Some privacy debates about student data have focused on access to and use of data by vendors who provide schools with various services. Relying on vendors to handle a broad range of tasks inevitably requires schools to share students’ data. Vendors must recognize the sensitivity of certain student data and act responsibly by employing good practices and providing clear and transparent policies than engender trust with schools, parents, and students.

Student Privacy Pledge

Over 300 companies have signed onto the Student Privacy Pledge, a voluntary pledge by industry to safeguard student privacy regarding the collection, maintenance, and use of student personal information. The commitments are intended to concisely detail existing federal law and regulatory guidance regarding the collection and handling of student data, and to encourage service providers to more clearly articulate these practices.

Click to see more

Parents need to trust both schools and the service providers that work with schools. In an effort to ensure parent’s can be confident in how organizations use student data, the Future of Privacy Forum and the Software & Information Industry Association developed the Student Privacy Pledge in 2014. The Pledge is legally enforceable: by taking the Pledge, a company is making a public statement of their practices with respect to student data. Accountability comes from the Federal Trade Commission (FTC), which has the authority to bring civil enforcement actions against companies who do not adhere to their public statements of practices.

Companies can apply to join the Pledge here.

Privacy and Security Tips

The Future of Privacy Forum has developed simple privacy and security tips for ed tech vendors. Check them out below.

Click to see more

Federal Laws

There are a number of important laws of which vendors of education products or services should be aware. These laws either restrict how schools can provide access to student data, limit the uses that can be made of that information, or require parental consent which can restrict how vendors may use data.

Click to see more

Family Educational Rights and Privacy Act (FERPA)

Under the Family Educational Rights and Privacy Act (FERPA), a school may not generally disclose personally identifiable information from an eligible student’s education records to a third party without written consent. However, there are a number of exceptions to this rule, which the Department of Education has laid out in a simple chart.

The most common exception applied to education service providers is the “school official” exception. Under this exception, a “school official” may obtain access to personally identifiable information contained in education records without prior consent, provided that the school had determined they have a “legitimate educational interest” in the information. The Department of Education interprets school official to generally include: professors, instructors, administrators, health staff, counselors, attorneys, clerical staff, trustees, member of committees, disciplinary boards, contractors, volunteers or other parties to whom the school has outsourced institutional services or functions.

The terms school official and legitimate educational interest are not defined by statute; rather, the school must define them and inform eligible students in its annual notification of FERPA rights. However, this exception requires that vendors act under the direction and control of the school.

The other most common exception to disclose personally identifiable information about a student without explicit consent relates to“directory information” from a student’s education record. The Department of Education defines “directory information” as “information contained in the education records of a student that would not generally be considered harmful or an invasion of privacy if disclosed. Examples of “directory information” include:

FERPA Directory Information
Student’s Name
Telephone listing
Email Address
Date & Place of Birth
Major/Field of Study
Dates of Attendance
Grade Level
Participation in officially recognized activities & sports
Weight & Height of Athletes
Degrees, Honors, & Awards Received
Most recent educational institution attended
Student ID, User ID, or otehr unique identifier (that cannot be used to access education records withought a pin or password)
    • FERPA gives parents and students the right to opt out of having their “directory information” shared.
    • FERPA allows schools to share student information among designated “school officials” with “legitimate educational interests.” Schools must define these terms, and inform parents who they consider a “school official” and what is deemed a “legitimate educational interest.” This process allows schools to partner with outside persons or entities to provide educational tools and services.

Education service providers should also be aware of other student rights granted under FERPA, including that:

  • Schools must provide parents (or certain eligible students) with an opportunity to inspect and review their student’s education records within 45 days. If a service provider is maintaining or storing student records, they should be aware of the time limits for processing such requests.
  • As a separate matter, parents (or certain eligible students) have the right to request that schools amend their student’s education records that include inaccurate or misleading information. Schools are not required to amend the record, but are required to consider the request.

The Department of Education has offered some guidance on Protecting Student Privacy While Using Online Educational Services, and requirements and best practices relating to sharing student information with Education Service Providers.

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act (COPPA) guides the protection of data, when companies collect “personally identifiable information” directly from students under the age of 13. The FTC updated its COPPA guidance in April 2014 to clarify that “the school’s ability to consent on behalf of the parent is limited to the educational context – where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose…. because the scope of the school’s authority to act on behalf of the parent is limited to the school context.” School consent cannot substitute a parent’s approval “in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service.”


PPRA Sensitive Information
Political Affiliations
Mental & Psychoogical Problems
Email Address
Sex behavior & Attitudes
Date & Place of Birth
Illegal, anti-social, self-incriminating & demeaning behavior
Critical Appraisals of other individuals
Legally recognized privileged or analogous relationships
Participation in officially recognized activities & sports

State Laws

Do you know if the states you are working in have a student privacy law? Just since 2013, 39 states have passed 106 new student privacy laws. Most of those laws impose new requirements on districts, states, and school service providers.

Click to see more

Prior to student data privacy taking off as an issue in 2014, many states had preexisting privacy laws. Some states have privacy laws that are not specific to education but still affect educational data. For example, 10 state constitutions have recognized a right to privacy,[1] and many more have general privacy protections in place for their citizens. These laws affect students, teachers, schools, and districts. Many states have specific laws regarding the disposal of records that contain personal information.[2] Some states also require government entities to have a written privacy policy in place.[3] And some, such as California, require government agencies to have a specific person responsible for compliance with privacy law.[4]

States can give students additional privacy protections, and many have: at least 35 states have passed laws supplementing FERPA;[5] 45 make their data privacy policies publically available; 48 state education agencies have established governance bodies charged with managing the collection and use of data, including how that data will be kept secure and confidential; and 45 have established policies that determine what type of data is available to select stakeholders, such as teachers and principals, who will use it to improve instruction.

The number of laws directly regulating student privacy has dramatically increased in the past three years. Since 2014, 49 states have introduced over 500 student privacy bills, with at least 100 bills introduced each year. Thirty-eight states have passed 91 laws since 2013. Generally, these laws either regulate educational agencies and institutions, such as schools, districts, and state education agencies, or regulate third parties.

Thirty-three states as of the end of 2016 have introduced either a version of California’s SOPIPA or a similar piece of legislation that regulates industry known as the SUPER (“student user privacy in education rights”) Act, and 12 states have passed those bills into law.

SOPIPA, SUPER, and other recent student privacy laws impose direct liability on ed tech operators. FERPA, which is enforced by the U.S. Department of Education is only directly enforceable against “educational institutions receiving federal funds” – which equates to most public schools. Even if a third party vendor practice causes the school to be in violation of FERPA, DOE may only hold the school liable. Any liability by the school service provider would simply be through its contract with the school. The entire purpose of states seeking to pass SOPIPA, SUPER, and other student privacy laws is to directly regulate private companies that are now so frequently working directly with students.



[1] “Constitutions in ten states—Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington—expressly recognize a right to privacy.” National Conference of State Legislatures, Privacy Protections in State Constitutions, December 11, 2013.

[2] “At least 30 states have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” National Conference of State Legislatures, Data Disposal Laws, December 26, 2013.

[3] Cf. Alaska Stat. § 45.48.530; Ariz. Rev. Stat. Ann. § 41-4152; Colo. Rev. Stat. § 6-1.713; N.J. Stat. 56:8-162

[4] Cal. Civ. Code § 1798.22: “Each agency shall designate an agency employee to be responsible for ensuring that the agency complies with all of the provisions of this chapter.”

[5] Epic.org, Student Privacy


It is absolutely essential to be transparent about your privacy practices, not just because it builds trust with parents, districts, and states, but because a lack of transparency can raise privacy concerns.

Click to see more

There are many great ways to be transparent about your student privacy practices.

Post FAQs

While some technical questions from districts, educators, or parents may require you to dig out answers, there are some questions that will frequently be asked that you can post on your website. Some common questions include:

  • What data does your product collect?
  • Is any of that data Personally Identifiable Information (PII) (or information that could become identifiable if it were combined)?
  • Who do you share PII with?
  • How does your business make money? Do you sell student data?
  • Does your service create a profile of students for purposes other than an educational purpose?
  • Does your service have advertising? Ads are allowed, but many states ban ads targeted based on data about students or behavioral ads that are based on tracking a student across the web.
  • When users (whether a student, educator, school, or district) request deletion of data, will you delete it?
  • Do you allow parents to directly access data about their child held by your service, or do they need to go through their local school or district to access the data?
  • Do you have appropriate security for the data you collect?
  • Will you give your users notice and the ability to consent before major changes to your privacy policy?
  • Have you signed on to the Student Privacy Pledge, gotten an iKeepSafe seal, signed the Massachusetts or California Student Privacy Alliance contracts, or been reviewed for privacy by Common Sense Media? Have you had an independent privacy audit done, or shown in some other impartial way that you are committed to protecting privacy?

Check out this FAQ from SchoolMessenger or this FAQ from G Suite for Education.

Make Your Privacy Policy Easy-To-Read

Your privacy policy shouldn’t be a complex document with lots of legalese; aim to make it easy for a parent to scan through in 10 minutes, with links to more information for district technical staff or others who need more information. For a great example, check out Quizlet’s Privacy Policy.


Do you have other transparency solutions for companies or resources we should share? Email us at [email protected]



Resources for Service Providers

There are many great resources for service providers on student privacy. Some of our favorite resources are listed below, but you can access all the resources we have found for service providers by clicking the “Resources” tab above and selecting “K-12 Service Providers” in the “Resources for…” drop-down menu.

Click to see more

Protecting Student Privacy While Using Online Educational Services (U.S. Department of Education PTAC)

Student Data and De-Identification: Understanding De-Identification of Education Records and Related Requirements of FERPA: Guidance document prepared by the Future of Privacy Forum and Foresight Law + Policy provides an overview of the different tools used to de-identify data to various degrees, based on the type of information involved, and the determined risk of unintended disclosure of individual identity. Proper data de-identification requires technical knowledge and expertise as well as knowledge of, and adherence to, industry best practice.

Data de-identification represents one privacy protection strategy that should be in every student data holder’s playbook. Integrated with other robust privacy and security protections, appropriate de-identification – choosing the best de-identification technique based on a given data disclosure purpose and risk level – provides a pathway for protecting student privacy without compromising data’s value. This paper provides a high level introduction to: (1) education records de-identification techniques; and (2) explores the Family Educational Rights and Privacy Act’s (FERPA) application to de-identified education records. The paper also explores how advances in mathematical and statistical techniques, computational power, and Internet connectivity may be making de-identification of student data more challenging and thus raising potential questions about FERPA’s long-standing permissive structure for sharing non-personally identifiable information.


The Software and Information Industry Association has developed “best practice” principles for educational service providers and third party vendors.

Some states, cities, and large school districts have produced guidance for vendors. New York City Public Schools has fashioned a vendor’s guide to providing professional services for their schools. The Ohio Department of Education has made an Approved Vendor Assessment list available to the public.

CoSN has announced an intiative to bring together 13 school different school districts to develop best practices for digital media use in K-12 education.

The National Center for Education Statistics has put out a best practices brief focusing on Vendor Engagement Tips from the States, specifically related to the Statewide Longitudinal Data Systems Grant Program.


In addition to student privacy specific guidance, education service providers should be familiar with general privacy rules that are relevant when personal information is collected. When other sensitive information such as health data or financial data is collected or used additional regulatory requirements apply. If you collect, store, or use health or financial information please seek further advice from a legal professional.

If an education service provider submits an app to a major app store or includes social media plug-ins, they need to comply with the developer requirements of those platforms. The Future of Privacy Forum and the Center for Democracy and Technology have issued“Best Practices for Mobile App Developers.” The Federal Trade Commission and the California Attorney General’s Office have also offered guidance for mobile app developers. Additionally, specific guidance for app developers is available through each major app store, including Apple, Google Android, and Facebook.

Other general privacy guidance is available from the International Association of Privacy Professionals Resource Center. Also, the Future of Privacy Forum and other organizations such as the Center for Democracy and Technology, Electronic Privacy Information Center,World Privacy Forum, and the Electronic Frontier Foundation work on a variety of privacy issues and have available resources on their websites.