This blog was previously posted on the Future of Privacy Forum blog.
Policymakers, parents, and privacy advocates have long asked whether FERPA is up to the task of protecting student privacy in the 21st century. A just-released letter regarding the Agora Cyber Charter School might signal that a FERPA compliance crackdown – frequently mentioned by U.S. Department of Education (USED) employees at conferences throughout 2017 as their next step after providing extensive guidance – has begun. The Agora letter provides crucial guidance to schools – both K-12 and Higher Ed – and ed tech companies about how USED interprets FERPA’s requirements regarding parental consent and ed tech products’ terms of service, and it may predict USED’s enforcement priorities going forward.
FERPA compliance can be complicated; the statute was first passed in 1974 and has been occasionally updated to add additional protections and exceptions, some of which include ambiguous language. USED’s Privacy Technical Assistance Center (PTAC) – a program that has received nearly universal praise from state and local officials over the past four years – has spent significant time and effort providing practical guidance, training, and resources for state and local education agencies to clarify FERPA’s requirements for the use of ed tech products.
The Agora letter, issued by the FERPA family policy compliance office in USED, clarifies the Department’s position regarding several key issues. It is sure to attract the attention of schools and ed tech providers seeking to better understand the interaction of FERPA, school requirements regarding technology in the classroom, and the data use policies and practices of ed tech providers. Moreover, this finding letter may signal increased interest by USED in investigating and sanctioning practices that are inconsistent with FERPA.
USED investigated two allegations made by a parent of a student in Agora Cyber Charter School, an online public charter K-12 school based in Pennsylvania. The first allegation is based on a long-established FERPA principle that “a parent or eligible student cannot be required to waive the rights and protections accorded under FERPA as a condition of acceptance into an educational institution or receipt of educational training or services.”
by posting or submitting Member Content to this Site, you grant K12 and its affiliates and licensees the right to use, reproduce, display, perform, adapt, modify, distribute, have distributed, and promote the content in any form, anywhere and for any purpose.
“Member content” was defined as information the child posted on certain areas of the site, registration data, and other forms of student personally identifiable information (PII).
USED also investigated a parental allegation that Agora violated the requirements of FERPA’s school official exception. This exception allows schools to disclose PII from students’ educational records without parental consent, subject to certain requirements. Among others, the school must:
- maintain “direct control” over third parties with respect to the use and maintenance of the child’s PII; and
- ensure that the third party only uses that PII for the purposes for which the school made the disclosure.
USED found that the school had not violated FERPA’s school official requirements in 2012, but indicated that schools and ed tech providers must proceed with greater caution in 2018. USED stated that when the complaint was filed, USED had not yet released guidance regarding how schools should establish direct control over third parties and ensure the limited use of personal information under FERPA’s school official exception. Such guidance was issued in 2014 and 2015; USED is likely to hold schools to a higher standard today, in light of its conclusion that the guidance documents:
provide substantial clarity to the education community on best practices for effectively establishing direct control over the use and maintenance of education records and the PII from such education records by third parties acting as school officials with legitimate educational interests in the online educational service context.
The Agora letter has a number of implications for stakeholders. While USED exerts meaningful influence over schools and industry through advisory letters, policy guidance, and other “soft law” measures that shape behavior, this is the first time that the agency has issued a finding letter that directly finds fault with the policies and practices of an ed tech company.
In the wake of the Agora letter, schools should carefully review their parental consent policies, and more importantly, the content of the privacy policies and terms of service of their ed tech partners. When a school requires that an ed tech service be used as a condition of enrollment, that service must either comply with FERPA’s school official exception requirements or parents must be given the right to opt out of its use. Previous guidance from USED has also noted that schools disclosing student data to ed tech companies or other third parties “considered to have a legitimate educational interest, [the school] must include in the annual notification of FERPA rights the criteria for determining who constitutes a ‘school official’ and the criteria for what constitutes a ‘legitimate educational interest.’”
Both schools and companies should thoughtfully review and adhere to the USED guidance referred to in the Agora letter, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, and Protecting Student Privacy While Using Online Educational Services: Model Terms of Service.
Most importantly, the key stakeholders protected here are the parents and students themselves. FERPA was written to provide express controls for parents over their child’s educational record, and this letter shows that while the technology may change, the underlying right is sound and strong.
Certain issues raised by the Agora letter may have murkier implications. This letter makes it clear that, when schools require students to use ed tech services, those services can only be used under FERPA’s school official exception. How this may play out in schools is difficult to predict: there are some ed tech services, required by schools, which are offered directly to students, and so it is common practice for parents or eligible students to be directed to sign up for an account that requires them to agree to a Terms of Service that may not align with FERPA’s requirements. This finding letter may encourage more ed tech companies to allow schools to sign students up for the product directly, or schools may even begin to require independent contracts or clauses in company Terms of Service that align with FERPA’s school official requirements.
The underlying issue of the letter – that schools retain the responsibility to ensure any mandatory ed tech product is used only in compliance with FERPA protections – extends beyond the particular example of Agora. In many cases, schools may direct parents to directly download, sign up for, or otherwise enroll their child in a particular platform, educational product, or online service, without the school operating as an intermediary. As this letter makes clear, however, even when the school doesn’t directly own or manage the student account, any ed tech use mandated as part of the student’s educational process must comply with FERPA under the school official exception. A parent cannot be directed to consent to an account for their child with insufficient privacy or TOS terms as a workaround to the standards required if the school was directly contracting with the provider.
This letter may also encourage more enforcement actions from states. While 124 new student privacy laws have passed in 40 states since 2013, no enforcement actions have been brought yet under any of those laws. Now that states have this finding letter from USED, they might look for similar Terms of Service language in ed tech products used in their states to bring an enforcement action.
The USED letter to Agora makes clear that the stakes are high. While financial penalties against schools are rare – USED is required to attempt to bring schools into compliance with FERPA before withholding federal funding – the Department has other enforcement options, including the imposition of a five-year ban on data transfers from an offending school to the ed tech provider.