In the past, maintaining student privacy was a matter of locking records in a filing cabinet. Now, in the digital classroom era, schools need increased security to keep students’ data safe and maintain compliance with updated student privacy laws.
Students engage with technology from K-12 and on to college or a trade school. Whether it’s a computer lab at the local elementary school, a homework assignment that must be submitted online, or a collaborative, cloud-based platform that enables teachers and parents to interact, the learning education environment has been digitized.
Students are immersed in technology outside the classroom, too. Many have their own cell phones or, at least, access to a home or public computer. They text each other, post to their Instagram accounts, or play popular online games, such as Fortnite, Roblox, or Minecraft, to pass the time. The coronavirus pandemic forced many students to move much of their daily activities to online platforms.
With every keystroke on school devices or through platforms monitored by them, children provide their schools and other organizations with data that may or may not be protected by federal and state laws. Consequently, all the data a student generates is bound to be at risk, from their behavior on a school’s online platform (which might be inadvertently tracked by the vendor) to their educational records.
What student privacy laws protect students’ data?
In the United States, three student privacy laws have been enacted to uphold student privacy and data security: the Family Education Rights & Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and the Children’s Internet Protection Act (CIPA). Each is administered by different branches of the federal government, and each seeks to police possible cyber dangers to minors.
FERPA: Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that aims to protect the privacy of student education data by giving parents certain rights to the records until the student becomes eligible to possess the right to their record.
Who does FERPA apply to?
Because FERPA is a federal law, it applies to all educational institutions and agencies that receive federal funding from the U.S. Department of Education.
What education records fall under FERPA?
As defined by the law, student education records refer to all records that directly relate to the student, as maintained by the school or educational agency. This includes records on children with disabilities who fall under Part B of the Individuals with Disabilities Education Act (IDEA).
Excluded from the definition are law enforcement unit records and other documents that may be kept by the school resource officer and other law enforcement authorities.
When does the right to obtain student data transfer to the student?
The right transfers to the student when they reach the age of 18 or attend a school beyond the high school level. Students to whom the right has been transferred are called “eligible students.”
Who else may access students’ educational records?
Typically the school must have the written permission of the parent or eligible student to release any part of the student’s information record. However, 34 CFR § 99.31 allows schools to disclose such records without requiring consent in the following cases::
- To comply with a court order or subpoena.
- When requested by school officials with legitimate educational interest.
- When requested by other schools where the student intends to transfer.
- When required for financial aid, audit, or evaluation purposes.
- For accreditation,
- In case of health and safety emergency.
- When requested by local and state authorities within a juvenile justice system and subject to specific state law.
Schools may also disclose directory information — such as the student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance— without requiring consent.
What responsibilities do schools have with regard to FERPA?
To remain compliant with FERPA, schools must do the following:
- Inform parents and eligible students of their rights under FERPA each year. The notification is left to the school’s discretion and may be in the form of a student handbook inclusion, PTA bulletin, or other announcements.
- Inform parents and eligible students about directory information and provide a reasonable amount of time for them to request that it not be disclosed.
Where can I learn more about FERPA?
The Department of Education has a website, “Protecting Student Privacy,” that outlines best practices that every educational stakeholder — students, parents, teachers, vendors, researchers, etc. — should adopt in order to manage student data while maintaining student privacy.
COPPA: Children’s Online Privacy Protection Act
The Children’s Online Privacy Protection Act (COPPA) of 1998 falls under the jurisdiction of the Federal Trade Commission (FTC). Unlike FERPA, which focuses on student rights, COPPA regulates how website operators or online services can collect personal information from children under 13 years of age.
In a nutshell, COPPA regulations include:
- Providing notification and getting parental consent before collecting information.
- Keeping such collected information secure and confidential.
To whom does COPPA apply?
COPPA applies to all online portals, such as websites and applications that may be accessed by children below the age of 13. As such, these include sites and apps operated by educational institutions.
What obligations do schools have with regard to COPPA?
According to the FTC, schools can stand in for parental consent if the site or app is used solely for educational purposes and for no other commercial purpose.
In addition, schools must practice due diligence when vetting products and services and provide appropriate information to parents. These include the names of apps, websites, or services and their information and privacy practices.
Where can I learn more about COPPA?
To learn more, take a look at the FTC’s guide, Protecting Children’s Privacy Under COPPA.
CIPA: Children’s Internet Protection Act
What is it?
The third major technology law protecting students is the Children’s Internet Protection Act (CIPA) of 2000, which is concerned with children’s access to the obscene or harmful parts of the Internet. The act requires libraries and K-12 schools to use web filters and other measures to protect children.
To whom does CIPA apply?
CIPA applies to all schools and libraries that participate in the FCC’s E-rate discount program, where they receive discounts for Internet access or internal connections.
What obligations do these institutions have as part of CIPA?
With CIPA, schools, and libraries must be able to prove that they have an Internet safety policy in order to obtain E-rate discounts. These protections must include either blocking or filtering online content that is considered obscene or harmful to minors. In order to demonstrate compliance, these schools and libraries must publicize their compliance policies and hold at least one public meeting.
In addition, schools must also have a provision to monitor the online activities of minors and, per the 2012 Protecting Children in the 21st Century Act, must educate these same minors on how to act online. Their education curriculum must encompass appropriate online interactions on social networking and in chat rooms, as well as cyberbullying and response.
Where can I learn more about CIPA?
You can find out more about CIPA or apply for E-rate funding by contacting the Universal Service Administrative Company (USAC)
Or, you can print out read this PDF: Children’s Internet Protection Act (CIPA)
Best practices for compliance with FERPA, COPPA, and CIPA
The shift to online classrooms and digital learning, means that concerns about student privacy and data collection are more critical than ever. Here are some best practices to ensure your organization’s compliance.
Vet all learning tools
- Implement a policy for vetting educational technology tools. This allows both teachers and students to know what sites, apps, and platforms are verified safe for learning.
- The DOE has a helpful checklist for evaluating educational technology products, vendors, and their Terms of Service.
- The DOE also encourages schools to tap both their IT resources and legal counsel when vetting tools for FERPA compliance.
Implement basic security measures
At the very least, schools should follow basic cybersecurity practices to safeguard data. These include:
- Identifying which assets are authorized and unauthorized
- Implementing role-based access and reviewing them periodically
- Using VPN when on unsecured connections
- Teaching cybersecurity practices such as using unique passwords, locking unattended devices, and being on guard against phishing and malware attacks.
Be transparent about data collection
FERPA requires institutions to notify parents and eligible students of their rights each year. To make the process smoother, the DOE suggests that schools inform parents and students what data is being collected and how it will be used, even if the information is not protected by FERPA or the two other student privacy laws. Being transparent helps build trust in the school, the learning process, and the platforms that are used.
- A prominent link on the homepage
- A list of all parties that collect personal information, including third parties like social networking plugins or ad networks
- What personal information is being collected, and how it will be used
- A section on parental rights, including the right to refuse or to request a review or permanent deletion of any data collected.
Provide direct notice before collecting data
A direct notice of collection practices must be provided prior to collecting data. In addition, any change to the information practices should be posted and updated on the site.
Obtain verifiable consent before collecting or disclosing data
The FTC provides a list of acceptable methods, which include:
- Using a consent form
- Implementing knowledge-based challenge questions designed to be answered by parents
- Asking for a government-issued ID that can be verified against a database, as long as the photo is deleted after verification is complete.
For more COPPA best practices, refer to the FTC’s 6-Step COPPA Compliance Plan.
The American Library Association has compiled some practical tips to help schools and libraries comply with CIPA:
Use physical (hard copy) and electronic signs to inform users that filtering software is used to comply with CIPA as a federally funded institution
Because filtering software can be imprecise, CIPA allows organizations to unblock sites that may have been erroneously blocked. Users can request websites to be unblocked, provided they are legitimately useful for educational purposes.
For libraries, adult users aged 17 and above can request to have the whole filter turned off without having to explain why. The library should post signs notifying users of this option.
These three student privacy laws, administered respectively by the Department of Education, the Federal Communications Commission (FCC), and the Federal Trade Commission (FTC), seek to monitor and protect students in schools and in the commercial marketplace.
Note that the best practices briefly outlined above are simple suggestions we’ve compiled from authoritative organizations. All educational shareholders, from the institution’s management stakeholders to the students and their parents, should familiarize themselves with these student privacy laws to ensure that they or their schools are in compliance.