economic Co-operation and Development (OECD), without a federal data protection agency.

“Technology is connecting us in new significant ways, and our society must be equipped for both the challenges and opportunities of a transition to the digital age. Data privacy is becoming an urgent concern for the everyday lives of Americans and the government has a responsibility to step forward and give them meaningful protection over their data and how it’s being used,” said Senator Gillibrand. “Data has been called ‘the new oil.’ Companies are rushing to explore and refine it, ignoring regulations, putting profits above responsibility, and treating consumers as little more than dollar signs. Like the oil boom, little thought is being given to the long-term consequences. The U.S. needs a new approach to privacy and data protection. We cannot allow our freedoms to be trampled over by private companies that value profits over people, and the Data Protection Agency would do that with expertise and resources to create and meaningfully enforce data protection rules and digital rights.”

“EPIC applauds Senator Gillibrand for filing the Data Protection Act,” said Caitriona Fitzgerald, EPIC Policy Director. “The United States confronts a crisis. The Federal Trade Commission has consistently failed to protect consumers. The system is broken. A Data Protection Agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges is needed now.”

“It is absolutely necessary that an independent agency be established that has as its first priority protecting the privacy of Americans, especially our most vulnerable children, and which can look into these troubling issues with more objectivity and care. Thank you Senator Gillibrand, for introducing the Data Protection Act, and our Parent Coalition is committed to doing all we can to help get it passed” said Founder of Parent Coalition for Student Privacy Leonie Haimson.

“Privacy is a civil right, not a good to be traded in the market. The FTC has tried, but it has overseen the erosion of personal privacy with the lightest of light regulatory touches. It is structurally incapable or unwilling to do what needs to be done to protect privacy from companies that will do anything to extract our data. Along with other proposals from Senate Democrats, Senator Gillibrand’s Data Protection Agency is necessary to empower individuals in the digital economy” said Ari Ezra Waldman, Director of the Innovation Center for Law and Technology at New York Law School and Founder and Director of the Institute for CyberSafety.

As the United States transitions into the digital age, the DPA will address America’s growing data privacy crisis. The new agency will have the authority and resources to effectively enforce data protection rules—created either by itself or congress—and would be equipped with a broad range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. The DPA would promote data protection and privacy innovation across public and private sectors, developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data.

Massive amounts of personal information — public profiles, health data, photos, past purchases, locations, search histories, and much more — is being collected, processed, and in some cases, exploited by private companies and foreign adversaries. In some instances, the data was not given willingly, and in many others, consumers had little idea what they were signing up for. As a result, the data of everyday Americans is being parsed, split, and sold to the highest bidder, and there is little anyone — including the federal government — can do about it. Not only have these tech companies built major empires and made billions from selling Americans’ data, but they spend millions of dollars per year opposing new regulations.

In recent years, major data breaches have occurred at banks, credit rating agencies and tech firms. In 2017, Equifax failed to safeguard the sensitive credit data of hundreds of millions of Americans, allowing a foreign government to steal and expose this information. In 2018, Facebook exposed the personal information of nearly 50 million users because it reportedly ignored warnings from its own employees about a dangerous loophole in its security. Additionally, the Federal Trade Commission (FTC) has failed to enforce its own orders and has failed to act on dozens of detailed consumer privacy complaints alleging unfair practices concerning data collection, marketing to children, cross-device tracking, consumer profiling, user tracking, discriminatory business practices, and data disclosure to third-parties.

The Data Protection Agency explained:

The DPA would be an executive agency. The director would be appointed by the president and confirmed by the Senate, serves a 5-year term, and must have knowledge in technology, protection of personal data, civil rights, law, and business. The agency may investigate, subpoena for testimony or documents, and issue civil investigative demands. It may prescribe rules and issue orders and guidance as is necessary to carry out federal privacy laws. The authority of state agencies and state attorneys general are preserved in the Act.

The DPA would have three core missions:

  1. Give Americans control and protection over their own data by creating and enforcing data protection rules.
  • The agency would enforce privacy statutes and rules around data protection, either as authorized by Congress or themselves. It would use a broad range of tools to do so, including civil penalties, injunctive relief, and equitable remedies.
  • The agency would also take complaints, conduct investigations, and inform the public on data protection matters. So if it seems like a company like Tinder is doing bad things with your data, the Data Protection Agency would have the authority to launch an investigation and share findings.
  1. Maintain the most innovative, successful tech sector in the world by ensuring fair competition within the digital marketplace. 
  • The agency would promote data protection and privacy innovation across sectors, developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data.
  • The agency would ensure equal access to privacy protection and protect against “pay-for-privacy” or “take-it-or-leave-it” provisions in service contracts—because privacy, including online privacy, is a right that should be enforced.
  1. Prepare the American government for the digital age.
  • The agency would advise Congress on emerging privacy and technology issues, like deepfakes and encryption. It would also represent the United States at international forums regarding data privacy and inform future treaty agreements regarding data.

The full text of the legislation may be found here.