In recent months, the White House and members of Congress have called for an overhaul of the forty-year-old Family Educational Rights and Privacy Act (“FERPA”) (20 U.S.C. § 1232g; 34 CFR Part 99), which safeguards the privacy of students’ educational records.

Originally enacted in 1974, FERPA applies only to federally funded elementary, secondary and postsecondary educational agencies and institutions. Thus, FERPA does not restrict private companies from disclosing student information. Given the nature of education today, there are many private companies providing services to students and their parents, including college planning consultants, career services providers, college testing and application companies and other third-party vendors. Right now, a student and a parent have to review applicable state law and the privacy policies of these private companies to determine how the student’s personal records will be protected.

In addition to the White House, members of the Senate and the House have talked about introducing new student-data-privacy legislation. The pending House version, written by Representatives Jared Polis (D-CO) and Luke Messer (R-IN), is expected to closely align with President Obama’s policy initiatives.

Specific areas of focus for improving existing federal law include expanding the definition of “education record” to include digital data and metadata, broadening FERPA’s applicability to education technology vendors, adopting data security standards, providing for a tiered enforcement structure, and regulating the sharing or sale of student data to third parties for purposes unrelated to education.

In the interim, the private sector, through the Privacy Forum and the Software and Information Industry Association, has published a set of voluntary standards to protect K-12 student privacy. To date, more than 125 signatory companies, including Apple and Microsoft, have pledged to follow the standards.

Some twenty states have also taken action to fill what has been perceived as a gap in federal student privacy law and regulation, with a majority of states having introduced bills that address student privacy in recent years. Last fall, California adopted the Student Online Personal Information Protection Act (SOPIPA), which restricts the use of students’ educational data by third-party vendors.

Institutions and vendors active in the education industry will likely want to monitor federal and applicable state privacy laws and regulations closely (and, importantly, the direction in which any new legislation may be trending), and consider refining their practices as necessary to remain compliant with the evolving privacy landscape.

Robert Barbieri

Robert Barbieri’s practice involves all aspects of corporate and securities law, including securities law and compliance, mergers and acquisitions, private equity and venture capital transactions, joint ventures, finance transactions, and corporate governance. He has experience representing public companies with respect to capital markets transactions and SEC reporting requirements, as well as advising emerging companies on entity formation, financing, and general corporate matters. Read his full rc.com bio here.

Kathleen Porter

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.