Dear T.O. Ess,
Thanks for attending the Student Privacy in the Age of AI, Immigration, and Integrated Data: A Preview of AACRAO's Essential New FERPA Publication webinar. I appreciate your question regarding vendors increasingly asking institutions to accept “terms of service” instead of signing a contract. I am not necessarily seeing an uptick in this trend; however, many education‑technology vendors do ask institutions to accept standard online Terms of Service (TOS) instead of signing a negotiated contract. While this may work for consumer products, it creates significant compliance and governance risks for institutions handling student data. You ask: How can institutions encourage vendors to agree to a contract?
As you are aware, under FERPA’s school official exception, institutions may share PII from education records with vendors only if:
- The vendor performs a service the institution would otherwise perform.
- The vendor is under the institution’s direct control.
- The vendor uses PII only for the institution’s purposes.
- The vendor does not redisclose PII.
- The vendor meets security, retention, and destruction requirements.
Even though FERPA does not explicitly require a written contract, the Department of Education has stressed that a contract is the clearest, most enforceable way to demonstrate this control.
To encourage vendors to sign a contract, institutions can:
- Emphasize that vendors designated as “school officials” must be subject to institutional control over how they access, use, and disclose student information. A contract is the clearest way to demonstrate this control and is generally recognized as the compliance standard.
- Adopt policies stating that any vendor accessing PII from education records must sign a FERPA‑compliant data‑sharing or service agreement. This shifts the burden to the vendor rather than the institution.
- Explain that contracts clarify responsibilities, reduce liability, and prevent misunderstandings. Vendors often agree once they understand that contracts protect them from accidental FERPA violations.
It is also important to point out to vendors why Terms of Service are not sufficient for FERPA compliance. This includes stressing that:
- Vendors change TOS at any time without institutional approval—meaning the institution does not have direct control.
- TOS often allow vendors to use data for analytics, product improvement, or sharing with affiliates—uses which may not necessarily be permitted under FERPA.
- Most TOS lack essential elements such as limits on redisclosure, data‑destruction requirements, security obligations, subcontractor oversight, and designation as a “school official.”
- TOS are designed to protect the vendor, not to meet federal privacy requirements.
For more information on contracting with outside entities, see the 2012 AACRAO FERPA Guide, pages 24, 159, and 381.
I hope this is helpful.