Student data privacy is both a legal requirement and an ethical obligation. Schools collect sensitive information about minors — information that can affect their futures if mishandled, and that families trust institutions to protect. Understanding the basic framework is essential for anyone involved in education technology decisions.
The Regulatory Foundation
FERPA (the Family Educational Rights and Privacy Act) is the primary federal law governing student education records in the United States. It gives parents — and students over 18 — the right to access and correct their education records, and generally prohibits schools from disclosing personally identifiable information from those records without consent.
FERPA has exceptions. It permits disclosure to school officials with legitimate educational interests, to other schools when a student transfers, to state and federal authorities for auditing, and under several other defined circumstances. Understanding what constitutes a legitimate exception is important when evaluating vendor data practices.
COPPA (the Children's Online Privacy Protection Act) applies specifically to the online collection of personal information from children under 13. It requires parental consent before collecting such information and imposes requirements on how that information may be used and shared. Education technology vendors who serve K-12 audiences must comply with COPPA.
Vendor Contracts and Data Agreements
When schools and districts contract with technology vendors, data privacy terms belong in those contracts. Specifically, the contract should state what data the vendor can collect, how the vendor may use it, whether the vendor can use student data for commercial purposes (advertising, product development, profile building), and what happens to student data at contract termination.
Many states have enacted additional student data privacy laws beyond federal requirements. Understanding your state's specific requirements and ensuring vendor contracts reflect them is a governance responsibility.
Practical Privacy Principles
Privacy by design means building privacy protections into systems from the beginning rather than bolting them on afterward. For education technology, this means collecting only the data that is genuinely needed for the educational purpose (data minimization), retaining it only as long as it is needed, and ensuring access is limited to those with a legitimate need.
See the data privacy checklist and vendor data privacy questions guide for practical implementation guidance.