
Applicable Laws

Family Educational Rights and Privacy Act (FERPA)

The primary law regulating privacy in both K-12 and higher education is the Family Educational Rights and Privacy Act (FERPA).1 FERPA gives students the right to access the records an institution keeps on them, the right to request that those records be amended, and some control over the disclosure of personally identifiable information (PII) from education records. FERPA applies to all academic institutions receiving funds under applicable Department of Education programs.

FERPA is essentially technology neutral and does not address online learning specifically. Currently, there is no official FERPA certification program for assessing third-party ed tech compliance in higher education. Products and services may describe how they comply with FERPA, but ultimately every institution must perform its own assessment to determine how its use of a product will affect the institution’s ability to comply.

FERPA’s definition of PII is more expansive than direct identifiers such as social security numbers or biometric features. It also includes semi-direct identifiers such as date of birth and mother’s maiden name, as well as “other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.”2 However, data that is anonymized (“de-identified”) so that it does not contain personally identifiable data can be shared with any third party without consent.3

Generally, FERPA requires written consent from students attending a postsecondary institution before educational records containing PII are released. However, FERPA contains several exceptions to the consent requirement. The “school official” exception is the one most relevant to distance learning and the use of ed tech vendors. This exception permits disclosures from student education records to school officials who have a “legitimate educational interest” in having access to a student’s records. School officials in this capacity include not only administrators and teachers, but also information technology personnel and others.4 This exemption permits the disclosure of PII from education records in the course of outsourcing to ed tech companies. Vendors can act as de facto school officials as long as the services or functions they provide are ones “for which the educational agency or institution would otherwise use its own employees.” However, schools must retain direct control over how PII is used and maintained, and they remain legally responsible for what happens to any data disclosed to ed tech companies.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA),5 passed in 1999, largely reformed regulation of the financial services industry, but it also included provisions relating to consumer financial privacy. The Federal Trade Commission (FTC) considers higher education institutions to be financial institutions subject to the GLBA if they participate in Title IV educational programs (that is, the school accepts federal financial aid for students). GLBA regulations include a privacy rule governing data privacy practices, but the FTC deems higher education institutions to be in compliance with the privacy rule if they are in compliance with FERPA. The Safeguards Rule of the GLBA, which is not satisfied by compliance with FERPA, concerns data confidentiality, but primarily from the standpoint of cybersecurity requirements. The Department of Education recently indicated that it will audit institutions for compliance with the Safeguards Rule of the GLBA.6 Requirements for compliance include performing a risk assessment that addresses network and information system security controls, incident response, and security training of employees. Schools must implement a safeguard for each risk identified.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a state law passed in 2018 that gives California consumers new rights and additional controls over the personal information that businesses collect and use. As of January 1, 2020, companies and institutions conducting business either in California or with the state’s residents are regulated by the CCPA.7 With the increase in remote learning and the potential for more California residents attending schools based in other states, the CCPA is relevant to schools across the country. Most colleges and universities would seem to be unaffected, as the law only pertains to for-profit entities. However, schools’ increasing use of for-profit vendors to provide distance learning may make the CCPA applicable. Whether a vendor falls under the purview of the CCPA depends on certain criteria: a business or vendor is covered if it has an annual gross revenue greater than $25 million, derives at least half of its annual revenue from sales of personal information, or receives or shares/sells the personal information of 50,000 or more California residents (usually defined as state taxpayers).

Notably, the CCPA contains a “right to deletion,” which enables consumers to request that an institution delete any and all information collected about them. However, this requirement is preempted to the extent that FERPA (a federal law) requires institutions receiving federal financial assistance to collect, store, and disclose certain data. This means that institutions will need to assess what data they must store to comply with federal law. They will also need to determine what personal information they or their third-party vendors collect that is subject to erasure and the other rights the CCPA provides to California residents.

Other State Laws

In recent years, over 40 states have enacted laws governing how schools and their service providers collect, use, and protect student data.8 Most of these laws cover only K-12 student data, but some also govern how public and private higher education institutions use student data. For example, a Louisiana law covering both public K-12 and higher education institutions requires, among other things, the deletion of personal data collected during the application process and prohibits certain student analytics.9 A few state laws, however, have been drafted solely to address higher education privacy and security, including a Virginia law that prohibits higher education institutions from requiring a student to disclose the log-on credentials of personal social media accounts.10

Some states have also enacted more general privacy laws, such as data breach notification laws, that may have privacy and security implications for educational institutions and the ed tech vendors they contract with in the course of providing online education.

Europe’s General Data Protection Regulation (GDPR)

Europe’s General Data Protection Regulation (GDPR) is a legal privacy framework adopted in 2018 that sets guidelines for the collection and processing of personal information from individuals living in the European Union (EU). Higher education institutions may also need to comply with the privacy provisions of the GDPR11 if they provide online classes to individuals in the EU. Compliance may also be required if they accept applications from EU residents, have study abroad programs in the EU, interact with EU-based alumni, or collect or use data about EU residents. All of the personal data processed in providing an online course is subject to GDPR compliance. The GDPR grants rights and imposes restrictions on data processing under the principles of purpose limitation and data minimization, which require additional safeguards above and beyond what FERPA requires. For example, the GDPR’s definition of “personal data” is broader than FERPA’s, requiring protection of additional information such as IP addresses. These and other GDPR-specific stipulations would need to be detailed in ed tech vendor contracts that involve collecting data, to ensure that GDPR requirements are being met on behalf of the institution.

Citations
  1. Higher education lacks the additional notice and consent requirements of the Children’s Online Privacy Protection Act (COPPA). COPPA generally requires companies collecting personal information online from children under age 13 to provide certain notices of their practices and obtain parental consent. However, schools can consent on behalf of parents to the collection of student data if the data is used solely for school-authorized educational purposes.
  2. “Personally Identifiable Information for Education Records,” U.S. Department of Education, accessed September 25, 2020.
  3. See the discussion of de-identification below.
  4. “Who Is A ‘School Official’ Under FERPA?,” U.S. Department of Education, accessed September 25, 2020.
  5. California Consumer Privacy Act.
  6. Office of Management and Budget, 2019 Compliance Supplement, July 1, 2019.
  7. California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100–1798.199.
  8. Future of Privacy Forum, State Student Privacy Laws, accessed August 20, 2020.
  9. House Bill 718 (HB718), Louisiana State Legislature, La. Civ. Code §§ 17:3914.
  10. Senate Bill 438 (SB438), Virginia State Legislature, Va. Civ. Code §§ 23-2.1:3.
  11. European Union, Complete Guide to GDPR Compliance, accessed September 1, 2020.
