Overview of Federal Regulations
The United States does not have a comprehensive law that covers data privacy; instead, there are federal and state laws that cover various types of data privacy, such as financial data or health information. As of 2024, only California and Virginia have enacted comprehensive state privacy laws.
In recent years, two major federal legislative proposals—the American Privacy Rights Act and the American Data Privacy and Protection Act—surfaced, both aiming in different ways to address data privacy, algorithm transparency, and other concerns in a comprehensive manner. While these proposals are not likely to pass any time soon, it is encouraging to see substantive, high-quality policy proposals circulating.
Related to the data privacy of students, there are currently two federal laws worth mentioning.
The Family Educational Rights and Privacy Act of 1974 (FERPA)
FERPA is the federal law that protects the privacy of student education records and applies to all schools and education agencies that receive funds under an applicable program of the U.S. Department of Education.
The last regulatory updates to FERPA predate the widespread use of technology in learning environments, including the storage of education records, the technological generation of records, and the use of technology to support and assess students. School districts and education institutions that are subject to FERPA must interpret how this law applies to the way data is accessed, used, and stored in light of artificial intelligence. For instance, using a program to detect AI usage may require students’ work to be processed through an outside third party, which may be a violation of FERPA.
In 2023, UC Santa Cruz issued guidance warning that services that purport to detect when AI is used in assignments should not be used without the disclosure and consent required under FERPA unless certain preconditions are met: that the service has been purchased and vetted by the institution, or that the tool is “protected from external access.”
Some of the key components of FERPA as it relates to schools include the following:
- Parents and guardians have rights to access, review, and request amendments to their child's education records until the student turns 18 or enters post-secondary education.
- Schools must obtain written consent before disclosing personally identifiable information (PII), with certain exceptions (e.g., health/safety emergencies, transfers, legal requirements).
- Education records include items like grades, disciplinary records, and transcripts, while directory information (e.g., name, grade level) can be shared unless parents and guardians opt out.
- Educators and schools must protect student data, including when using digital tools and educational apps, ensuring vendors comply with FERPA rules.
- Annual notifications to parents and guardians are required about their FERPA rights, with the ability to opt out of directory information sharing.
The Children’s Online Privacy Protection Act (COPPA)
COPPA sets specific requirements for operators of websites or online services that knowingly collect personal data from children under the age of 13. Primarily, it requires direct parental or guardian notification and parental or guardian consent for the collection of these children’s personal information and allows parents and guardians to control what happens to this data. It establishes that companies that collect this information must have clear policies for what information is collected and how it is secured.
COPPA aims to safeguard young students' personal information from being collected and used without parental or guardian consent, thereby enhancing their online privacy and safety.
Schools often use various online educational tools and platforms. In certain situations, schools can provide consent on behalf of parents and guardians for the collection of students' personal information, particularly when the data is used solely for educational purposes. This places a responsibility on educators and administrators to ensure that the digital tools they employ comply with COPPA regulations and adequately protect student data.
In January 2025, the Federal Trade Commission (FTC) finalized amendments to the COPPA rule to address evolving digital practices and enhance children’s online privacy protections. Key updates include:
- Separate Parental or Guardian Consent for Data Disclosure: Operators are now required to obtain distinct verifiable parental or guardian consent before disclosing a child's personal information to third parties. This change aims to give parents and guardians more control over their children's data, especially concerning targeted advertising practices.
- Data Retention and Deletion Policies: The amendments mandate that operators retain children's personal information only as long as necessary to fulfill the purpose for which it was collected. They must establish and disclose data retention policies and are prohibited from retaining such information indefinitely.
- Enhanced Oversight of Safe Harbor Programs: The FTC introduced stricter requirements for COPPA Safe Harbor programs, including more detailed reporting and public disclosure of member operators. This measure aims to increase transparency and accountability among organizations that self-regulate under COPPA guidelines.
These updates underscore how important it is for educators and school administrators to stay informed about COPPA regulations. Ensuring that the educational technologies and online services used within schools comply with these enhanced privacy protections is crucial to safeguarding student data effectively.