How Schools Can Comply with the Three Biggest Online Student Privacy Laws

Keeping students’ data safe from prying eyes and malicious actors isn’t as simple as it used to be. 

Students are constantly engaging online with each other, teachers, and educational platforms. Since the Covid pandemic, education has become even more digitized, and the threat has only expanded. More than 90% of students carry personal laptops and smartphones, according to a study by EDUCAUSE, which makes things almost impossible to govern. School campuses can be large, which means that there are more people to protect and more who need to follow best practices online.

According to studies, there have been more than 1,332 data breaches in education in 2021 alone, of which 344 lead to data losses. Social engineering is one of the biggest culprits, along with email compromise. 

But how do schools regulate what websites can be visited and what data is disclosed?

Why Should Schools Care About Data Protection?

Schools and other state and local authorities in the education sector hold incredibly detailed student information—from financial aid to education records to healthcare data— in preparation for health and safety emergencies. 

Information security laws like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Family Educational Rights and Privacy Act (FERPA) all apply to educational institutions that collect personal data. Not complying with these regulations can result in severe penalties and legal action.

There may also be reputational damage to consider. If education records or personally identifiable information (PII) is leaked, there will be a huge fallout from which some schools never recover… as was the case with Lincoln College—a private school based in Illinois that closed permanently following a ransomware attack in 2022.

The Big Three Privacy Laws for Student Data

There are three main privacy laws designed to protect the rights of students. Each is administered by different branches of the federal government.

Let’s take a closer look at each one:

FERPA: The Family Educational Rights and Privacy Act

Enacted in 1974, the Family Educational Rights and Privacy Act stands as a cornerstone in safeguarding the privacy of student education records within educational institutions across the United States. 

It was enacted to ensure that sensitive student information remains protected. FERPA grants certain rights to parents until the student reaches the age of 18 or attends post-secondary education, at which point these rights transfer to the student themselves, termed as “eligible students.”

Who Does FERPA Apply To?

The applicability of FERPA extends broadly to educational institutions and agencies that receive federal funding from the U.S. Department of Education. Under FERPA, student education records encompass a wide array of information directly related to the student and maintained by the educational institution. These records include but are not limited to academic transcripts, disciplinary records, and special education files, covering students who are part of the Individuals with Disabilities Education Act (IDEA) program.

However, certain records fall outside the purview of FERPA, such as law enforcement unit records maintained by school resource officers and other law enforcement authorities. 

Disclosing and Handling Information Under FERPA

Despite stringent privacy protections, FERPA does outline specific scenarios where educational institutions may disclose student records without explicit consent. These include compliance with court orders or subpoenas, requests from school officials with legitimate educational interests, and circumstances involving health and safety emergencies.

FERPA also permits the release of directory information—non-sensitive details like a student’s name, address, and dates of attendance—without necessitating consent, albeit educational institutions must notify parents and eligible students about directory information and offer an opportunity to opt-out.

To ensure compliance with FERPA regulations, educational institutions bear the responsibility of informing parents and eligible students annually about their rights under the law. This may be accomplished through various means, such as student handbooks, PTA bulletins, or other school-wide announcements. Institutions must provide mechanisms for parents and eligible students to request the non-disclosure of directory information.

Complying with FERPA

Complying with FERPA requires specific actions from schools, including:

• Implementing policies for vetting apps, sites, and platforms used for education. There is a checklist by the DOE that will help you vet your vendors. They also encourage schools to speak to their IT and legal departments during the vetting process. 
• Following basic cybersecurity best practices to keep data safe, including using role-based access rules, using a VPN on unsecured connections, identifying authorized and non-authorized assets, and teaching teachers and students to use unique passwords and lock devices. 
• Being transparent about data collection – let parents and students know which is being collected and how it will be used. 

This not only protects students but fosters an environment of trust and openness. 

More Information

Educational stakeholders can turn to resources provided by the Department of Education, including the Protecting Student Privacy website or watch the video below.‍

COPPA: Children’s Online Privacy Protection Act

The Children’s Online Privacy Protection Act (COPPA) was enacted in 1998. It’s overseen by the Federal Trade Commission (FTC) and aims to safeguard the online privacy of children under the age of 13. Unlike FERPA, which primarily concerns student educational records, COPPA targets the collection of personal information from minors in the online realm.

Who Does COPPA Apply To?

COPPA mandates several key regulations to protect children’s privacy online. First and foremost, website operators and online service providers must obtain verifiable parental consent before gathering any personal information from children under 13. This consent requirement serves as a safeguard against the unauthorized collection and use of minors’ sensitive data.

Disclosing and Handling Information 

COPPA also requires that websites and online platforms hosting content targeted toward children have to maintain clear and comprehensive privacy policies. These policies must outline the types of information collected, how it will be used, and any third parties with whom it may be shared. That way, parents can make informed decisions regarding their children’s online activities. COPPA provides provisions allowing schools to act as proxies instead of parents, provided that the platform is solely used for educational activities and not for commercial purposes. 

COPPA mandates that collected information be securely stored and protected from unauthorized access or disclosure. This measure helps mitigate the risk of data breaches and identity theft, safeguarding the personal information of young users.

COPPA’s scope extends to encompass a wide array of online entities, including websites, mobile apps, and online services that cater to children under 13. Educational institutions operating online portals or platforms fall within the purview of COPPA, necessitating compliance with its stringent privacy regulations.

Schools bear the responsibility of diligently vetting and selecting online products and services, ensuring that they align with COPPA’s privacy standards.

Complying with COPPA 

Per the FTC, every school should have a compliant privacy policy that contains a prominent link on the home landing page, a list of parties that collect personal information (e.g., social networks or ad networks), which information will be collected and how it will be used, and a section detailing the rights of parents. This includes the right to refuse or ask for a review/deletion of data that is being collected about eligible students. 

The school has to provide direct notice of its data collection processes before any data is collected, and any changes to those practices have to be disclosed. 

Schools can collect disclose or obtain consent through:

• Government-issued IDs that can be verified 
• Consent forms
• Knowledge-based challenge questions for parents 

More Information

The FTC has released a guide called Protecting Children’s Privacy Under COPPA that provides more information. Below is also a short explainer video.

CIPA: Children’s Internet Protection Act

The Children’s Internet Protection Act (CIPA) of 2000 protects children from exposure to inappropriate or harmful online content. Unlike FERPA and COPPA, which primarily focus on privacy concerns, CIPA is specifically designed to regulate children’s access to objectionable material on the internet, particularly in schools and libraries.

Who Does CIPA Apply To?

CIPA mandates that schools and libraries participating in the Federal Communications Commission’s (FCC) E-rate discount program, which provides discounts for internet access and internal connections, must implement measures to protect minors from accessing obscene or harmful online content. To fulfill this obligation, institutions have to deploy web filters and other solutions designed to block or filter out objectionable material.

CIPA Requirements 

Under CIPA, schools and libraries are obligated to develop and maintain an internet safety policy outlining their approach to safeguarding students from inappropriate online content. This policy must be publicly accessible, and institutions must hold at least one public meeting to discuss and disseminate information about their compliance efforts.

Furthermore, CIPA mandates that schools implement measures to monitor the online activities of minors, ensuring compliance with their internet safety policies. 

The 2012 Protecting Children in the 21st Century Act, an amendment to CIPA, requires schools to educate students on responsible online behavior. This educational curriculum covers various aspects of online interaction, including appropriate conduct on social networking platforms and in chat rooms, as well as strategies for dealing with cyberbullying incidents.

Complying with CIPA

The American Library Association shares practical tips for complying with CIPA: 

• Post printed as well as digital signs to let users know that filtering software is being used per CIPA requirements. 
• Explain CIPA policies. CIPA does allow schools to unblock sites if they’ve been blocked by mistake, and users can request that some websites be unblocked if they have educational value. 
• Adult users aged 17 and older can request that the entire filter be turned off. They don’t need to offer an explanation. 
• All of these guidelines should be posted clearly so that users understand their rights. 

More Information

Schools can find out more about CIPA and apply for funding through the Universal Service Administrative Company (USAC). And lastly, below is a quick explainer.

Conclusion

To recap what we’ve covered:

• COPPA focuses on protecting children’s online privacy
• FERPA safeguards the privacy of student education records, 
• CIPA addresses children’s access to inappropriate online content in educational institutions

Each of these laws plays a crucial role in ensuring the safety and privacy of children in various online and educational settings.

It’s in the best interest of everyone involved with education—including parents, management, and students—to understand student privacy laws and confirm that they or their schools are committed to complying with them and following best practices.