From Data Privacy to Data Justice

Federal Laws on Student Privacy That Should Be Familiar

By Amelia Vance

Educational technology tools can contribute significantly to improving student engagement, fostering parent involvement, highlighting school inequities and supporting evidence-based policymaking. They also raise critical concerns regarding student privacy.

The rules and regulations governing student privacy in a public school district form a complex tapestry of local, state and federal laws, so understanding this intricate legal framework is more critical now than ever. Here is a succinct summary of some of the cornerstone privacy laws educators should recognize.

FERPA

At the federal level, information in a student’s education record is governed by the Family Educational Rights and Privacy Act. Enacted in 1974, FERPA guarantees parents have access to their children’s education records and restricts who can access and use student information. When a child turns 18, FERPA rights belong to the student.

FERPA permits schools to share information contained in a student’s education record under certain circumstances. For example, most educational technology companies, such as those marketing gradebook systems or classroom learning programs, receive student information under the “school official” exception. The exception says that a school may share education records with a third-party service provider if there is a “legitimate educational interest” in disclosing the information, the third party is performing a service the school would otherwise perform itself and the third party is under the school’s “direct control.”

FERPA is quite strict, but not always clear, about what third parties may do with information they receive under the school official exception. Schools must ensure the third party uses FERPA-protected information only for the educational purpose at hand. Third parties cannot create user profiles to target students or their parents with advertising, collect information beyond what is necessary to fulfill their agreements or share information from education records, except with subcontractors who are helping fulfill the third party’s contract.

Directory Information, another FERPA exception, is student data that a school may make public, such as a sports team roster, yearbook information or even data that can be provided to third parties. However, schools must give parents the opportunity to opt out. Many other exceptions enable various school functions, such as sharing data for students transferring to other schools, health and safety emergencies and education research.

PPRA

The Protection of Pupil Rights Amendment of 1978 sets ground rules for schools to follow when conducting certain surveys or evaluations, including some social-emotional or school climate surveys. It safeguards sensitive student information by mandating parental consent. Schools generally must disclose the survey materials to parents and ensure parents either opt in or opt out.

COPPA

The Children’s Online Privacy Protection Act, adopted in 1998, is all about controlling the data collected from children under 13 by companies operating websites, games and apps. The law insists on transparency through a clear privacy policy, direct notice to parents and parental consent before collecting data.

School officials can step in to provide consent but only for educational purposes. This means the companies can’t use the data for any other commercial purpose. It’s common practice for schools to have policies requiring administrator approval before teachers allow students to use certain apps and services.

IDEA

The Individuals with Disabilities Education Act, enacted by Congress in 1975, ensures free and appropriate education for children with disabilities. Crucially, it protects the confidentiality of personally identifiable information and maintains parents’ right to consent to sharing such information. Parents also have the right to review records concerning their children’s assessments, eligibility and individualized education plan.

State Laws

Through their own legislation, states have taken three major routes to regulate student data use: (1) by regulating data management by schools and state-level education agencies, often expanding FERPA’s requirements; (2) by regulating companies that collect and use student data, such as California’s Student Online Personal Information Protection Act, which prevents online service providers from using student data for commercial purposes; and (3) by taking a blended approach as Colorado and Utah have done to regulate both education entities and third parties.

An Evolving Scene

The legal landscape is not only complicated but ever-evolving. Some 130 state student privacy laws have been passed since 2014, and new federal regulations loom on the horizon as school cyberattacks becoming more frequent.

To respond to this growing need in the field, AASA launched the Student and Child Privacy Center to bridge the resource gap by providing low-barrier insights to education leaders, especially those who do not have access to costly legal expertise.

AMELIA VANCE is chief counsel of AASA’s Student and Child Privacy Center. KATHERINE KALPOS and MORGAN SEXTON of the Student and Child Privacy Center contributed to this article.