One of the most prominent legal issues in the edtech space revolves around the Family Educational Rights and Privacy Act (FERPA), a law passed in 1974 to protect the privacy rights of students.
Today, the law repeatedly comes up as new technology products, many of which ask for students’ personal information, make their way into classrooms. Yet, a recent finding made by the U.S. Department of Education’s Family Policy Compliance Office on an outstanding FERPA complaint has privacy advocates hopeful that the law will be upheld—and may have edtech companies scrambling to ensure they are compliant.
According to filings from the Department, on December 16, 2012 parents issued a complaint against Agora Cyber Charter School, a virtual public school based in Pennsylvania, for violating their child’s privacy rights. The complaint alleged that parents were forced to agree to third-party privacy policies that did not protect their child’s personally identifiable information in exchange for educational services.
Last November, after reviewing responses from Agora, the Department found that the cyber charter did violate FERPA. To use services from Agora, which contracted with third-party service providers such as K12 Inc., Blackboard, and Sapphire, parents were required to agree to policies set forth by those providers. K12’s Terms of Use policy required students to enter identifiable data and granted the company and its affiliates “the right to use, reproduce, display, perform, adapt, modify, distribute, have distributed, and promote [information put into the platform] in any form, anywhere and for any purpose.”
The Department ruled that requiring students to use third-party services that share student data with unauthorized parties as a condition of enrollment is a violation of FERPA. In its letter, federal education officials wrote that “a parent or eligible student cannot be required to waive the rights and protections accorded under FERPA as a condition of acceptance into an educational institution or receipt of educational training or services.“
While the case at Agora took nearly five years to close, privacy experts are hopeful that this means the Department will be more responsive in the future towards agitators of the law.
“I think this letter is a really good sign and signals that the Department of Ed, after issuing a lot of assistance and guidance as to how FERPA applies, is now saying that it is going to start enforcing the law,” says Amelia Vance, policy counsel at the Future of Privacy Forum.
Vance also notes that the bigger implication of this finding is that schools requiring the use of edtech products as a condition of enrollment will have to make sure the service either complies with FERPA’s school official exception requirements, or parents will have the right to opt-out. These rights were not clear in past, Vance explains, meaning the ruling offers stakeholders a more tangible interpretation of the law.
“FERPA was written by lawyers and they are very bad—as a lawyer myself—at writing things in plain English,” says Vance. “To have [privacy rights] stated pretty clearly in this letter, I think, is really important.”