Exams administration board pays $750,000 to settle student privacy allegations
Posted: April 3, 2024
The College Board, a not-for-profit organization that administers standardized tests used for college admissions in the US, has agreed to pay $750,000 to settle claims that it violated high school students’ privacy.
The Board allegedly sold personal information collected from students when they took the “SAT” exams and other tests. The settlement, reached with New York Attorney General Letitia James, also requires the Board to stop selling students’ personal data and comply with relevant privacy laws.
Attorney General James found that the College Board sold data about more than 237,000 New York students in 2019 alone.
The Board was found to have unlawfully sold data, including students’ “grade-point average” (GPA), their anticipated study areas, whether they were interested in religiously affiliated colleges, and their family income.
How did the Board ‘sell’ students’ data?
The College Board’s alleged sale of students’ personal data occurred via the Student Search Service, which was set up in 1972 to provide insights about students to educational institutions for recruitment and marketing purposes.
In 2022, the Board reportedly earned nearly $6 million by licensing data through the Student Search Service, with similar amounts raised in each of the preceding five years.
Following an investigation of the Student Search Service, the College Board was found to be a “third-party contractor” under Section 2d of the New York Education Law (NYEL). As such, the Board is prohibited from using student data for commercial or marketing purposes.
What’s Section 2d of the New York Education Law?
Section 2d prohibits third-party contractors from disclosing any student’s personally identifiable information (PII) received from educational agencies to “any other party” without the prior written consent of a student’s parent (or the student, if they are over 18).
Regulations issued under the NYEL also prevent the disclosure of students’ PII for “commercial or marketing purposes”.
The NYEL and its regulations draw their definition of PII from the Family Educational Rights and Privacy Act (FERPA) regulations (34 CFR § 99.3), which state that PII “includes, but is not limited to”:
- The student’s name
- The name of the student’s parent or other family members
- The address of the student or student’s family
- A personal identifier, such as the student’s social security number, student number, or biometric record
- Other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name
- Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty
- Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates
The NYEL regulations were not in effect for the whole of the period relevant to the settlement. However, the Attorney General notes that the Board lobbied the New York State Education Department (NYSED) for an exemption to the rules in 2019.
Did students consent to the disclosure of their PII?
In some cases, the College Board obtained consent for sharing students’ PII. Getting consent gave the Board a legal route to share students’ PII before the NYEL regulations tightened the rules.
However, the Attorney General also criticized how the Board obtained students’ PII and requested their consent to disclose it.
“The surveys and/or sign-up flows were presented to students as optional, although many students were first solicited to participate in [the Student Search Service] in the high-pressure context of an important exam and were encouraged to sign up because it will connect them with scholarship and college opportunities.”
This settlement is one of many recent examples of authorities applying strict interpretations of privacy law.
From the Federal Trade Commission’s (FTC) scores of recent privacy enforcement actions to the establishment of the California Privacy Protection Act (CPPA), regulators are clearly attempting to rein in the egregious sharing of personal data.
Coupled with the proliferation of new data protection legislation – with nearly a third of US states having passed or enacted “comprehensive” privacy laws in the past two years – the privacy tide is undeniably turning in the US.