School districts, like the rest of society, are well into the digital age. Interactive technology is now a staple of education, affecting all aspects of teaching and learning.  

These advances create amazing opportunities while also presenting new challenges, particularly in the area of student privacy. Recently, the coronavirus pandemic has resulted in an unprecedented shift to remote or virtual learning. This shift raises additional concerns regarding student privacy in the digital age.    

FERPA and the PPRA The Family Educational Rights and Privacy Act (FERPA) is the primary federal law protecting the privacy of student education records. FERPA gives parents certain rights with respect to their children’s records. Those rights transfer to the student when the student reaches the age of 18, or attends a school beyond high school, and becomes an “eligible student.” Schools must notify parents and eligible students annually of their rights under FERPA.    

Generally, parents and eligible students have the right to inspect and review the student’s education records and to request that a school correct records that they believe to be inaccurate or misleading. One of the most important aspects of FERPA is that it requires schools to have written permission from the parent or eligible student in order to release any information from a student’s education record. However, there are several important exceptions to the permission requirement.    

For example, FERPA allows schools to disclose student education records without consent to other schools to which a student is transferring, to organizations conducting studies for the school, to comply with a judicial order or lawfully issued subpoena, and to appropriate officials in cases of a health or safety emergency.    

In some circumstances, schools may also disclose student “directory” information without consent, such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. Parents and eligible students must have a reasonable opportunity to opt out of having student directory information disclosed.   

Online educational services sometimes use FERPA-protected information. For example, student names and contact information may be required in order to create accounts or to log in to certain platforms. Other services may not require FERPA protected information.    

When online services and virtual learning platforms do use personally identifiable student information, the most important exception to the parental consent requirement is the “school official exception.”    

Under the school official exception, schools and districts may disclose personally identifiable information from students’ education records to a provider under certain conditions. The provider must perform a service or function which the district would otherwise perform in-house, must meet the criteria set forth in the district’s annual notification of FERPA rights to be a school official with a legitimate educational interest in the records, be under the direct control of the district with regard to the use and maintenance of the records, and it must use the records only for authorized purposes without re-disclosing personally identifiable information unless otherwise permitted by FERPA.   

In addition to FERPA, the Protection of Pupil Rights Amendment (PPRA) provides parents with certain rights with regard to marketing activities in schools. While FERPA protects personally identifiable information from education records maintained by a school district, PPRA applies when personal information is collected directly from the student. PPRA requires that a school district must, with exceptions, directly notify parents of students who are scheduled to participate in activities involving the collection, disclosure, or use of personal information collected for marketing purposes, or to sell or otherwise provide that information to others for marketing purposes, and to give parents the opportunity to opt-out of these activities. PPRA also requires districts to develop and adopt policies, in consultation with parents, about these activities. However, neither parental notice, the opportunity to opt-out, or the development and adoption of policies are required for school districts to use personal information collected from students for the exclusive purpose of developing, evaluating, or providing educational products or services to students or schools.   

COPPA The Children’s Online Privacy Protection Act (COPPA) requires the Federal Trade Commission (FTC) to issue and enforce regulations regarding children’s privacy online. COPPA specifically imposes requirements on operators of websites or online services directed to children under 13 years of age or that know they are collecting personal information from a child under 13 years of age.   

Personal information under COPPA includes a child’s first and last name, home address, online contact information, telephone number, Social Security number, any identifier that can be used to recognize a user across different websites or online services, a photograph, video, or audio file containing a child’s image or voice, geolocation information; or information that the operator collects online from the child and combines with an identifier described above.   

According to the FTC, operators covered by COPPA must post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children, and provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children. Parents must be given the choice of consenting to the operator’s collection and internal use of a child’s information, while prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents). Parents must also be provided with access to their child’s personal information to review and/or have the information deleted and to prevent further use or online collection of a child’s personal information. Providers must maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security. Personal information collected online from a child may be retained for only as long as is necessary to fulfill the purpose for which it was collected. After which, reasonable measures must be taken to delete the information to protect against its unauthorized access or use. A child’s participation in an online activity cannot be conditioned on the child providing more information than is reasonably necessary to participate in the activity.    

COPPA directly applies to commercial operators, not schools. However, as with FERPA, an important exception to the requirement that operators obtain “verifiable parental consent” before collecting personal information is that school districts can grant consent on behalf of parents when the use of the website or online service is “solely for the benefit of students and the school system” and is specific to “the educational context.” In other words, the school’s ability to consent for the parent is limited to situations where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose.   

In order for an operator to rely on consent obtained from the school under COPPA, it must provide the school with the same type of notice regarding its practices as to the collection, use, or disclosure of personal information from children as it would to the parent.   

As a best practice, the FTC advises that schools should provide parents with a notice of the specific websites and online services whose collection it has consented to on their behalf under COPPA. In addition, the school may want to make the operators’ direct notices regarding their information practices available to interested parents. The school could make these disclosures and maintain the information on a website or provide a link to the information at the beginning of the school year, perhaps in connection with an Acceptable Use Policy or similar document.   

CIPA The Children’s Internet Protection Act (CIPA) addresses concerns related to children’s access to obscene or harmful content over the internet. CIPA imposes certain requirements on schools that receive discounts for internet access or internal connections through the E-rate program—a program that makes certain communications services and products more affordable for eligible schools.   

Schools subject to CIPA may not receive the discounts offered by the E-rate program unless they certify that they have an internet safety policy that includes technology protection measures. The protection measures must block or filter internet access to pictures that are: (a) obscene; (b) child pornography; or (c) harmful to minors (for computers that are accessed by minors). Before adopting their internet safety policy, schools must provide reasonable notice and hold at least one public hearing or meeting to address the proposal.   

Schools subject to CIPA have two additional certification requirements. Their internet safety policies must include monitoring the online activities of minors. They must also, as required by the Protecting Children in the 21st Century Act, provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, and cyberbullying awareness and response.   

Schools subject to CIPA are required to adopt and implement an internet safety policy addressing, among other things: access by minors to inappropriate matter on the internet; the safety and security of minors when using e-mail and chat rooms, and measures restricting minors’ access to materials harmful to them. CIPA does not require the tracking of internet use by minors or adults.   

Virtual Learning In Spring 2020, the Student Privacy Policy Office of the United States Department of Education (USDOE) provided guidance on virtual learning in response to the demand created by the coronavirus pandemic.    

The USDOE recognized that schools can use video conferencing or other learning software apps to hold classes virtually pursuant to the “school official exception” to FERPA’s parental consent requirements discussed above.    

Schools can disclose students’ education records or personally identifiable information as long as the provider:    

  • performs an institutional service or function for which the school district would otherwise use its own employees;
  • has been determined to meet the criteria set forth in the district’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records or personally identifiable information;    
  • is under the direct control of the district regarding the use and maintenance of the education records or personally identifiable information; and    
  • uses the education records or personally identifiable information only for authorized purposes and does not re-disclose the records or information to other parties (unless the provider has specific authorization from the school district to do so and it is otherwise permitted by FERPA).    

The USDOE confirmed that it is permissible to record virtual classes and share the recording with students who are unable to attend a live session as long as the video recording does not disclose personally identifiable information from student education records without appropriate consent. FERPA would not prohibit the teacher from making a recording of the lesson available to students enrolled in the class.   

The Policy Office clarified that it is permissible for a teacher working from home to conduct a teacher-student conference virtually. However, if the teacher’s spouse is present in the room during the conference, the teacher may not disclose personally identifiable information from the student’s education record within hearing range of his or her spouse absent written consent from the parent.   

The agency advised that non-students can observe a virtual lesson as long as personally identifiable information from student education records is not disclosed during the lesson. However, as a best practice, schools should discourage the observation of virtual classrooms by non-students to avoid the possibility of disclosure of personally identifiable information from a student’s education record.    

The USDOE noted that the directory information exception permits certain personally identifiable information to be disclosed during classroom instruction.  It further advised that the directory information exception may not be used to opt out of the disclosure of a student’s name or email address in a class in which the student is actually enrolled.    

The agency also recommended that schools take steps to instruct students that they should be careful not to share or record any personally identifiable information that may be disclosed in a virtual classroom.   

A full review and analysis of the laws discussed above is beyond the scope of this article. The material presented is for general informational purposes and is not legal advice. It is important to address any specific questions or concerns with your board counsel.   

John E. Croot, Jr. is a partner with Adams, Gutierrez & Lattiboudere, LLC.