FERPA, which applies to almost all public and private schools, provides the primary set of regulations governing student privacy in the U.S. Any agency or institution that violates FERPA regulations loses eligibility for federal funds. However, FERPA’s scope is limited to “educational records”; the legislation does not protect such items as data collected by education websites or digital “pupil-generated content” (such as essays), unless PII is included in that information.
Moreover, several FERPA exceptions allow student records to be disclosed to certain parties or under certain conditions without parental consent. The most significant exception is that without consent, school officials may release student records for any educational purpose they deem legitimate, as when an organizations is conducting studies for or on behalf of a school; records are also available to authorized representatives of the U.S. Comptroller General, U.S. Education Secretary, or state educational authorities.
Changes to FERPA in 2008 and 2011 expanded the definitions of both school officials and authorized representatives. In one of the most important changes, the U.S. Department of Education now considers “school officials” to include “contractors, consultants, volunteers, and other parties to whom an educational agency or institution has outsourced institutional services or functions it would otherwise use employees to perform.”
This change has far-reaching implications for student privacy. For example, when school leaders sign a contract to use Google Apps for Education (GAFE), they assign Google the authority of “school official.” The Department also considers “authorized representatives” to be any individuals or entities that local or state educational authorities, U.S. Secretary of Education, or U.S. Comptroller General select as an authorized representative. As a result of these changes, schools may now provide data to private companies without parental consent. Significantly, these private companies are not named “partners,” but rather “school officials” or “authorized representatives.”
The Children’s Online Privacy Protection Act (COPPA), which applies to children under the age of 13, requires companies to obtain parental consent before they can collect personal information from children for commercial purposes. In December 2012, the Federal Trade Commission (FTC) expanded several definitions under COPPA, increasing protection of children by accounting for new tracking technology. While these changes are significant, the law does not apply to teens. Teens are especially at risk because they are online more than young children both in and out of school, and also because developmentally they are particularly susceptible to targeted marketing.
Although it may be impractical or impossible to impose a parental approval requirement for teens’ online activity, teens’ personal information needs to be safeguarded as carefully as younger children’s. Jennifer Harris and her colleagues at the University of Connecticut’s Rudd Center for Food Policy and Obesity have argued, for example, that children need policy protections from unhealthy food marketing at least until the age of 14.
When a school is using an educational application that involves collection of student data, an important question for districts is whether school personnel can provide consent to a company on behalf of parents, or whether parents themselves must provide consent. If a vendor intends to use or share student information for commercial purposes unrelated to the school or district’s educational purposes, then COPPA requires direct parental consent.
Finally, the Protection of Pupil Rights Act addresses consent in relation to the collection, disclosure, or use of personal student information for marketing purposes or as a product (a data set) for sale to others. It allows schools and districts to participate in gathering student information for marketing purposes, but it requires them to tell parents they are doing so and to allow parents to view the data collection instruments and/or opt their children out.