The U.S. Education Department wants to encourage colleges and the tech companies they work with to protect student data from misuse. But the agency’s power to protect the privacy of people taking free, online courses is essentially nonexistent.
“Data in the higher-education context for MOOCs is seldom Ferpa-protected,” Kathleen Styles, the Education Department’s chief privacy officer, said on Tuesday at a symposium on student privacy. In other words, people who take free online courses known as MOOCs, or massive open online courses, are not covered under the Family Educational Rights and Privacy Act, known as Ferpa, which stipulates how colleges must protect the “education records” of their students.
That puts those taking MOOCs in a kind of limbo. They are not technically students, even though the courses are offered by colleges, some of which receive a portion of revenue from fees for certificates of completion.
The Education Department has little power to impose its own privacy standards in those courses, said Ms. Styles, “because MOOCs are seldom paid for with Title IV, government-funded dollars.”
Still, the issue is murky. The two highest-profile MOOC providers—edX, the nonprofit founded by Harvard University and the Massachusetts Institute of Technology, and Coursera, the Silicon Valley company founded by Stanford University professors—actually disagree on whether Ferpa applies in free, online courses.
And edX is acting as if the law does apply.
“edX is subject to and will comply with all Ferpa requirements governing the use and redisclosure of personally identifiable information” it collects on MOOC registrants, according to an excerpt of edX’s standard agreement with its college partners, provided to The Chronicle by Tena Herlihy, the organization’s general counsel. The company also mentions the federal law in a privacy policy posted on its website.
“The community is trying to still figure out whether and how Ferpa applies,” said Ms. Herlihy in an interview. And so the MOOC provider seems to be playing it safe, treating the data of freelance learners as if they were students enrolled at a university.
Coursera, by contrast, does not believe federal student-privacy laws apply to MOOCs, according to Vivek Goel, the company’s chief academic strategist. But the company does follow the “principles” of Ferpa when handling the data of its users, according to Mr. Goel.
Some universities that offer MOOCs on Coursera’s platform have taken a similar stance. The University of Pennsylvania guards the personal data of MOOC registrants as closely as that of the students enrolled on its campus, say officials there—but because it wants to, not because it has to.
“From a legal perspective, it’s our view that, because they are not registered as students at the University of Pennsylvania, they are not protected by Ferpa,” Edward B. Rock, a professor of business law at Penn’s law school, said in an interview.
The University of Illinois at Urbana-Champaign, another Coursera partner, takes the same position in an online FAQ for faculty members: “The university does not consider participants in our Coursera courses to be students of the University of Illinois and thus Ferpa regulations do not apply.”
Every Click, Every Word Recorded
Colleges and the technology companies they work with collect a lot of data from students who take MOOCs. At Tuesday’s symposium, Justin Reich, a research fellow at Harvard University, enumerated some of the data collected in the MOOCs Harvard offers on the edX platform.
Students registering on the edX website are asked to submit their name, gender, level of education, year of birth, and address, said Mr. Reich. Then they can sign up for courses offered by any of the dozens of institutions that provide courses on the edX platform.
“As soon as they enter those courses, the platforms are going to start tracking data about pretty much every action they take on that platform,” said Mr. Reich. That includes not only traditional records like grades, but also “every click that every student has produced, every word of text they’ve submitted,” he said.
Coursera, the Silicon Valley-based MOOC provider, also collects plenty of data from people who register for free, online courses offered by its partner colleges. The company asks for names and email addresses, and conducts surveys throughout many of its courses, according to Mr. Goel. And, like edX, it collects “clickstream” data and text from discussion forums.
“Within forum postings, people will give very detailed personal information about themselves,” said Mr. Goel.
Very few of the millions of people who have taken MOOCs through Coursera and edX probably know how much data on them are tracked in the courses, or how the data are cared for.
Ms. Styles cited a May report by the President’s Council of Advisors on Science and Technology, which made the general point that terms of service and privacy policies are not widely read or understood.
“Only in some fantasy world,” wrote the council members, “do users actually read these notices and understand their implications before clicking to indicate their consent.”
The edX and Coursera representatives acknowledged that the same is probably true in the case of MOOCs.
“If they do glance through the terms of use,” said Mr. Goel, “I think the click-through rate to the privacy policy is an infinitesimal percent of the infinitesimal percent of people who actually read the terms of service.”
Steve Kolowich writes about how colleges are changing, and staying the same, in the digital age. Follow him on Twitter @stevekolowich, or write to him at steve.kolowich@chronicle.com.
