400 edtech companies have signed a "student privacy pledge", but they suffer
no penalty when they violate it.

Aside from the lack of enforcement, the pledge itself is too weak. It
excludes only a limited subset of the possible misuses of student data.
The right way to handle most student data is
never to let any organization other than the school get its hands on
the data.

There are a few special circumstances in which student data needs to
be held by an organization outside the school itself. Standardized
tests are one of these. In those circumstances, the proper pledge is,
"We pledge not to keep any copy of the student's data other than name,
address, identification number and overall test results. We pledge
not to allow any use of these data, except that specific schools
by the student can verify the test results."

Another special case is plagiarism checking. The school should
never reveal to such a site anything about the student who wrote the
paper being checked — not even that the same student wrote some other
previous paper. The school should invent a new "student name" for
each paper and only the school should know which student that
corresponds to.
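
The per-paper naming scheme described above, sketched as an added example
that is not part of the original note. The class, function and field names
are hypothetical, and the paper text is assumed to have had the student's
real name removed before submission.

```python
import hashlib
import secrets


class PseudonymRegistry:
    """School-side table linking per-paper pseudonyms to students.

    Hypothetical helper for illustration; the table never leaves the school.
    """

    def __init__(self):
        self._owner = {}  # pseudonym -> student_id, kept only at the school

    def prepare_submission(self, student_id, paper_text):
        """Return the only data sent to the plagiarism-checking site."""
        # Fresh random name per paper: it carries no information about the
        # student and cannot be matched against any earlier submission.
        pseudonym = "author-" + secrets.token_hex(16)
        while pseudonym in self._owner:  # collision is practically impossible
            pseudonym = "author-" + secrets.token_hex(16)
        self._owner[pseudonym] = student_id
        return {"author": pseudonym, "text": paper_text}

    def resolve(self, pseudonym):
        """School-only lookup, used when the site reports a match."""
        return self._owner[pseudonym]


def hashed_alias(student_id):
    """Counter-example: a stable alias derived from the student ID.

    It hides the name but is identical on every paper, so the site can
    still tell that two papers came from the same student.
    """
    return "author-" + hashlib.sha256(student_id.encode()).hexdigest()[:32]


if __name__ == "__main__":
    registry = PseudonymRegistry()
    # Constructed sample data: one student submitting two papers.
    first = registry.prepare_submission("S-1001", "Essay on tides ...")
    second = registry.prepare_submission("S-1001", "Essay on comets ...")
    print(first["author"], second["author"])   # two unrelated names
    print(registry.resolve(first["author"]))   # the school maps it back
    print(hashed_alias("S-1001") == hashed_alias("S-1001"))  # linkable alias
```

The hashed alias is shown only for contrast: any name derived from the
student's identity repeats across papers, which is exactly the link the
school should not reveal.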