Last updated 3 months ago. Our resources are updated regularly but please keep in mind that links, programs, policies, and contact information do change.

Introduction

The shift toward online learning has transformed education in the United States. While digital education offers flexibility and innovative teaching approaches, it raises important privacy concerns. Understanding how existing laws protect student data in these new environments is crucial for parents, students, and schools.

This article explains the Family Educational Rights and Privacy Act (FERPA) and explores how its principles apply to online K-12 and higher education. We’ll cover the rights FERPA grants, school responsibilities when using digital tools, common privacy risks, and best practices for protecting student information.

What is FERPA? Understanding the Basics

Core Definition and Purpose

The Family Educational Rights and Privacy Act (FERPA), enacted in 1974 and also known as the Buckley Amendment, is a foundational federal law designed to safeguard student education records. Its purpose is to grant parents and eligible students access to education records while protecting that information from disclosure to third parties without consent.

FERPA applies to educational agencies and institutions receiving funding through programs administered by the U.S. Department of Education. This includes nearly all public K-12 schools and districts, as well as most public and private colleges and universities. However, private and faith-based K-12 schools generally don’t receive such federal funding and are typically not subject to FERPA.

The official resource for FERPA information is the U.S. Department of Education’s Student Privacy Policy Office (SPPO). The detailed regulations implementing FERPA are found at 34 CFR Part 99.

FERPA’s enforcement mechanism involves potentially withholding federal funds from institutions with a policy or practice of non-compliance. While this represents a significant penalty, this measure has never actually been implemented. Compliance is often driven by schools’ desire to maintain their reputation, adhere to state laws, fulfill vendor contracts, and follow Department of Education guidance.

Who is Protected?

FERPA primarily protects parents of students under 18 years old enrolled in K-12 schools. These rights generally belong to both custodial and noncustodial parents, unless limited by court order, state law, or other legally binding document.

A critical aspect of FERPA is the transfer of rights when a student either:

  • Reaches age 18, OR
  • Enrolls in a postsecondary institution at any age

At this point, the student becomes an “eligible student” under the law, and FERPA rights transfer from parents to the student.

FERPA protections apply to current and former students. The law doesn’t cover individuals who applied but never attended classes, nor does it extend to records of deceased students.

What is an “Education Record”?

FERPA protections center around “education records.” These are defined as records that are:

  1. Directly related to a student, AND
  2. Maintained by an educational agency/institution or a party acting on their behalf

The format doesn’t matter—FERPA applies to traditional formats like handwriting and print, as well as electronic formats including emails, computer files, databases, videos, audio recordings, and digital information.

Common examples of education records include:

  • Grades and transcripts
  • Class lists and student schedules
  • Disciplinary records
  • Standardized test results
  • Health and immunization records (in K-12 schools)
  • Financial aid records (in colleges)
  • Emails between students and school officials containing student-specific information
  • Video recordings of students created and maintained by the school
  • Data stored in Learning Management Systems (LMS) or educational software

However, FERPA excludes certain types of records from its definition:

  • Sole Possession Records: Notes kept by a school official for personal use as a memory aid and not shared with others
  • Law Enforcement Unit Records: Records created and maintained by a school’s designated law enforcement unit for law enforcement purposes
  • Employment Records: Records related to school employees who aren’t also students
  • Treatment Records (Postsecondary): Records made by healthcare professionals providing treatment to college students, subject to specific confidentiality rules
  • Post-Attendance Records: Records created after a student leaves, if not directly related to their time as a student
  • Peer-Graded Papers: Grades on papers graded by fellow students before collection by the teacher
  • Personal Knowledge/Observation: Information known or observed by a school official that wasn’t obtained from an education record

The interpretation of “maintained by” the institution can be unclear with online learning data. Historically, this phrase suggested centrally organized records. Online learning generates vast amounts of data that might be decentralized, transient, or primarily stored by third-party vendors. Some legal interpretations suggest certain digital data might fall outside FERPA’s scope if not formally managed according to specific protocols.

What is “Personally Identifiable Information” (PII)?

Personally Identifiable Information under FERPA refers to information in education records that could identify a specific student, either alone or combined with other information.

PII includes direct identifiers such as:

  • Student’s name
  • Names of parents or family members
  • Address
  • Student ID number
  • Social Security number

It also encompasses indirect identifiers that might identify a student when combined with other information:

  • Date of birth
  • Place of birth
  • Mother’s maiden name
  • Other information linked to a specific student

Even metadata (like login times) or aggregated information can be considered PII if a reasonable person within the school community could use it, along with other available information, to identify an individual student.

A student ID number or user ID used for accessing electronic systems is considered PII. However, under specific circumstances related to directory information, such identifiers might be disclosable if they require another authentication factor (like a password) to access education records.

Applying FERPA to the Digital Classroom

FERPA’s core principles apply whether learning occurs in a traditional classroom or through online platforms. Information generated and stored electronically can qualify as protected “education records” if directly related to a student and maintained by the educational institution or a party acting on its behalf.

Virtual Classrooms (Video Conferencing)

Video conferencing tools for live instruction introduce specific FERPA considerations:

Live Observation: Similar to observing a physical classroom, determining who can observe a live virtual class session is generally a local school decision. FERPA neither requires nor prohibits such observation, as typical classroom instruction usually doesn’t involve disclosing PII from education records.

Recordings as Education Records: If virtual class sessions are recorded and these recordings are maintained by the school (or a vendor acting for the school) and directly related to students (e.g., capturing student participation or presentations), these recordings can become education records under FERPA. This triggers FERPA rights, including parental/student access rights and consent requirements for third-party disclosure.

Online learning, especially involving recorded sessions, blurs the line between instruction and record creation. In a physical classroom, student comments are typically transient. In a recorded virtual session, that same participation becomes part of a stored artifact potentially subject to FERPA’s access, amendment, and disclosure rules.

Learning Management Systems (LMS)

LMS platforms contain substantial student information. Data within an LMS—including grades, submitted work, participation records, discussion posts, and activity logs—generally constitutes education records if directly related to specific students and maintained by the school or the LMS provider acting as the school’s agent.

Managing access controls within the LMS is critical to ensure only authorized individuals can view specific student records.

Other Educational Technologies (Apps, Online Services)

Schools must evaluate each educational technology carefully. If using a service requires the school to provide PII (creating accounts with student names or IDs), then FERPA protections apply. The school must either:

  • Obtain prior written consent from parents/eligible students, OR
  • Ensure the disclosure falls under a valid FERPA exception (typically the “school official” exception)

If students can use an online resource without logging in or providing PII from education records, FERPA may not apply. However, schools must remember that PII includes metadata and indirect identifiers that could identify students when combined with other information.

The volume and speed of data generated in online learning present challenges for consistent FERPA application. Traditional classrooms generate discrete records like tests and report cards, but online platforms capture clicks, time spent on tasks, chat messages, and video interactions continuously and automatically.

Emails

Electronic communications between students and school officials that contain PII related to education (discussing grades, progress, disciplinary issues, or educational needs) and are maintained by the school system are considered education records under FERPA. Schools should implement best practices regarding the content and security of email communications involving student PII.

Your Rights Under FERPA in Online Learning

FERPA empowers parents and eligible students with specific rights concerning education records. These rights apply regardless of whether learning occurs in-person or virtually.

Core Rights (Parents and Eligible Students)

FERPA grants four primary rights to parents (for students under 18 in K-12) and eligible students (students 18+ or in college):

1. The Right to Inspect and Review Education Records

Parents and eligible students can access and examine education records maintained by the school, including those held by third-party vendors acting as school agents. Schools must respond within 45 calendar days (some state laws require faster response). This right applies equally to online records in an LMS, video recordings, or relevant emails.

While schools must provide access, they generally aren’t required to provide copies unless circumstances make on-site inspection impractical. If records contain information about multiple students, the requesting parent/student can only access information pertaining to their child/themselves.

2. The Right to Seek Amendment of Education Records

Parents and eligible students can request corrections if they believe information in education records is inaccurate, misleading, or violates privacy rights. This right addresses factual errors, not substantive decisions like grades or disciplinary rulings (unless the record incorrectly reflects the decision made).

Schools must consider amendment requests and respond in writing. If denied, they must inform the requestor of their right to a formal hearing. If the hearing outcome is unfavorable, the parent/student can place a statement in the record explaining their disagreement.

3. The Right to Consent to Disclosures of PII

Educational institutions must generally obtain prior written consent before disclosing PII from education records to third parties. This consent must:

  • Be signed and dated
  • Specify which records can be disclosed
  • State the purpose of the disclosure
  • Identify who may receive the information

This requirement applies when sharing student data with third-party online service providers, unless a specific FERPA exception permits disclosure without consent.

4. The Right to File a Complaint

If parents or eligible students believe a school has violated FERPA requirements, they can file a formal complaint with the U.S. Department of Education’s Student Privacy Policy Office.

Exercising these rights effectively in online learning contexts may require more specific requests than with traditional records. Parents and students might need to specify particular data sets, time periods, or platforms when requesting access.

School Responsibilities in the Online Realm

Educational institutions subject to FERPA have significant responsibilities to protect student privacy, particularly when using online learning tools.

Annual Notification of Rights

Schools must provide annual notification to parents and eligible students regarding their FERPA rights. This notification must inform recipients about:

  • Their right to inspect and review education records and procedures for doing so
  • Their right to seek amendment of records they believe are inaccurate
  • Their right to consent to disclosures of PII, except where FERPA allows disclosure without consent
  • The school’s criteria for determining who qualifies as a “school official” with “legitimate educational interest”
  • Types of PII designated as “directory information” and the right to opt out
  • The right to file a complaint with the Department of Education

The Department of Education provides model notification templates that schools can adapt.

Handling Consent and Its Exceptions

Schools are responsible for obtaining valid consent before disclosing PII, unless a FERPA exception applies. Key exceptions relevant to online learning include:

School Officials with Legitimate Educational Interest

Disclosure is permitted to officials within the school with a legitimate educational need to access information for professional duties. This exception can extend to third-party vendors (like LMS providers or instructional tools) if:

  • The vendor performs a function the school would otherwise use its own employees for
  • The vendor meets the school’s criteria for being a school official with legitimate interest
  • The vendor is under the school’s direct control regarding record use and maintenance
  • The vendor uses PII only for authorized purposes and doesn’t re-disclose it without permission

Directory Information

Schools may disclose information designated as “directory information” without consent, provided they have:

  • Given public notice of what information is considered directory information
  • Informed parents/students of their right to opt out
  • Provided a reasonable method and timeframe for opting out

Directory information includes PII not generally considered harmful if released (name, address, email, photo, major, etc.). It can include student IDs only if they require another factor (like a password) for authentication.

If someone opts out, the school cannot release their directory information under this exception.

Other Exceptions

FERPA permits disclosure without consent in several other specific situations, including:

  • Disclosures to officials of another school where the student seeks enrollment
  • Organizations conducting studies for the school under strict conditions
  • Authorized officials for audit or evaluation purposes
  • Health or safety emergencies
  • Judicial orders or lawfully issued subpoenas
  • Parents of dependent students at the postsecondary level (at the institution’s discretion)
  • Alcohol/drug violations by college students under 21 (at the institution’s discretion)

Vetting Third-Party Vendors (Online Services/Apps)

A critical responsibility for schools using online learning technologies is thoroughly vetting third-party vendors, especially when relying on the “school official” exception to share PII without direct parental consent. This involves:

Evaluating Terms of Service and Contracts: Carefully review vendor agreements, being wary of non-negotiable “click-wrap” agreements with insufficient privacy protections. Use resources like the PTAC Model Terms of Service checklist.

Ensuring Key Contractual Provisions: Contracts should explicitly include:

  • Purpose limitation (data used solely for specific educational purposes)
  • Re-disclosure prohibition
  • Commercial use prohibition (no targeted advertising or data mining)
  • Data security requirements
  • Data ownership (remaining with the school/district)
  • Data return/destruction protocols
  • De-identification standards
  • Parental access facilitation

The “school official” exception provides flexibility for schools to integrate valuable online tools. However, it places significant responsibility on schools to ensure vendors act as true agents under school control. This requires robust vetting, strong contracts, and ongoing monitoring.

Ensuring Data Security

Schools must implement reasonable administrative, technical, and physical safeguards to protect PII in education records from unauthorized access or disclosure. This includes data stored on school servers, in cloud services, and on devices used for online learning. Schools should develop incident response plans to address potential data breaches.

Online Learning Privacy Risks and Challenges

Despite FERPA’s protections, online learning introduces specific privacy risks:

Data Breaches: Educational institutions and vendors are targets for cyberattacks, including ransomware seeking to extort money by threatening to release sensitive student data.

Unauthorized Access and Disclosure: Weak access controls, inadequate training, or human error can lead to accidental or intentional disclosure of PII beyond what’s permitted.

Third-Party Data Misuse: Vendors might collect more student data than necessary, use it for purposes beyond education (refining algorithms, marketing), mine data for targeted advertising, or improperly share data with other entities.

Video Conferencing Vulnerabilities: Recorded virtual classes create challenges in managing access and consent, especially with multiple students captured. There’s also risk of unauthorized recording or exposure of private home environments.

Online Proctoring Concerns: Remote exam proctoring services often use invasive methods like continuous webcam monitoring, screen recording, keystroke logging, eye-tracking, and room scans. This raises concerns about collecting sensitive biometric data, potential biases against students of color or those with disabilities, and intrusion into private living spaces.

Risks of “Free” Educational Tools: Educators might adopt free applications without thorough vetting, unaware the provider’s business model relies on collecting and monetizing student data.

De-identification Difficulties: Ensuring data is truly de-identified before secondary use can be technically challenging, with residual risks of re-identification when combined with other datasets.

Over-Surveillance and Chilling Effects: Constant monitoring of online activity can create an environment of over-surveillance, potentially discouraging students’ natural curiosity and intellectual risk-taking.

Institutional Capacity: Many schools, particularly smaller ones, may lack the legal, technical, and financial resources to properly vet online services, negotiate strong privacy contracts, implement robust security, and provide ongoing training.

FERPA’s structure can sometimes obscure accountability. The law primarily regulates educational institutions, not vendors directly. When a vendor handles student data under the “school official” exception, legal responsibility remains with the school, potentially making vendor accountability challenging.

Best Practices for Protecting Student Privacy Online

Ensuring student privacy in online learning requires collaboration between institutions, educators, parents, and students.

For Educational Institutions (Schools, Districts, Colleges)

Develop Clear Policies: Establish comprehensive written policies addressing student data privacy, security, and acceptable use of educational technologies. Implement detailed data governance covering the entire data lifecycle.

Implement Rigorous Vetting: Create formal processes for evaluating all online services before adoption. Utilize resources from the Department of Education’s PTAC to assess vendor practices.

Utilize Strong Contracts: Insist on detailed, legally binding agreements rather than standard click-wrap terms. Ensure contracts address FERPA requirements, purpose limitation, data ownership, security obligations, breach notification, and data deletion.

Practice Data Minimization: Collect and retain only student data necessary for legitimate educational purposes. Limit vendor access to the minimum PII required.

Ensure Transparency: Communicate openly with stakeholders about which online services are used, what data is collected, how it’s used and protected, and with whom it’s shared. Make annual FERPA notices easily understandable.

Provide Regular Training: Implement mandatory training for all staff covering FERPA requirements, data security practices, and specific policies for online tools.

Implement Robust Security: Employ layered security including administrative, technical, and physical safeguards. Conduct regular risk assessments and develop incident response plans.

Designate a Privacy Point Person: Appoint a specific individual or office responsible for privacy compliance, vendor management, and training coordination.

For Educators

Adhere to Institutional Policies: Use only school-approved online tools and platforms. Avoid unapproved “free” resources that might compromise student privacy.

Understand FERPA Fundamentals: Know the basic requirements regarding confidentiality of education records and restrictions on disclosing PII.

Maintain Secure Practices: Use strong passwords, secure devices, and exercise caution with emails containing PII. Be mindful of what’s visible during virtual classes.

Limit Data Sharing: Share PII only when educationally necessary and permitted under school policy and FERPA guidelines.

For Parents and Eligible Students

Know Your Rights: Familiarize yourself with FERPA rights – inspection, amendment, consent, and complaints. Use the parent and eligible student guides from the Department of Education.

Review School Communications: Read the school’s annual FERPA notification and communications about online platforms and data policies.

Ask Questions: Inquire about specific online tools being used, what data they collect, how it’s protected, and whether the school has written vendor agreements.

Consider Directory Information Opt-Out: Understand what your school designates as directory information. If concerned about its release, exercise your opt-out right. Pay attention if photos or videos are included.

Periodically Review Records: Request access to your or your child’s education records, including online platform data, to check accuracy and understand what’s maintained.

Practice Secure Habits: Use strong passwords for school accounts, secure home networks, and discuss online safety with children.

Report Concerns: If you believe FERPA has been violated, raise concerns with school administration first. If unresolved, file a complaint with the SPPO.

Protecting student privacy requires shared responsibility—schools implementing strong policies and vetting technologies, educators following guidelines, parents and students staying informed and engaged, and vendors honoring contractual obligations.

Department of Education Guidance on FERPA and Virtual Learning

The U.S. Department of Education’s Student Privacy Policy Office provides authoritative guidance on FERPA. In response to increased online learning, SPPO has issued specific resources:

Additional foundational guidance includes:

Despite these resources, technological innovation often outpaces formal guidance. Newer technologies like AI-powered educational tools or invasive proctoring software present complex FERPA questions not explicitly addressed in current guidance. There’s a need for more proactive, timely updates from the Department of Education to keep pace with educational technology developments.

FERPA’s Intersection with Other Privacy Laws

FERPA doesn’t operate in isolation. Several other laws intersect with it, creating a complex regulatory landscape for schools using online learning technologies.

Children’s Online Privacy Protection Act (COPPA)

Scope: COPPA is enforced by the Federal Trade Commission and targets online collection of personal information from children under 13. It applies to commercial websites, online services, games, and apps directed toward children under 13 or that knowingly collect their information.

Core Requirement: Operators must provide notice to parents about data practices and obtain verifiable parental consent before collecting, using, or disclosing a child’s personal information.

School Consent Exception: COPPA allows schools to act as intermediaries and provide consent on parents’ behalf, but only if:

  • The operator collects information solely for educational purposes, not commercial purposes
  • The vendor provides the school with a COPPA-compliant privacy notice

Schools should review vendor privacy policies carefully and notify parents about services for which they’ve provided consent.

The FERPA-COPPA interplay can be confusing. Data collected by an app might initially fall under COPPA, but if integrated into school-maintained student records, it could also become protected by FERPA.

Protection of Pupil Rights Amendment (PPRA)

Scope: Also administered by the Department of Education, PPRA applies to programs receiving DOE funding.

Focus: PPRA addresses student participation in surveys, analyses, or evaluations that reveal sensitive information (political affiliations, mental problems, sexual behavior, family relationships, religious practices, income, etc.).

Requirements: Schools must obtain prior written consent before minor students participate in such DOE-funded surveys, and must provide parents access to inspection of materials. PPRA also requires policies regarding collection and use of student information for marketing purposes.

Health Insurance Portability and Accountability Act (HIPAA)

General Rule: Student health records maintained by educational institutions subject to FERPA are typically considered “education records” governed by FERPA, not Protected Health Information under HIPAA.

Exceptions: HIPAA might apply in limited circumstances, such as university hospitals serving the general public that also maintain student treatment records.

Guidance: Joint guidance from the Departments of Education and Health and Human Services clarifies the FERPA-HIPAA intersection, particularly regarding sharing health information in emergencies.

Individuals with Disabilities Education Act (IDEA)

Scope: IDEA governs provision of special education and related services to eligible students with disabilities.

Confidentiality Provisions: IDEA includes requirements for protecting records of students receiving services, generally aligning with FERPA but with some additional specifics related to disability records.

State Student Privacy Laws

Recognizing FERPA’s limitations, many states have enacted their own student privacy laws, often with more specific protections for online learning and third-party vendors. By 2018, at least 40 states had passed such laws.

Common elements in state laws include:

  • Direct regulation of edtech vendors
  • Prohibition of commercial use of student data
  • Data security mandates
  • Data deletion requirements
  • Transparency measures
  • Data governance policies
  • Enhanced parental/student rights
  • Restrictions on data sharing

Notable state laws include California’s Student Online Personal Information Protection Act (SOPIPA), Illinois’ Student Online Personal Privacy Act (SOPPA), and New York Education Law § 2-d.

The strength and scope of these state laws vary significantly, creating a patchwork of regulations. While state laws fill perceived gaps in FERPA, this fragmentation presents challenges for nationwide compliance and means student privacy protection can differ substantially based on location.
