When colleges and universities started shutting down in March of 2020 in response to the spread of COVID-19, they were forced to move from in-person or semi-digital environments to fully online in a matter of days. This led to one of the largest educational technology experiments in history, with the average institution needing to move more than 500 courses online.¹ Many colleges were already developing or expanding online education programs prior to the pandemic, but for others the move to online education is new. With the fall 2020 semester, some institutions have attempted to re-open for in-person classes or opted for a hybrid model of holding classes online while bringing some students back to campus, but many are primarily offering distance learning.²

The educational technology (ed tech) used for delivering online classes is serving an essential role in allowing schools to continue teaching under unusual conditions. However, the ongoing shift to remote learning is leading privacy professionals, faculty, students, and others to focus on both pre-existing and new privacy issues related to the technology facilitating online learning. Given the younger age of the students in K-12, educators have recognized for some time that the use of ed tech in secondary school education raises privacy concerns. The devices used for K-12 education are more likely than those used in higher education to be issued to students or accessible in the classroom, and researchers and privacy advocates have long been concerned about the use of these devices for surveillance,³ school shooting prevention,⁴ and other secondary purposes that raise privacy issues.

Until fairly recently, higher education institutions focused more on the cybersecurity aspect of data protection. It was not until 2018 that privacy first showed up on the top 10 list of information technology issues in EDUCAUSE’s⁵ information technology poll of institutions.⁶ Privacy advocates and the media have brought greater attention to privacy in higher education in part due to the collection of student data for predictive analytics uses⁷ and greater on-campus surveillance of students.⁸ The increased use of remote learning, and the increasing amounts of student data they generate, will add to privacy concerns. There are clearly important questions about what happens to the data collected in the course of providing distance learning that institutions and ed tech companies need to answer.

Distance learning will likely be an important issue of discussion and scrutiny in higher education for some time. Schools will continue to rely on it as the pandemic continues, but there is also the potential for a longer-term shift to more distance education in the post-pandemic future. This paper offers an overview of privacy issues and concerns related to online learning in higher education.

The primary law regulating privacy in both K-12 and higher education is the Family Educational Rights and Privacy Act (FERPA).⁹ FERPA provides students the right to access records an institution keeps on them, the right to request to have the records amended, and offers some control over the disclosure of personally identifiable information (PII) from education records. FERPA applies to all academic institutions receiving funds under applicable Department of Education programs.

FERPA is essentially technology neutral and does not address online learning specifically. Currently, there is no official FERPA certification program for assessing third-party ed tech compliance for higher education. Products and services may outline how they comply with FERPA, but ultimately every institution must perform its own assessment to determine how their use will affect the institution’s ability to comply.

FERPA’s definition of PII is more expansive than direct identifiers such as social security numbers or biometric features. It also includes semi-direct identifiers such as date of birth and mother’s maiden name, as well as “other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.”¹⁰ However, data that is anonymized (“de-identified”) so that it does not contain personally identifiable data can be shared with any third party without consent.¹¹

Generally, FERPA requires written consent from students attending a postsecondary institution before releasing educational records that contain PII. However, FERPA contains several exceptions to the consent requirement. The “school official” exception is the one most relevant to distance learning and use of ed tech vendors. This exception permits disclosures from student education records to school officials who have a “legitimate educational interest” in having access to a student's records. School officials in this capacity includes not only administrators and teachers, but also information technology personnel, and others.¹² This exemption permits the disclosure of PII from education records in the course of outsourcing to ed tech companies. Vendors can act as de facto school officials as long as the services or functions they provide are ones “for which the educational agency or institution would otherwise use its own employees.” However, schools must retain direct control over how PII is used and maintained, and they remain legally responsible for what happens to any data disclosures to ed tech companies.

The Gramm-Leach-Bliley Act (GLBA),¹³ passed in 1999, largely reformed regulation of the financial services industry, but also included provisions relating to consumer financial privacy. The Federal Trade Commission (FTC) considers higher education institutions to be financial institutions subject to the GLBA if they participate in Title IV educational programs (that is, the school accepts federal financial aid for students). GLBA regulations include a privacy rule governing data privacy practices, but the FTC deems higher education institutions to be in compliance with the privacy rule if they are in compliance with FERPA. The Safeguards Rule of the GLBA, which is not covered by compliance with FERPA, concerns data confidentiality, but primarily from a standpoint of cybersecurity requirements. The Department of Education recently indicated that it will audit institutions for compliance with the Safeguards Rule of the GLBA.¹⁴ Requirements for compliance include performing a risk assessment that addresses network and information system security controls, incident response, and security training of employees. Schools must implement a safeguard for each risk identified.

The California Consumer Privacy Act (CCPA) is a state law passed in 2018 that gives California consumers new rights and additional controls over personal information that businesses collect and use. As of January 1, 2020, companies and institutions conducting business either in California or with the state’s residents come under regulation by the CCPA.¹⁵ With the increase in remote learning and the potential for more California residents attending schools based in other states, the CCPA is relevant to schools across the country. Most colleges and universities would seem to be unaffected, as the law only pertains to for-profit entities. However, schools’ increasing use of for-profit vendors in providing distance learning may make the CCPA applicable. Whether a vendor falls under the purview of the CCPA is based on certain criteria. A business/vendor must either have an annual gross revenue of greater than $25 million, derive at least half their annual revenue from sales of personal information, or receive or share/sell personal information of 50,000 or more California residents (usually defined as a state taxpayer).

Notably, the CCPA contains a “right to deletion,” which enables consumers to request that the institution delete any and all information collected. However, this requirement is preempted to the extent that FERPA (a federal law) requires institutions which receive federal financial assistance collect, store, and disclose certain data. This means that institutions will need to assess what data they must necessarily store to comply with federal law. They will also need to determine what personal information they or their third-party vendors collect that is subject to erasure and other rights provided to California residents by the CCPA.

In recent years, over 40 states have enacted laws governing how schools and their service providers collect, use, and protect student data.¹⁶ Most of these laws solely cover K-12 student data, but some also govern how public and private higher education institutions use student data. For example, a Louisiana law covering both public K-12 and higher education institutions requires, among other things, deletion of personal data collected during the application process, and a prohibition on certain student analytics.¹⁷ A few state laws, however, have been drafted solely to address higher education privacy and security, including a Virginia law which prohibits higher education institutions from requiring a student to disclose the log-on credentials of personal social media accounts.¹⁸

There are other general privacy laws that some states have enacted, such as data breach notification laws, that may also have privacy and security implications for educational institutions and the ed tech vendors they contract with in the course of providing online education.

Europe’s General Data Protection Regulation (GDPR) is a legal privacy framework adopted in 2018 that sets guidelines for collection and processing of personal information from individuals living in the European Union (EU). Higher education institutions may also need to comply with the privacy provisions in Europe’s GDPR¹⁹ if they provide online classes to individuals in the EU. Compliance may also be required if they accept applications from EU residents, have study abroad programs in the EU, interact with EU-based alumni, or collect or use data about EU residents. All of the personal data processed in providing an online course is subject to GDPR compliance. The GDPR provides rights and imposes restrictions on data processing under principles of purpose limitation and data minimization that require additional safeguards above and beyond what FERPA requires. For example, GDPR’s definition of “personal data” is broader than FERPA, requiring protection of additional information such as IP addresses. These, and other GDPR-specific stipulations would need to be detailed in ed-tech vendor contracts that involve collecting data to ensure that GDPR requirements are being met on behalf of the institution.

Higher education has slowly and steadily adopted distance learning over the past two decades. By the fall of 2018, 35 percent of all postsecondary students were enrolled in distance learning classes,²⁰ and just prior to the pandemic, 88 percent of all postsecondary institutions offered at least some completely online courses.²¹ The technologies for providing remote learning have rapidly grown and transformed. There are now a multitude of ed tech tools used in higher education online programs: learning management systems like Canvas and Blackboard, lecture capture software such as Kalture, video conferencing platforms such as Zoom and WebEx, online exam proctoring tools such as ProctorU, and many others. Some schools also choose to outsource the partial or full provision of their distance learning programs to companies known as online program managers (OPMs). The following section provides an overview of the main technologies used for online learning and the privacy concerns they pose.

Initially introduced in the late 1990s, learning management systems (LMSs) have become the central technology tool for colleges in creating, distributing, and managing educational content. They have seen a rapid transformation from their beginnings as simple web pages and content libraries, and they now provide a number of tools for course organization and delivery, collaborative interaction, measuring and assessing student learning, and other functions. In recent years, the LMS market has moved away from in-house LMSs to cloud-based solutions provided by companies such as Canvas.

In the past, many schools mainly used LMSs to support and supplement in-person classes, providing the ability to create structured course content, access reading materials, and administer quizzes, among other functions. LMSs are now often used for hybrid and remote learning as well. Most LMSs have functionality for providing virtual classrooms and online learning through various integrated tools. Many universities have leaned more heavily on these functions of their LMS platforms with the shift to online learning caused by the COVID-19 pandemic.²²

LMSs, with their host of applications, often serve as large repositories of student data that institutions can use for analytic purposes. Increased remote learning will add new volumes of video and learning data captured in the course of online classes. As data continues to amass in LMSs, privacy risks increase, both from the potential for data breaches and the potential for misuse of data. Concerns have also been raised about what happens to these troves of data when LMS companies are sold.²³

Videoconferencing tools are often essential to remote learning, enabling live classes and allowing students and teachers to communicate and collaborate virtually. Most LMSs have integrated videoconferencing capabilities,²⁴ but Zoom and other videoconferencing platforms are frequently being used as separate, supplemental tools during the pandemic as well.²⁵

Video streams and recordings (as well as audio) from online learning may be considered education records under FERPA in certain circumstances. The video needs to be directly related to a student. This includes classes and other educational situations where students are on video asking questions, making presentations, or appearing in any other way that would make it possible to personally identify the student. This can be simply attending a videoconferenced class with the camera on.²⁶

Video from classes are often recorded and saved so they can be rewatched by students later. This means that missteps, embarrassing moments, and other video data that students may not want others to see can be collected and stored. Turning on the camera for remote classes also means virtually allowing others into a student’s home.²⁷ A great number of personal details can often be gleaned through the presence of other people, personal objects, photographs, and calendars. Without proper security and privacy controls, other parties could potentially access these recordings.

Students from high-risk populations, including undocumented immigrants, may face immediate threats to their safety as a result of images, videos, and other information collected in online classes. For example, remote students who are citizens of countries with censorship laws may face prosecution for comments made in online classes.²⁸ In addition to students, family members, and friends who happen to be captured on video (or audio) during a student’s class could also potentially be at risk.

While FERPA does protect against sharing of video educational records with law enforcement without consent, there are exceptions. The "law enforcement" exception relates to records and surveillance video maintained by the school's “law enforcement unit” (those designated to monitor the safety of the school and enforce laws).²⁹ Under FERPA, these records are not considered educational records and can be disclosed without consent to law enforcement. Video data from online learning, while considered an education record under FERPA, may be disclosed to law enforcement only in the event of a “health or safety emergency”³⁰ or by judicial order or subpoena.³¹ However, videos of online classes usually include images of multiple students, creating concerns that law enforcement could potentially misuse this data should they gain access to it, targeting vulnerable populations. This could possibly be done by mining videos using facial recognition tools.

In addition to the privacy risks from school or law enforcement access, entrance to live videoconferences by uninvited individuals is a high-profile problem that became apparent in the early days of the COVID-19 outbreak. Unauthorized entries into meetings and classes were frequently made by individuals, often for the purpose of disruption.³² The prevalence of this occurring on Zoom popularized the term “Zoom-bombing.”³³ Increased awareness of this issue has led to better security practices in using videoconferencing tools. Platforms have improved safeguards and security options, and users have learned to configure settings to make meetings more secure through password requirements, restricting screen sharing to host only, creating waiting rooms for new participants, and other changes. However, Zoom-bombing still remains a problem for schools.³⁴

Creating a distance learning program has large costs in up-front development, data storage, and maintenance that many institutions do not want to take on themselves. Some colleges thus choose to outsource creating and administering their online learning courses to third-party contractors known as online program management companies (OPMs). As online learning continues during the pandemic and beyond, more and more schools will likely consider partnering with an OPM.³⁵

Many OPMs provide a bundle of services that go beyond the implementation of online learning technology. They can also handle marketing, recruitment, and retention services for institutions. While some OPM contracts are fee-for-service based, others are revenue-based. Revenue-based agreements provide OPMs with sizable financial incentives to enroll students, as they often receive half or more of tuition revenue.³⁶ As OPMs serve multiple online college programs, personal information from student applications can be repurposed for marketing, raising potential privacy concerns. Contracts can permit student application information from one school to be used by the OPM to market another school to students that the OPM provides services for (and thus may have a financial incentive in increasing enrollment for). The value of this data to OPMs can be significant. In 2014, OPM 2U paid the University of California-Berkeley $4.2 million to use data from student applicants to market another school to those students.³⁷

Institutions are facing increasing pressure from the higher education policy community to be more transparent about the terms of their relationships with OPMs,³⁸ including clarity about data privacy. A recent analysis of public colleges’ contracts with OPMs conducted by the Century Foundation found that 32 percent had “vague and/or no protections on the use of students’ data and information.”³⁹ Schools often omit any mention of the role of OPMs in their online programs, much less clear details of the privacy protections implemented under their auspices.⁴⁰

With an inability to have in-person exams during the shift to online learning, college use of remote proctoring software and services, like Proctorio and Examity, has surged.⁴¹ These tools can work within existing LMSs, or as a stand-alone service.⁴²

Proctoring tools can be invasive and capture large amounts of data. Audio and video of the student and the environment the student is taking the exam in is recorded, eye movements are tracked, mouse movements and other computer activity are recorded, and proctors can remotely access and control the student’s computer.⁴³ Proctoring has become increasingly automated, requiring little human involvement. Facial recognition can be used to help authenticate the student’s identity. The system then monitors the test taker for the duration of the exam, flagging suspicious or abnormal test-taking behaviors using advanced analytics.

If not fully automated, and a human proctor is required, remote proctoring is ordinarily done from an office, where supervisors can monitor the actions of the proctors. The lockdowns due to the COVID-19 pandemic, however, have forced many companies to allow their proctors to work remotely, raising additional privacy concerns regarding the lack of oversight of proctor behavior.⁴⁴

When an online proctored test begins, students are usually required to show photo identification to their laptop camera.⁴⁵ Depending on the ID used, the proctor collects data such as name, signature, address, driver’s license number, and passport number. Breaches or misuse of identification data that include citizenship or national origin information raise privacy concerns for both undocumented students and other groups at risk of discrimination, persecution, or law enforcement actions based on this information.

Like videoconferencing, there are many opportunities beyond the direct recording of the student for privacy leaks through objects in the test taker’s environment that the camera may capture. The risk is greater in certain ways, as remote proctoring often requires the test taker to begin by showing the entire room that the test is being taken in. Also, unlike remote classes, where a student has the option of turning their camera off, during a remote proctored exam students must leave their camera on and stay in front of the camera for the full duration. Given that test taking can be a high-stress situation, embarrassing moments may be captured.⁴⁶

Almost all LMS platforms have some ability to track the learning activity of students. Schools’ primary stated aim of this tracking is to improve student retention and graduation rates. However, colleges are also increasingly tracking where students go. Institutions use students’ phones to collect data on their location, citing a number of purposes, including monitoring attendance and tardiness,⁴⁷ mental health,⁴⁸ and for campus safety.⁴⁹ Many institutions have increased tracking for COVID-19 tracing purposes, sometimes through required downloads of tracking apps.⁵⁰ Some schools have also considered the use of wearable health monitoring devices.⁵¹ Using technology for contact tracing may have benefits in expanding traditional manual tracing systems and providing rapid alerts to potentially exposed individuals, but it raises a number of privacy and civil liberties concerns.⁵²

While schools mainly use networks of Bluetooth transmitters and wireless access points on campus to collect location information on students, with the continuing pandemic there may be an increased desire to track both on-campus and hybrid learning students—not only when they are on campus, but as they leave to go home or otherwise go off campus. While direct tracking by the institution is less of a concern with fully remote students, who are not required to use special tracking apps or devices during the pandemic, mobile apps may still be collecting GPS location data. Some schools have their own mobile apps⁵³ that provide campus-based maps and information, but may be used by remote students as well to access grades, class schedules, and other information, and thus schools could still potentially track these remote students’ location. LMSs can include mobile apps as well that allow students to access educational materials and participate in online classes and class discussions. These and other third-party ed tech apps may collect location data, either for potential use by the institution or for marketing and advertising purposes.⁵⁴

Predictive analytics is the analysis of current and historical data through various statistical means and data mining tools to make predictions about future events. Higher education uses predictive analytics for a number of purposes, including identifying students most in need of advising services, developing adaptive and personalized learning programs, and managing enrollment and retention. In the past it was an involved process to export data from LMSs for analysis, but current LMS technologies often integrate data extraction and analytic tools.

Institutions are understandably interested in how students are adapting to the increased use of online learning. A poll conducted by EDUCAUSE in May 2020 found that demand from college administrators for analytics on student success increased 66 percent since the start of the pandemic.⁵⁵ The largest increase in demand for data was for information related to students’ usage of technology tools.⁵⁶

The desire to make analytics increasingly precise creates an incentive for schools to collect greater amounts and more types of data, leading to surveilling students not only more intensely while learning, but also outside of a learning environment, for instance seeing how often students visit the library or a gym.⁵⁷ Analytics providers are also now beginning to use machine learning and other artificial intelligence approaches. These often require very large volumes of data to train the algorithms used, increasing the potential privacy harms of breaches. There is also concern that predictive analytics efforts will have a larger privacy impact on low-income students and students of color, groups that tend to have a higher percentage of the at-risk student populations that predictive analytics focuses on.⁵⁸

Declining costs of cloud storage have made it easier and cheaper to store data, and educational technology continues to enable greater ways to collect more and more data. This creates incentives for both institutions and ed tech providers to amass data for refining analytic tools and for potential use in future applications. The more prevalent use of remote instructional tools and services due to the pandemic will add increasing amounts of video, experiential learning and testing data, and other information about students collected in online learning environments that will be of potential value for colleges.

FERPA does not provide any specific requirements for minimizing the amount of data collected, or for retention or deletion of data, other than mandating that institutions retain records for compliance with any legal or policy requirements, such as an outstanding request for inspection. Schools may retain some data, such as student transcripts, indefinitely. However, when schools disclose PII to ed tech vendors, the FERPA requirement that the vendor protect the PII from unauthorized disclosure implies adequate destruction of data when no longer needed per Department of Education interpretation and guidance.⁵⁹ FERPA does not explicitly require institutions to establish any policies for data retention and deletion. It only specifies that when institutions choose to delete PII, they must use “reasonable methods." FERPA, however, does not provide details on such methods. Deletion may mean the overwriting or destruction of data using various means, but can also mean removal of PII through de-identification. De-identified information from education records is not subject to any further deletion requirements as, by definition, it is no longer PII under FERPA.

De-identification of data is the process of altering data, such as by removing or obscuring PII, to prevent it from being used to identify a person. De-identified data may be shared under FERPA without consent, and with any third party.⁶⁰ FERPA’s requirement for successful de-identification is “a reasonable determination that a student’s identity is not personally identifiable, whether through single or multiple releases, and taking into account other reasonably available information.”⁶¹ While FERPA does not specify methods for de-identification, the Department of Education’s Privacy Technical Assistance Center has released some definitions of de-identification techniques and guidance.⁶²

When organizations, including higher education institutions, share data with third parties, they often rely on de-identification as a privacy protection. However, in recent years, de-identification of data has been shown to be problematic through studies demonstrating the ability to match anonymized data back to an individual (“re-identification”).⁶³ Re-identification is often done using external databases to infer information about the anonymized data (known as linkage attacks). FERPA’s standard of reasonably available information presents a challenge. It is difficult to assess what information someone may be able to use in any given re-identification attack. Anonymized datasets also cannot be taken back once released, so even if data is effectively de-identified based on current standards, future techniques and newly available information could remove those protections.

Ideally, institutions should have someone with data privacy expertise assess the techniques that they or their vendors are using to anonymize data, what other controls are in place, and whether the risks of re-identification are low enough. They should also be forward looking—taking advantage of new privacy technologies for anonymization as they become available. Differential privacy has emerged as one of the most promising de-identification techniques, as it can provide formal, mathematical assurances of privacy. Private companies such as Apple are using differential privacy, as is the Census Bureau for the 2020 Census.⁶⁴

To fully protect students’ privacy, institutions and their ed tech providers need to do more than comply with the bare minimum protections required by law. This should start with minimizing the amount of data they retain in the first place by only collecting data that has clear and necessary uses and developing policies for keeping that data only as long as it is needed. This includes clearly detailing what video and other online learning related data will be stored, and for how long.

As colleges pass data privacy obligations on to vendors and partners in the provision of online learning, schools ultimately remain responsible for protecting students. As a first-order concern, schools should ensure that the distance learning technologies they use are compliant with FERPA and other laws as applicable. With the COVID-19 pandemic, technology companies have more frequently posted information about their products and privacy policies that explain how their use of student data complies with FERPA.⁶⁵ This may provide only part of the privacy picture, however. The detailed, full privacy policies of ed tech companies can be looked to in assessing actual privacy practices. Unfortunately, privacy policies are often lengthy, filled with jargon and legalese, and difficult to understand.⁶⁶ How companies will protect data privacy in practice is often hard to assess.

In the K-12 context, there has been some progress in holding ed tech companies accountable through tools such as Common Sense Media’s privacy reviews of ed tech apps⁶⁷ and the Future of Privacy Forum and the Software & Information Industry Association’s Privacy Pledge,⁶⁸ a signed code of conduct for ed tech vendors. The FTC can bring civil enforcement actions against companies that sign the pledge and do not adhere to the commitments it outlines. While this pledge is targeted toward companies that provide ed tech designed for K-12 institutions, it includes signatories such as Blackboard and Canvas that provide their same platforms and tools with modifications for higher education as well.

While students and teaching faculty should carefully review the privacy policies of any remote learning ed tech they are considering using (or OPMs they are considering partnering with), assessing privacy policies should only be a first step for institutions. Schools need to fully understand what technical and administrative protections for data are in place, and ensure that ed tech companies meet both the requirements of the institution’s stated privacy practices and their system security plan to ensure privacy is protected in all phases of data collection, use, and storage. Both privacy policies and vendor contracts should, at minimum, include terms covering what data will be stored, limitations on the use of data, how data will be protected, and when and how data will be deleted. There should be clear and transparent answers to questions about a company’s data use practices: whether data is being used in secondary ways, especially uses other than the ways in which it is being explicitly used for; if any data being shared with third parties, and if so, for what purposes; whether data is being used to build any sort of profile on students, and if this profile is for non-primary or non-explicit uses; and under what terms and conditions data is shared with the government and with law enforcement. There should also be clear limits on data collection. Schools should ensure that the vendors they contract with minimize the amount of data they collect, only gathering and retaining information that has necessary, clearly stated purposes.

Institutions should also keep in mind that FERPA and other privacy laws provide a floor for privacy protection, not a ceiling. They can, and should, act in the best interests of their students and use their power as the customers of ed tech companies to enhance overall privacy. For example, unless institutions take steps to prohibit the practice, there is a risk that ed tech companies will seek to monetize student behavioral data as a funding stream, leading to extended surveillance of students’ learning experiences.⁶⁹

The COVID-19 pandemic presents unique challenges to students, faculty, and staff of colleges in forcing an unprecedented move to online course delivery and learning. To aid in the pandemic-led shift to online classes, a wide number of technology companies have offered free or discounted tools for distance learning. Many colleges quickly adopted new ed tech and made short-term contracts and agreements with vendors; faculty often cobbled together various tools and apps themselves to continue their classes virtually.⁷⁰ As online learning continues through the pandemic, it may lead to a longer-term shift to distance learning in higher education. However, as outlined in this paper, there are a number of privacy considerations and vulnerabilities in online learning that institutions should address.

Both institutions and ed tech companies need to be clearer about their policies and practices for collecting and using student data. A lack of transparency has been a particular problem in aspects of higher education online learning. Relationships between schools and OPMs are often unclear, including terms of data use and protections.⁷¹ And there is often little transparency into how video and other data captured during online classes and proctoring of online exams will be used, who will be able to view it, and how securely and for how long it will be stored.⁷² While it is perhaps understandable that colleges needed to quickly pivot to remote learning as the pandemic began, now is the time to ensure the technologies being used are protecting the privacy of student data. Schools may not only need to update their privacy policies and vendor contracts, but also their own privacy practices and principles to reflect increased reliance on online learning and new data sharing and data integration practices.