If you are considering building digital products for students or children, it is vitally important to be well-versed in the laws and regulations governing student and child privacy. This post is the first in a series aimed at providing an overview of the most important federal regulations to keep in mind when building software aimed at young audiences for both educational and recreational purposes.
- Family Educational Rights and Privacy Act (FERPA)
- Protection of Pupil Rights Amendment (PPRA)
- Children’s Online Privacy Protection Act (COPPA)
This series is a non-exhaustive list of regulations and does not include everything you need to know to be compliant with the laws. Beyond the federal laws, there are state and local laws that must be consulted, as well as school district ethical guidelines to consider before you get started.
Please note: This is not a legal resource and none of the information contained herein should be taken as legal advice or opinion. If you have specific compliance questions, please consult a lawyer who specializes in these types of regulations.
Family Educational Rights and Privacy Act (FERPA)
At a glance
- Purpose: Protect student personal information held by educational institutions
- Who must comply: Any institution receiving funds from the U.S. Department of Education
- Compliance criteria: Grant access to parents and students to view, amend, and control the sharing of their education record
- Consequence for noncompliance: Loss of federal funding and in some cases, monetary penalties from the state
The Family Educational Rights and Privacy Act (FERPA) is one of the most important federal regulations in education. Enacted in 1974, it protects student education records by granting rights to parents and eligible students—students who are 18 or older or enrolled in postsecondary school.
The U.S. Department of Education (ED) defines a student’s education record as any data record that contains information directly related to a student and which are maintained by an educational agency or institution. This includes
- GPA and transcripts
- Enrollment information
- Admission information
- Class schedule
- Academic accommodations
- Discipline actions
- Billing information in some cases.
One big exception is “directory information.” Directory information is information that is generally not considered an invasion of privacy if disclosed. Some examples of directory information include name, address, email, date of birth, grade level, participation in official extracurricular activities, height and weight of athletes, and awards and degrees received.
Any institution that receives funds from the federal government through a U.S. Department of Education program is responsible for complying with FERPA. This includes public schools, charter schools, and even private schools, because almost all of these receive some federal funding from the ED. Post-secondary schools’ FERPA requirements are slightly different however, as they are not necessarily required to grant rights to student education records to the student’s parents (depending on age and tax status).
FERPA gives parents and eligible students the right to view their educational records, the right to require updates to their records if they are inaccurate, and some control over sharing of data in the student’s education record with any third parties. However, there are some cases where a school can release student data without requiring consent; I encourage you to look at the policy for more specifics.
Every school must notify parents and eligible students of their rights under FERPA yearly. This includes how to enact those rights including how to request access to education records, how to request corrections to the records, how to consent to the disclosure of data in the records, and how to file a complaint if the school doesn’t comply with FERPA. The Family Policy Compliance Office (FPCO)is responsible for implementing FERPA and responding to FERPA complaints.
How does this affect you
The ED places the burden of enforcement of FERPA on the schools which leads to schools placing the burden on their vendors to comply with FERPA. If a school is found non-compliant, it risks losing its federal funding and could incur additional monetary sanctions from the state, not to mention additional revenue losses due to the damage to its reputation caused by a serious FERPA violation. Because FERPA is the most important federal regulation governing student data and privacy and comes with very stiff consequences if violated, you must build your software with FERPA in mind.
Be aware of what data you are collecting and how you are handling that data. What you collect and what you can do with the information is dependent on whether your partner institution is using a legal exception to share the data with you or whether they received written consent from the parents and students.
If you are collecting student information under the directory information exception (see above for what constitutes directory information), you need to ensure that you are not collecting any information from students whose parents opted out of sharing directory information with third parties. Most often, student software is collecting information under the school official exception because it is difficult to manage the large number of people who have opted out of directory information sharing. The school official exception applies when institutions outsource functions and services that the school would otherwise use its own employees to fulfill. And in some cases, the school will collect written consent from parents and eligible students to share data with their third party software vendors.
Regardless of how you are being granted access to student data, you cannot use the data for any other purpose other than for which it was disclosed. In some cases, information collected under the directory information exception and properly de-identified data is ok to use for other purposes, but any other personally identifiable information must be used only for the purpose for which it was initially collected. You cannot sell student data or otherwise offer identifiable data to advertisers for targeted marketing.
All other data best practices also apply to building ethical and responsible software. A lot of the information in a student’s education record is similar to data used by banks and if compromised can be used for nefarious and criminal activity such as social engineering and identity theft. Be sure that you are taking all precautions for protecting the students’ data in your system and have a plan in place for responding to potential data breaches.
Beyond the data privacy and protection compliance considerations, there are also some feature considerations to keep in mind when building software for students. FERPA requires parents and students are granted access to their full student education record within 45 days of requesting access. This includes any information that is held within your software. Make sure you build processes to allow your software to comply with this requirement, whether manual or even better, automated.
For more information about FERPA compliance when building digital products, this paper from the Office of Educational Technology is extremely helpful.
The main goal of FERPA is to protect students’ data privacy. Following data privacy best practices is always a good idea, but is even more important when dealing with student data that falls under the purview of FERPA. You will be most successful building software for student audiences when you build FERPA-first. I hope this introduction to FERPA and things to consider for compliance has helped you take the first step to get there.
As stated above, this post is not a legal resource and none of the information contained herein should be taken as legal advice or opinion.