If you are considering building digital products for students or children, it is vitally important to be well-versed in the laws and regulations governing student and child privacy. This post is the second in a series aimed at providing an overview of the most important federal regulations to keep in mind when building software aimed at young audiences for both educational and recreational purposes.
- Family Educational Rights and Privacy Act (FERPA)
- Protection of Pupil Rights Amendment (PPRA)
- Children’s Online Privacy Protection Act (COPPA)
This series is a non-exhaustive list of regulations and does not include everything you need to know to be compliant with the laws. Beyond the federal laws, there are state and local laws that must be consulted as well as school district ethical guidelines to consider before you get started.
This is not a legal resource and none of the information contained herein should be taken as legal advice or opinion. If you have compliance questions, please consult a lawyer who specializes in these types of regulations.
Protection of Pupil Rights Amendment (PPRA)
At a glance
- Purpose: Protecting sensitive personal information collected from students
- Who must comply: Any K-12 institution receiving funds from the U.S. Department of Education
- Compliance criteria: Gather written consent from parents for federally funded surveys, allow a parent to opt a child out of non-federally funded surveys, and allow parents to opt a child out of any non-emergency physical exam administered by the institution
- Consequence for noncompliance: Loss of federal funding and in some cases, monetary penalties from the state
The Protection of Pupil Rights Amendment (PPRA) protects the rights of parents and students to consent so sharing highly sensitive information in surveys, analyses, or evaluations. It was enacted in 1978 to protect students from overly intrusive and personal data collection.
PPRA classifies its highly sensitive information as data that falls into any of the following categories.
- Political affiliations or beliefs of the student or the student’s parent
- Mental and psychological problems of the student or the student’s family
- Sex behavior or attitudes
- Illegal, anti-social, self-incriminating, or demeaning behavior
- Critical appraisals of other individuals with whom respondents have close family relationships
- Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers
- Religious practices, affiliations, or beliefs of the student or student’s parent
- Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).
Like the Family Educational Rights and Privacy Act (FERPA), any program that receives funding from the U.S. Department of Education program is responsible for complying with PPRA. Unlike FERPA, PPRA does not apply to post-secondary institutions, only K-12 institutions.
PPRA requires schools and contractors to make instructional materials, surveys, evaluations or analyses available for parents to review ahead of time. If the survey is federally funded and involves information from any of the highly sensitive categories above, written consent of the parent is required for their child to participate in the survey. If the survey is not federally funded but still deals with highly sensitive information, the parents must still be notified in advance and given the opportunity to opt their child out of participating.
In addition to these surveys, parents are also granted rights under PPRA to opt their children out of any non-emergency, invasive physical exam or screening administered by the school. Exceptions to this policy include exams to protect the immediate health and safety of the student; hearing, vision, or scoliosis screenings; and any physical exams permitted under state law. Parents also have the right to opt their child out of any activities that collect the child’s personal information for marketing purposes or any distribution to third parties.
How will this affect you
FERPA protects PII from education records maintained by the school or institution which becomes your responsibility through the legal method that the institution shares that information with you and your digital product. PPRA protects personal information collected from the students themselves. If FERPA data is used to create accounts for students in your product, but your product gathers subsequent information from the student, you now need to be compliant with PPRA.
As always, you must be aware of what data you are collecting and how you are handling that data. PPRA has no expiration on the limitations governing the use of personal information collected from students. As such, your data privacy and data retention policies are of the utmost importance because even after a student is no longer using your product, their data is still subject to all of the rights granted under PPRA.
As stated above, this post is not a legal resource and none of the information contained herein should be taken as legal advice or opinion.
PPRA’s main goal is gathering fully informed consent before collecting data and potentially limiting how much highly sensitive data is collected about students. Next to FERPA, PPRA is one of the most important federal regulations to familiarize yourself with if you want to build digital products for an educational audience. I hope this primer has given you the basics to start thinking about how to make your product PPRA compliant.