In recent months, the White House and members of Congress have called for an overhaul of the forty-year old Family Educational Rights and Privacy Act (“FERPA”) ((20 U.S.C. § 1232g; 34 CFR Part 99), which safeguards the privacy of students’ educational records.
Originally enacted in 1974, FERPA applies only to federal funded elementary, secondary and postsecondary educational agencies and institutions. Thus, FERPA does not extend to restrict private companies from disclosing student information. Given the nature of education today, there are many private companies providing services to students and their parents, including college planning consultants, career services providers, college testing and application companies and other third party vendors. Right now, a student and a parent have to review applicable state law and the privacy policies of these private companies to determine how the student’s personal records will be protected.
In addition to the White House, members of the Senate and the House have talked about introducing new student-data-privacy legislation. The pending House version, written by Representatives Jared Polis (D-CO) and Luke Messer (R-IN) is expected to closely align with President Obama’s policy initiatives.
Specific areas of focus for improving existing federal law include expanding the definition of “education record” to include digital data and metadata, broadening FERPA’s applicability to education technology vendors, adopting data security standards and providing for a tiered enforcement structure and regulating the sharing or sale of student data to third parties for purposes unrelated to education.
In the interim, the Privacy Forum and the Software and Information Industry Association the private sector has published a set of voluntary standards to protect K-12 student privacy. To date more than 125 signatory companies, including Apple and Microsoft have pledged to follow the standards.
Some twenty states have also taken action to fill what has been perceived as a gap in federal student privacy law and regulation, with a majority of states having introduced bills that address student privacy in recent years. Last fall, California adopted the Student Online Personal Information Protection Act (SOPIPA) which restricts the use of students’ educational data by third-party vendors.
Institutions and vendors active in the education industry likely will want to actively monitor federal and applicable state privacy laws and regulations (and, importantly, the direction in which any new legislation may be trending), and consider refining their practices as necessary to remain compliant with the evolving privacy landscape.