As lawyers represent schools, parents, edtech companies, and other education stakeholders, schools must advise clients about how to navigate an increasingly complex web of legal requirements. Moreover, state and federal policymakers are continually regulating what information schools can collect and share online and what website and online application operators can do with it. The following resources are intended to help lawyers access current and accurate information about student privacy.
Schools, school systems, and anyone who has access to students’ personal information must do everything in their power to ensure that student information is protected and used to support students. SEAs should use these principles to build upon, not just comply with federal, state, and local laws. Some signatories include AASA: The School Superintendents Association; the National PTA; the Council of Chief State School Officers; and the National School Boards Association.
Communicating with Districts and the General Public
Parents want to know how their child’s data is being collected, used, and protected, but may not have more than 10 minutes to search out answers. There are many resources that school attorneys can look to for communication guidance.
Highlight model websites for your districts, and provide useful links to resources on the SEA website for both districts and parents. The first place many parents will go to find answers is their school or district’s website. It is vital to have accessible information on your website. This doesn’t have to be complex. A great example is the Chesterfield County Public Schools (see screenshot), which is extremely simple. It has links to:
- A list of what apps the district is using and the privacy policies for those apps (do your districts not know what apps your district is using? Advise them to take a survey, or use a product like LearnTrials or Catch On);
- The Privacy Policies & Guidelines for the district;
- Privacy FAQs; and
- A link to a Google form where parents can ask a quick question that gets automatically sent to the person in charge of privacy for that district.
There are many other great website examples!
- Chesterfield County Public Schools Privacy Page
- Fairfax County Privacy Page
- Ventura County e-Safety Committee Task Force
- Houston ISD Privacy Page
- Denver Public Schools Student Data Privacy Page
- Wisconsin SEA Privacy Page
Don’t be afraid to take content from other SEAs and LEAs and link to other great resources!
There are many other great ways to communicate. Some SEAs have open-to-the-public regional meetings, webinars, or an annual data conference for districts. Others put information about student privacy – like a monthly privacy tip – in their monthly newsletter. Check out our favorite communications resource, the Foundation for Excellence in Education Student Data Privacy Communications Toolkit, for ideas and resources you can copy and paste.
- Transparency Best Practices (PTAC)
- Student Data Privacy Communications Toolkit (ExcelinEd)
- A Parents’ Guide to Student Data Privacy (National PTA, ConnectSafely, FPF)
- Data Quality Campaign
Have other communications suggestions or materials that other districts could use? Email them to us at [email protected].
Schools remain accountable for the security of their students’ information, even when it is managed by an outside vendor—thus, schools need to be aware of the laws that guide the collection, use, and storage of data about students and children.
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) also requires that schools give parents and students the opportunity to access information in their education records. Students and parents are allowed to review and potentially amend incorrect information within their education record. Procedures should be put in place to simplify this process.
A school may not generally disclose personally identifiable information from an eligible student’s education records to a third party without written consent. There are a number of exceptions to this rule, which are laid out in the Department of Education’s FERPA Exceptions — Summary CHART.
|FERPA Directory Information|
|Date & Place of Birth|
|Major/Field of Study|
|Dates of Attendance|
|Participation in officially recognized activities & sports|
|Weight & height of athletes|
|Degrees, honors, & awards received|
|Most recent educational institution attended|
|Student ID, User ID, or other unique identifier (that cannot be used to access education records without a pin or password)|
- FERPA gives parents and students the right to opt out of having their “directory information” shared.
- FERPA allows schools to share student information among designated “school officials” with “legitimate educational interests.” Schools must define these terms, and inform parents who they consider a “school official” and what is deemed a “legitimate educational interest.” This process allows schools to partner with outside persons or entities to provide educational tools and services.
Aside from the two most common FERPA exceptions listed above, there are a number of other circumstances when prior consent is not required to disclose information about a student. The following are categories of people/organizations that may not need express student consent to gain access to certain information about students.
|Individual/Entity Seeking Information:||Type of information available without consent…|
|Parents||Of dependent post-secondary students||Generally – any student information|
|Of Non-Dependent Post-Secondary Students|
|Schools||In which the student intends to enroll|
|Financial Aid Offices||Facts relevant to determining a student’s eligibility, amount, or conditions surrounding receiving financial aid|
|Authorized Representative of Federal, State, and Local Governments and Educational Authorities||Auditing, evaluating, or enforcing education programs|
|Organizations||Data used to conduct studies, predictive tests, administering student aid program, or improving instruction|
|Judicial or law enforcement authority||In compliance with an order or subpoena|
|Victims||Results of a disciplinary hearing of a crime of violence|
|Third Parties||Final results of a disciplinary hearing concerning a student who is an alleged perpetrator of a crime of violence and who was found to have committed a violation of the institution’s rules or policies|
|Community Notification Program||Information concerning a student required to register as a sex offender in the State|
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) guides the protection of data, when companies collect “personally identifiable information” directly from students under the age of 13. The FTC updated its COPPA guidance in April 2014 to clarify that “the school’s ability to consent on behalf of the parent is limited to the educational context – where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose…. because the scope of the school’s authority to act on behalf of the parent is limited to the school context.” School consent cannot substitute a parent’s approval “in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service.”
Protection of Pupil Rights Amendment (PPRA)
|PPRA Sensitive Information|
|Mental & Psychological Problems|
|Sex behavior & Attitudes|
|Date & Place of Birth|
|Illegal, anti-social, self-incriminating & demeaning behavior|
|Critical appraisals of other individuals|
|Legally recognized privileged or analogous relationships|
|Participation in officially recognized activities & sports|
Do you know if your state has a student privacy law? Just since 2013, 41 states have passed 126 new student privacy laws. Most of those laws impose new requirements on districts, states, and school service providers.
States can give students additional privacy protections, and many have: at least 35 states have passed laws supplementing FERPA; 45 make their data privacy policies publicly available; 48 state education agencies have established governance bodies charged with managing the collection and use of data, including how that data will be kept secure and confidential; and 45 have established policies that determine what type of data is available to select stakeholders, such as teachers and principals, who will use it to improve instruction.
The number of laws directly regulating student privacy has dramatically increased in the past three years. Since 2014, 49 states have introduced over 500 student privacy bills, with at least 100 bills introduced each year. Thirty-eight states have passed 91 laws since 2013. Generally, these laws either regulate educational agencies and institutions, such as schools, districts, and state education agencies, or regulate third parties.
Thirty-three states as of the end of 2016 have introduced either a version of California’s SOPIPA or a similar piece of legislation that regulates industry known as the SUPER (“student user privacy in education rights”) Act, and 12 states have passed those bills into law.
SOPIPA, SUPER, and other recent student privacy laws impose direct liability on ed tech operators. FERPA, which is enforced by the U.S. Department of Education is only directly enforceable against “educational institutions receiving federal funds” – which equates to most public schools. Even if a third party vendor practice causes the school to be in violation of FERPA, DOE may only hold the school liable. Any liability by the school service provider would simply be through its contract with the school. The entire purpose of states seeking to pass SOPIPA, SUPER, and other student privacy laws is to directly regulate private companies that are now so frequently working directly with students.
 “Constitutions in ten states—Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington—expressly recognize a right to privacy.” National Conference of State Legislatures, Privacy Protections in State Constitutions, December 11, 2013.
 “At least 30 states have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” National Conference of State Legislatures, Data Disposal Laws, December 26, 2013.
 Cf. Alaska Stat. § 45.48.530; Ariz. Rev. Stat. Ann. § 41-4152; Colo. Rev. Stat. § 6-1.713; N.J. Stat. 56:8-162
 Cal. Civ. Code § 1798.22: “Each agency shall designate an agency employee to be responsible for ensuring that the agency complies with all of the provisions of this chapter.”
 Epic.org, Student Privacy
SEAs and LEAs have to ensure that all data handled by agencies is stored and collected not only according to the law but also according to privacy policies. Lawyers can best help agencies by making sure they understand the impact student privacy laws and policies have on the agencies’ day-to-day functioning and by emphasizing the important role processes such as contracts with third parties, data maps, and access controls have on securing student data.
Without security, there can be no privacy. LEAs and SEAs have a responsibility to ensure that data is protected through adequate security. When contracting with educational technology vendors, school officials should make sure that these companies have privacy policies and practices that ensure data security.
Recommended Security Resources
See the video below for more information about protecting security in the context of ed tech.
Reviewing Edtech Products: Security (iKeepSafe)
Helping Districts with Data Governance
According to the National Center for Education Statistics, “data governance refers to the overall management of the availability, usability, integrity, quality, and security of data.” It is important for SEAs to know what data is collected, where it is collected, how it is stored, and more. Implementing a strong data governance plan “help[s] ensure that appropriate policies and procedures are in place to facilitate access to and use of student data while protecting student privacy.” Education agency attorneys should ensure that agencies maintain data governance plans to help not only map the flow of data, but understand and mitigate any data privacy risks.
Good governance assures accuracy, timeliness, usability, and security in data. Governance plans should define roles and responsibilities when it comes to data access, disclosure, and use; ensure data management and monitoring; and describe and set up parameters on how data is collected, accessed, and used.*
There are many great resources that K-12 school officials can use to create or improve their state, district, or school data governance plan. We recommend:
- Checklist for Developing School District Privacy Programs (PTAC)
- Data Governance Checklist (PTAC)
- Protecting Privacy in Connected Learning Toolkit for LEAs (CoSN)
- CoSN Trusted Learning Environment (TLE) Seal (CoSN)
- Roadmap to Safeguarding Student Data (DQC)
- Policymaking on Student Privacy: Lessons Learned
Developing a Privacy Program for Your District (U.S. Department of Education PTAC)
*Definition from West Virginia Department of Education
Helping Districts with Vendors
Most schools and districts partner with third parties to improve the ability of schools to use, analyze, store, and protect data. However, surveys have shown again and again that parents are very concerned about third parties having access to student data. Thankfully, many organizations have provided districts resources that can help guide them as they share data with third parties.
Additionally, almost half of US states currently use model contracts when contracting with edtech vendors. Model contracts involve districts working together to create standard, education-contract language for use throughout the state. Model contracts are are a way for districts to minimize the time and money required to engage companies each year–some districts require more than 500 individual contracts. Attorneys for education agencies should ensure that model contracts used effectively promote privacy and security requirements and are appropriate for the planned management and use of technology and student data.
Resources for Dealing with Service Providers
- Model Terms of Service: Protecting Student Privacy While Using Online Educational Services (PTAC)
- Security Questions to Ask of An Online Service Provider (CoSN Toolkit, page 13)
- Suggested Contract Terms (CoSN Toolkit, page 15)
- Protecting Student Privacy While Using Online Educational Services (PTAC)
- Seven Basic Security Checks for Evaluating Educational Platforms (FPF)
- Student Data Privacy Consortium Website (SDPC)
- Ed Tech Product Privacy Evaluations (Common Sense Media)
- Student Privacy Pledge
- Surveying Encryption Practices of Technology Used Within Schools (Common Sense Media)
Protecting Student Privacy While Using Online Educational Services (U.S. Department of Education PTAC)
Reviewing Edtech Products: Privacy, Safety, Security, and Contracts (iKeepSafe)
Is there a resource or model document for dealing with vendors that we should add? Email us at [email protected].
Resources for Lawyers
There are many great resources for lawyers on student privacy. Some of our favorite resources are listed below, but you can access all the resources we have found for service providers by clicking the Resources tab below.
- U.S. Department of Education Privacy Technical Assistance Center (PTAC)
- Data Quality Campaign
- Consortium for School Networking: Protecting Privacy
- Colorado Sample LEA Privacy and Security Policies
- Protecting Privacy in Connected Learning Toolkit for LEAs (CoSN)
- 2016 Forum Guide to Education Data Privacy (NCES)
- The Educator’s Guide to Student Privacy (FPF)
- Privacy and Student Data: An Overview of Federal Laws Impacting Student Information Collected Through Networked Technologies (Berkman Klein Center at Harvard)
- Student Privacy & Data Security: A State Education Agency Discussion Framework (CCSSO)
- California Data Privacy Guidebook (Fagen Friedman & Fulfrost LLP)
- FERPA 101 For Local Education Agencies
- FERPA 201: Data Sharing Under FERPA
- Online Course: Data Privacy? Get Schooled.’
How to Use Your District’s Website to Communicate with Parents About Data Use and Security (U.S. Department of Education PTAC)
The ABC’s of Student Directory Information (U.S. Department of Education PTAC)
Email and Student Privacy (U.S. Department of Education PTAC)
School Volunteers and FERPA (U.S. Department of Education PTAC)
Are we missing a resource you think should be included? Email us at [email protected].
Student Privacy Laws
What federal laws govern student privacy?
FERPA: The primary federal law that protects student privacy is the Family Educational Rights and Privacy Act (FERPA), which was passed in 1974. The main goals of FERPA are to ensure that information about a student is used fairly by providing annual notice to parents about their rights toward student data, namely
- the right to inspect and review records maintained by the school
- the right to seek to amend records they believe are misleading, inaccurate, or otherwise in violation of a student’s privacy
- the right to consent disclose records to other individuals
- the right to file complaints with the Department of Education if they believe their rights under FERPA have been violated
Furthermore, FERPA ensures that information about a student is only used for its intended purpose by requiring that disclosures of student data only occur with written consent. FERPA includes several exceptions to this rule that allow the school to share information without consent in specific cases that benefit students, provided that certain guardrails are in place.
Full FERPA Statute in the USC
PPRA: The Protection of Pupil Rights Amendment (PPRA) is a law that ensures that students are not coerced into divulging certain personal information. This is done by giving annual notice to parents of surveys the school will be giving and giving parents the right to inspect and review the materials. Depending on the funding source of the survey, parents will be given the ability to either opt in to participation or opt out.
Full PPRA Statute in the USC
Applicable Section of CFR
COPPA: The Children’s Online Privacy Protection Act (COPPA) is a law that regulates websites and online applications that collect information from children to ensure that they are not following deceptive practices. In general, these operators are required to provide notice and gather verifiable parental consent before collecting information from a child. Under the law, schools are allowed to provide consent in the place of a parent, provided that the website or online application only uses the information collected for educational purposes.
Full COPPA Statute in the USC
IDEA: The Individuals with Disabilities Education Act (IDEA) ensures that students with disabilities are given an appropriate education that is tailored for their needs. Since this requires collecting very sensitive personal information, the law specifies some additional privacy protections to ensure that this information is not used for other purposes.
Full IDEA Statute in the USC
CIPA: The Children’s Internet Protection Act (CIPA) is a law that provides federal funding to schools that monitor and filter internet content and requires that schools teach students about digital citizenship and staying safe online. Though it is not directly a privacy law, it hits on many aspects of privacy since schools will have to determine the appropriate amount of monitoring and filtering as well as cover protecting personal privacy as part of the digital citizenship curriculum.
Regulations of CIPA in the CFR
NSLA: The National School Lunch Act (NSLA) is a law that governs school lunch programs, and it includes provisions related to protecting financial data submitted as part of free and reduced lunch applications. Aside from being able to share a student’s eligibility status for free or reduced lunch in limited cases and for auditing the management of the program, the information from these applications can only be shared with parental consent.
Full NSLA Statute in the U.S.C.
What do state student privacy laws cover?
Between 2013 and 2018, 40 states passed 126 laws that relate to student privacy. In general, these have coincided with states moving to online statewide testing (which has increased the quantity of data created and shared) and as states have built integrated data systems that combine data from multiple state agencies. Some common goals of these laws are
- building upon FERPA and PPRA by further restricting what student data a school can collect or share with others
- providing further requirements and guardrails related to student data shared with websites, online services, and applications
- designating a chief privacy officer and other individuals at the local level responsible for ensuring compliance with privacy laws
- requiring more transparency about what data schools collect and what it is used for
- requiring that schools and vendors meet certain data security standards
- requiring notification to parents in the event of a data security breach
Do private schools have to follow these laws?
Schools that receive funding from a program administered by the US Department of Education generally have to comply with federal student privacy laws even if they receive most funding from private sources. For example, many private colleges and universities still have to follow laws like FERPA since they receive funds through the Federal Student Aid program.
Student Data Privacy Consortium – Model Contract Language for Data Protection Agreements
The Student Data Privacy Consortium (SDPC) is a non-profit collaborative of schools, districts, regional and state agencies, policy makers, trade organizations and marketplace providers that addresses data privacy concerns. The Consortium’s Privacy Contract Framework develops “common contract” language to help set clear contract term expectations.
Council of School Attorneys
The Council of School Attorneys (COSA) is a national organization of school attorneys that offers resources for practitioners, including a community research database.
Coalition for School Networking
The Coalition for School Networking (CoSN), the leading professional association for school system technology leaders, maintains a comprehensive list of education resources.
- EDUCAUSE Review
This infographic explains some of the trends and recommendations for how to upkeep your security and privacy programs.
- U.S. Department of Education
The purpose of this tool kit is to inform civic and community leaders who wish to use shared data to improve academic and life outcomes for students while prot…
Cyber Insurance protects from damages of equipment caused by breach events and some loss of service. This resource will help you figure out if you are qualifie…
- Common Sense
The Common Sense Privacy Risks and Harms report identifies risks to children and students as they engage online and identifies ways for parents and educators t…