United States: Student Data Protection In An Era Of Education Technology Innovation

Reaching a Congressional Consensus Will Likely Require Additional Deliberation

During the current 114th U.S. Congress, a variety of House and Senate bills have been introduced that propose different approaches to addressing the growing bipartisan concern about protecting the privacy of student data (below, "Personally Identifiable Information" or "PII"). The bills address PII maintained by public and private educational institutions and state educational agencies and, in some cases, PII maintained or accessible by technology service providers or other third parties doing business with these educational entities.

Consensus regarding how and whether to increase federal mandates and penalties concerning protection of PII has not yet been reached, but awareness exists that student PII, whether for K-12 students or older, is becoming increasingly vulnerable to unauthorized disclosure or misuse, in particular for marketing purposes. Another concern is that the Family Educational Rights and Privacy Act (FERPA)—the primary federal statute designed to protect private student information—may not be adequate to respond to technological changes in how PII is stored, shared and accessed, although how and whether to amend FERPA to address this concern is far from settled.

As summarized in this Alert, the congressional proposals introduced thus far take very different approaches, including establishing a study commission to develop legislative proposals with the input of the government and the private sector; imposing additional regulation on K-12 technology service providers; and strengthening and updating FERPA, with or without enhanced governmental and private enforcement mechanisms to incentivize compliance by educational institutions and service providers.

Approach 1: Establishment of a Study Commission

The Every Child Achieves Act of 2015 (S. 1177, the bill reauthorizing the Elementary and Secondary Education Act/No Child Left Behind), passed in the Senate in July with an amendment that would establish a "Student Privacy Policy Committee" made up of congressional, federal, state, local and private representatives; experts in education technology, data storage and student privacy; and educators and parents. The Committee would study the effectiveness of current federal laws and enforcement mechanisms to protect student privacy and parental rights relating to student information and develop recommendations regarding how to improve and enforce federal laws. Specifically, the Committee would:

  • Examine whether there is a need to provide or update standard definitions for terms related to student privacy, including: "(i) education record; (ii) personally identifiable information; (iii) aggregated, de-identified, or anonymized data; (iv) third-party; and (v) educational purpose";
  • Identify which federal laws should be updated and the appropriate federal enforcement authority to execute such laws;
  • Address data sharing in an increasingly technological world, including evaluating protections in place for student data when it is used for research purposes; establishing best practices for any entity that is charged with handling, or that comes into contact with, student education records; ensuring that identifiable data cannot be used to target students for advertising or marketing purposes; and establishing best practices for data deletion and minimization;
  • Discuss transparency and parental access to personal student information by establishing best practices for ensuring parental knowledge of any entity that stores or accesses their student's information; parental rights to amend, delete or modify their student's information; and the designation of a central contact in a state or a political subdivision of a state who can oversee transparency and serve as a point of contact for interested parties;
  • Establish best practices for the local entities who handle student privacy, which may include professional development for those who come into contact with identifiable data; and
  • Discuss how to improve coordination between federal and state laws.

Not later than 270 days after the date of enactment, the Committee would prepare and submit a report to the Secretary of Education and to Congress containing the findings of the study.

A House counterpart to S. 1177 passed in the House in July. This bill, H.R. 5, or the "Student Success Act," contains a "sense of Congress" provision, stating that the Secretary of Education has the responsibility to ensure every entity receiving federal funding under the Act holds PII in "strict confidence" and states that the Secretary should review regulations and ensure all PII is protected. The House bill, therefore, appears to urge the Secretary to more vigorously enforce current law.

In sum, both S. 1177 and H.R. 5 advocate a relatively modest approach to protecting student data privacy. These approaches would avoid establishing a new federal regulatory regime for student data privacy. The bills need to be conferenced, and it remains to be seen whether the proposals will make it into the final law in any form.

Approach 2: Target Operators Providing Certain Technology Services to K-12 Educational Institutions

Another approach, which takes direct aim at online applications used or designed and marketed for K-12 education purposes, is set forth in a bill pending in the House Education and the Workforce Committee and the House Energy & Commerce Committee. The Student Digital Privacy and Parental Rights Act of 2015, H.R. 2092 [Rep. Messer (R-Ind.) and Rep. Polis (D-Colo.) co-sponsors], a counterpart to S. 1788, applies to any entity (other than an educational agency or institution) that operates Internet websites; online services, such as cloud computing services; online applications; or mobile applications that are used for K-12 purposes and were designed and marketed for K-12 purposes (defined as "operators" in the Act). The legislation would, among other things:

  • Prohibit an operator of a school's Internet or online service that is designed and marketed for K-12 educational or administrative purposes from presenting students or parents with targeted advertisements that are selected based on information obtained or inferred from students' online behavior, use of online or mobile applications or PII about the students. (The proposed Act would exempt from these prohibitions online advertisements that are contextually relevant and selected based on a single visit or session of use during which the advertisements are presented, provided that information about the students' online behavior is not collected or retained over time.)
  • Prohibit an operator from selling students' personal information to third parties or collecting student information to create a personal profile or for purposes unrelated to educational instruction, school collaboration or administrative activities.
  • Require operators to implement information security procedures and a process for responding to data breaches; to notify the Federal Trade Commission (FTC) and students, parents, educational agencies or institutions, school officials or teachers of unauthorized acquisitions of, or access to, personal information; and to delete certain student information that is not required to be maintained by the school within 45 days after a request from an educational agency, institution or student's parent, or within one year after the operator ceases to provide the service.
  • Require operators to disclose publicly the types of personal information they collect or generate, the purposes for which the information is used or disclosed to third parties and the identity of any such third parties.
  • Instruct operators to establish procedures for parents and system users to access and correct certain information.
  • Allow operators to disclose students' information only for certain lawful purposes or pursuant to a process that requires the student's or parent's express affirmative request. It requires an operator to receive the student's or parent's request before providing transcripts for admission to an institution of higher education or to a potential employer.
  • Provide authority to the FTC to enforce the Act and treat violations as unfair or deceptive acts or practices under the Federal Trade Commission Act.

Approach 3: Amend FERPA to Strengthen Student and Parent Protections and Enhance FERPA Enforcement Mechanisms

The remaining approaches all involve proposed amendments to FERPA.

1. The Student Privacy Protection Act, H.R. 3157 [Rep. Rokita (R-Ind.), Rep. Fudge (D-Ohio), Rep. Kline (R-Minn.) and Rep. Scott (D-Va.)] was introduced on July 22, 2015, and referred to the House Education and the Workforce Committee. The bill applies to public and private elementary and secondary schools, local educational agencies and institutions of higher education, as well as to education service providers defined as any provider other than a school official or employee of services developed and targeted to students for an educational purpose, whether specifically marketed to schools, institutions of higher education, educational agency or institutional employees or officials, or other individuals primarily engaged in the provision of educational services. The bill would, among other things:

  • Amend FERPA to strengthen privacy protections for students and parents through expanding parental access rights to information held by an educational agency or institution, or state educational authority, for the purpose of inspecting, reviewing, challenging and correcting information in the education records of minors.
  • Require that an educational agency or institution, and the state educational authority:

    • establish, implement and enforce policies and procedures regarding information security practices that: serve to protect the education records (and PII contained therein) held or maintained by that educational agency or institution, or state educational authority; and require any party that is given access to such education records (or PII contained therein) on behalf of the educational agency or institution, or state educational authority, to have information security practices that serve to protect such records and information;
    • designate an official who is responsible for maintaining the security of education records; and
    • establish a breach notification policy in the case of a breach of the security practices or the release of the education records or information, under which the educational agency or institution, or state educational authority provides notification of the breach or violation to parents in not less than three days of being made aware of such breach and works with the third parties involved with such breach or violation to gather the information necessary to provide such notification.
  • Establish a marketing and advertising ban that prohibits any person with access to an education record or a student's PII contained in the education record from marketing or otherwise advertising directly to students with the use of the information gained through access to such record or information.
  • Prohibit an educational agency or institution or state educational authority from contracting with or entering into an agreement with an education service provider that has a policy or practice of using, releasing or otherwise providing access to PII in the education record of a student to advertise or market a product or service or for the development of commercial products or services.

    • The Act makes exceptions for contracts related to official school pictures, class rings, yearbooks or other traditional school-sanctioned commemorative products, events or activities; for PII that may be used by an education service provider to develop, diagnose or deliver services to improve a student's academic outcomes or to assist an educational agency or institution to develop, diagnose or deliver services to improve a student's academic outcomes; for an educational agency or institution or state educational authority sharing information on educational opportunities offered by such agency, institution or authority; or for a case in which the parent of a student at an educational agency or institution has provided written consent for an educational service provider to utilize PII.
  • Vest enforcement in the Secretary of Education and authorize the Secretary to terminate federal assistance and impose fines on an educational agency or institution, or state educational authority. Fines may be imposed for a failure to voluntarily comply with the law or for a substantial violation of the law (even a single violation). Fine amounts are a minimum of $100 and a maximum of $1,500,000, depending on the severity of the violation, except in no case may such a fine exceed 10 percent of the annual budget of such agency or institution, or authority. The Act states that action to terminate federal assistance may be taken only if the Secretary finds there has been a failure to comply with the law and the Secretary has determined that compliance cannot be secured by voluntary means.
  • Extend enforcement of the Act, with respect to a release of an education record or PII contained therein, which was made by a party that is not subject to a fine by the Secretary (i.e., education service provider and others), by authorizing the Secretary to:

    • refer such violation, and the supporting material for such violation, to the Commissioner of the Federal Trade Commission or the Attorney General for action; and
    • require the educational agency or institution, or local educational agency or state educational authority involved, to prohibit access to such PII by such party (or individuals who worked for or with such party at the time of such violation) for a period of not less than five, and not more than 12 years, as determined by the Secretary.
  • Establish or designate an office within the Department of Education for the purpose of investigating, processing, reviewing and adjudicating violations of this section and complaints that may be filed concerning alleged violations.

2. The Protecting Student Privacy Act of 2015, S. 1322 [Senator Markey (D-Mass.), Senator Hatch (R-Utah) and Senator Kirk (R-Ill.)] was introduced on May 13, 2015, and referred to the Senate Committee on Health, Education, Labor and Pensions. The bill applies to educational agencies and institutions, including local educational agencies, receiving federal funding and to any "outside party"—meaning "a person that is not an employee, officer, or volunteer of the educational agency or institution or of a Federal, State or local governmental agency and includes any contractor or consultant acting as a school official or authorized representative or in any other capacity." Among other things, the bill would:

  • Amend FERPA to prohibit programs administered by the Department of Education from making funds available to any educational agency or institution that has not implemented information security policies that protect PII in education records and require each outside party to whom PII from education records is disclosed to have a comprehensive security program to protect such information.
  • Prohibit such funds from being made available to any educational agency or institution that has a policy or practice of using, releasing or providing access to PII to advertise or market a product or service.
  • Require state agencies receiving such funds, and each educational agency or institution, to ensure that any outside party (including any contractor or consultant acting on behalf of or with the school's authority) with access to such records: provides parents with access to any PII it holds about their students; provides a process to challenge, correct or delete any inaccurate, misleading or inappropriate data through a hearing by the agency or institution providing the outside party with access; maintains a record of all individuals, agencies or organizations that have requested or obtained access to the education records of a student; and has information security procedures in place.
  • Prohibit funds from being made available to any educational agency or institution, or any state educational agency, unless the agency or institution has a practice that promotes data minimization by meeting requests for student information with non-PII and requires PII held by any outside party to be destroyed when the information is no longer needed for the specified purpose.

It is important to note that the bill's enforcement mechanism is tied solely to federal funds access and would thus place the burden on educational entities to ensure outside party compliance with the law.

3. The Student Privacy Protection Act, S. 1341 [Senator Vitter (R-La.)], was introduced on May 14, 2015, and referred to the Senate Committee on Health, Education, Labor and Pensions. The bill applies to educational agencies or institutions as currently defined in FERPA and defines "student data" as "information about a student collected and maintained by an educational agency or institution, by a person or third party collecting or maintaining such information through the active intervention, facilitation, or authorization of such agency or institution, or by a person or third party acting for such agency or institution."

The legislation would:

  • Amend FERPA to prohibit funding of educational agencies or institutions that allow third parties to access student data, unless:

    • the agency or institution, prior to receiving parental consent, notifies parents of the data that would be accessed, that the data will be made available to the third party only if the parent consents, that the parent has the ability to access and correct inaccurate data and that the agency or institution and the outside party are liable for violations;
    • the agency or institution can ensure that the data cannot be used to determine the student's identity;
    • the student data remains the property of the agency or institution and is destroyed when the individual is no longer served by the agency or institution; and
    • the third party agrees to be liable for FERPA violations.
  • Extend FERPA rights to parents of any students for whom the agency or institution maintains student data, including home-schooled students who do not attend such agency or institution.
  • Remove an exception that currently allows educational agencies or institutions to permit the release of student educational records without parental consent to organizations studying predictive tests, student aid programs and instruction.
  • Require parental consent before authorized representatives under the direct control of the Comptroller General, the Secretary of Education or state educational authorities may access records for audits and evaluations of federally supported education programs administered by state or local public education agencies or institutions, or enforcement of federal legal requirements.
  • Prohibit the Department of Education or fund-receiving educational agencies or institutions from appending student data with PII obtained from federal or state agencies through data matches.
  • Bar funds from being used to track a student's educational and career progression activities or obligate an elementary or secondary school student to involuntarily select a career or related job training.
  • Require aggregation, anonymization and de-identification of student data permitted to be released or collected under various exceptions.
  • Make federal agencies and fund-receiving educational agencies, institutions and third parties that do not comply with FERPA civilly liable for a monetary award to affected persons.
  • Prohibit psychological testing or predictive modeling of behaviors, beliefs or value systems. It would also bar video monitoring or computer camera surveillance without a public hearing and consent of teachers and parents.
  • Prohibit surveys soliciting specified information about students or their families, including information on political affiliation, religious practices or gun ownership.

This legislation would likely place greater responsibility on educational institutions to require compliance with the law by third parties with access to PII and includes a private right of action for violations.

If you have any questions about this Alert, please contact Katherine D. Brodie, Michelle Hon Donovan, Alison Haddock Hutton, John M. Neclerio, any of the attorneys in our Education Practice Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.
