New FERPA Guidance on Third-Party Ed Tech Providers

A recent letter from the U.S. Education Department signals that the agency may be tightening its enforcement of the Family Educational Rights and Privacy Act (FERPA) as it relates to school requirements regarding technology in the classroom and the data use policies and practices of third-party education technology (ed tech) providers, reported the Future of Privacy Forum.

The department's correspondence is a response to an investigation of an online public charter K-12 school based in Pennsylvania and the terms and conditions of its third-party online learning platforms. However, the guidance would also impact colleges and universities.

The letter provides guidance to both K-12 and higher education institutions regarding FERPA's requirements for parental consent and education technology company products' terms of service. More specifically, it clarifies the department's position regarding best practices for effectively establishing direct control over the use and maintenance of education records and the personally identifiable information (PII) from such education records by third parties acting as school officials with legitimate educational interests in the online educational service context.

The finding letter makes clear that institutions must retain the responsibility to ensure any mandatory ed tech product is used only in compliance with FERPA protections, even when the institution does not directly own or manage the student account. Institutions may not require students or parents to waive their FERPA rights through an ed tech company’s terms of service.

The correspondence may encourage more third-party education providers to allow institutions to sign students up for the product directly. Separately, institutions may begin to require independent contracts or clauses in company terms of service that more specifically align with FERPA.

The finding letter marks the first instance in which the department directly finds fault with the policies and practices of an ed tech company and may signal the agency's increased interest in investigating and sanctioning practices that are inconsistent with FERPA, reported the Forum. While financial penalties against schools are rare, the department has other enforcement options, including the imposition of a five-year ban on data transfers from an offending school to the ed tech provider.

Institutions should carefully review their student and parental consent policies as well as the content of the privacy policies and terms of service of their ed tech partners to ensure that they adhere to the department's guidance on Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices and Protecting Student Privacy While Using Online Educational Services: Model Terms of Service.


Related Links

Future of Privacy Forum