Complying With Student Privacy Laws
Family Educational Rights and Privacy Act (FERPA)
FERPA is a federal statute that protects the privacy of student educational records. The law does not apply to all schools, only schools that receive federal funds from the U.S. Department of Education. Almost all public and most private schools receive federal funds.
FERPA applies only to student information stored in “education records.” FERPA defines a student’s record as any information recorded in any way, including, but not limited to, computer media, print, handwriting, microfilm, audio tape, and video. All e-mails and electronic records are covered by the term “computer media.”
FERPA provides the parents of students with specific rights regarding their children’s school records. When a child turns 18 or attends a school beyond the high school level, those rights transfer to the student, who is then referred to as an “eligible student.”
Here are the rights for eligible students and parents under FERPA:
• To review the student’s education records kept and stored by the school. Any requested copies of a student’s records may incur a charge from the school.
• Request that the student’s records be corrected if they believe the records are inaccurate. If the school does not correct the records, an eligible student or parent has the right to request and receive an official hearing. If the school still does not make the requested changes, the eligible student or parent has the option to have a statement included with the student’s records explaining their view of the inaccuracies.
• Receive yearly notice of their rights under FERPA
• File a complaint with the Department of Education; there is no private right of action under FERPA.
• Schools are required to have written consent from the eligible student or parent before they release any student’s records. FERPA lets schools release records without permission to certain entities or parties for the following circumstances.
- Local and state authorities pursuant to state law
- To obey a subpoena or judicial order
- School administrators with valid educational interest
- Groups conducting specific studies authorized by the school
- Accrediting schools to which a student is transferring
- Entities providing financial assistance to a student
- Groups conducting studies for the school
- Authorities when there are safety and health emergencies.
Schools can also disclose student “directory” information, such as a student’s name, address, date of birth, phone number, attendance information, and awards and honors, without consent from parents or students.
Schools must inform eligible students and parents about school directory information and give them a reasonable period of time to ask that the school not reveal their directory information. Schools are required annually to advise eligible students and parents about their FERPA rights.
Student Privacy Protection Act
The Student Privacy Protection Act amends and adds language to FERPA that forbids the funding of educational institutions that permit third parties to access student information unless:
• the institution, before obtaining parental consent, informs parents of the information the third party would have access to, that the information will be made available only if the parent approves, that the parent can correct incorrect information, and that the external party or institution is responsible for any violations
• the institution can guarantee that the information will not be used to determine the identity of the student
• the student information remains the property of the institution and when the individual is no longer served by the institution, the information is destroyed
• any third party having access to student information agrees to be liable for FERPA violations.
The Student Privacy Protection Act also:
• gives FERPA rights to parents of any students for whom the institution maintains student information, including home-schooled students.
• removes the exception that allowed educational institutions to release student information without parental consent to organizations studying student aid programs or predictive tests.
• requires parental consent before representatives under the control of the Department of Education, or state educational authorities can access student records for: (1) evaluation and audits of federally maintained education programs that are directed by local or state public education institutions, or (2) enforcing federal legal requirements.
• forbids educational institutions receiving federal funds from amending student information with personally identifiable information collected from state or federal agencies through data matches.
• prohibits money from being used to: (1) keep track of a student’s career and educational development activities, or (2) force a secondary or elementary school student to unwillingly choose job-related training or a career.
• requires de-identification and anonymization of student information that may be collected or released under the various exceptions.
• makes educational institutions, agencies, and third parties receiving federal funds that do not comply with FERPA liable for a financial award to people affected by their failure to comply. Federal agencies can also be held liable for not complying with FERPA.
• forbids predictive modeling of a student’s behavior and psychological testing, including testing of their beliefs or values. It also prohibits video, camera, or computer monitoring or surveillance without the consent of parents and teachers and without a public hearing.
• forbids surveys asking for specific information about students or their families, including information on their religious beliefs, gun ownership, and political affiliation.
Student Online Personal Information Protection Act (SOPIPA)
California continues to lead the way in passing Internet privacy laws. The Student Online Personal Information Protection Act (SOPIPA), which took effect in 2016, broadly covers the protection of student privacy for K12 students.
SOPIPA governs the collection and use of student data by online services, websites, mobile and desktop applications. This act applies to any individual or business that collects information from K12 students even if they do not have a contract with a school. These regulations apply in addition to the Children’s Online Privacy Protection Act (COPPA) requirements covering children under the age of 13 and The Family Educational Rights and Privacy Act (FERPA). However, FERPA only applies to schools that receive federal funds from the U.S. Department of Education.
Here is a brief summary of the SOPIPA:
SOPIPA prohibits an operator of an Internet website, online service, online application, or mobile application from knowingly engaging in targeted advertising to students, their parents, or legal guardians, using covered information to amass a profile about a K12 student, selling a student’s information, or disclosing covered information. The bill requires an operator to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, to protect the information from unauthorized access, destruction, use, modification, or disclosure, and to delete a student’s covered information if the school or district requests deletion of the data. The bill would authorize the disclosure of covered information of a student under specified circumstances.
Even if your business is not based in California, SOPIPA applies if you collect information about K12 students in California.
Are You Required to Comply With the SOPIPA?
If your products or services were designed for and are being used by K12 students in California, SOPIPA applies to you or your business. It protects personally identifiable information and other covered information, in any format, that is provided to you by a parent, student, or agent of the school, school district, or county education office for school purposes. It also covers information collected by you through your products or services that identifies or is descriptive of a student.
What type of student information is covered by SOPIPA?
The amount of information covered is significant and includes information that is descriptive of a student or otherwise identifies a student, including, but not limited to information in the student’s educational record, first and last name, email address, telephone number, home address, or other information that allows online or physical contact, test results, discipline records, grades, special education information, juvenile dependency records, criminal records, health and medical records, evaluations, disabilities, biometric information, social security number, religious information, socioeconomic information, political affiliations, food purchases, photos, text messages, search activity, documents, geolocation information, or voice recordings.
How does SOPIPA limit your use of student information?
Here is a partial list of what you can’t do with K12 student information:
• Employ targeted advertising on your website, application, or service, or target advertising on another website, application, or service, when the advertising is based on covered information and persistent unique identifiers that you have acquired.
• Use student information, including persistent unique identifiers, gathered or created by your website, application, or service to assemble a profile about a K12 student except in the continuance of K12 school purposes.
• Sell a student’s information, including covered information. This does not apply to the merger, purchase, or other type of acquisition of your business by another entity, provided that you or the successor entity continues to be subject to the provisions of this section with respect to previously acquired student information.
How can I legally use the student data that I collect?
You can use the student’s deidentified information:
- to improve your educational services and products
- to prove the efficacy of your services and products
- for improving and developing your services, applications, and educational websites
- for marketing your services and products to parents of students
- for research purposes allowed by federal or state law under the guidance of the school or Department of Education
How do I comply with SOPIPA?
Besides complying with the guidelines on the use of student information, you are required to implement and maintain security practices and procedures that are reasonable and appropriate to the type of covered student information, to protect the student information from unauthorized access, use, disclosure, modification, or destruction, and to delete a student’s covered information if the district or school requests deletion.
What about other state laws governing student data?
If you think that you dodged the SOPIPA regulations in California because you collect student data in another state, think again. At least 20 other states have passed laws affecting the collection and use of student data, and some of these laws are very strict: Idaho Code §33-133 bans vendors from using K12 student information for any secondary purpose, such as advertising, marketing, or sales.
The New York law among other regulations includes strict guidelines about security including data encryption, protecting student information when being transmitted over networks, incident response plans, and other measures. The New York law outlines encryption requirements that are similar to the very tough requirements of HIPAA (Health Insurance Portability and Accountability Act).
North Carolina law requires that contracts with other entities include provisions that protect student security and privacy and stipulates penalties for not complying with the laws and regulations.
Other state student privacy laws include:
In addition to various state laws, the federal Children’s Online Privacy Protection Act (COPPA) also applies when collecting personal information from children under the age of 13.
Effects on Vendor Agreements
Some state privacy laws require that school agreements with vendors contain provisions listing the security and privacy requirements imposed on vendors. Regardless of any notice given to vendors in their agreements with educational institutions, the state student privacy laws will apply to the vendors. If your company provides services to educational institutions, make sure that your privacy and security practices comply with the student privacy laws in the states where you provide your services.
Recommended steps for you to take
1. Thoroughly review your student data collection and use practices to make sure that they comply with FERPA, SOPIPA, and other state privacy laws if applicable.
2. Review your current contracts with service providers and subcontractors who have access to K12 student information, and if needed, update these agreements to include provisions that address restricting the use of student data, protecting the data, data retention, data access, and how to respond if there is a security breach of student information. Your contracts may need to address student privacy laws from other states if your business operates in more than one state.
3. Conduct risk assessments to determine the best security procedures to protect student information.
4. Train your employees and associates about student privacy law requirements. This training should also include anyone else with whom you share access to student information. Make sure that your IT team completely understands how to comply with security requirements for protecting student data.
5. Install comprehensive security measures to protect student information including strong encryption software. This should include protecting data being transmitted and data in storage. Take the extra step and use security measures that are above the required industry standards for protecting student information.
6. Consider hiring a Certified Information Privacy Professional to help you understand and comply with FERPA, SOPIPA, and other state student privacy laws.
Protection of Pupil Rights Amendment (PPRA)
Department of Education’s Model Notification of Rights for Elementary and Secondary Students.
Department of Education’s Model Notification of Rights under FERPA for Post-secondary Institutions.
Department of Education’s Model Notification of Rights under FERPA for Directory Information.
Department of Education’s Model Notice and Consent/Opt-Out for Specific Activities under PPRA.