50 Years after FERPA’s Passage, Ed Privacy Law Needs an Update for the AI Era

FERPA was enacted a half century ago in response to rising concerns about new technology. Technology has continued to evolve; so must FERPA.


August 21 marks 50 years since the Family Educational Rights and Privacy Act (FERPA) was passed into law. Back then, student privacy looked a lot different than it does today: The classrooms and textbooks of yesteryear presented much less risk than Google or artificial intelligence do, but education officials still had growing concerns over databases and record systems.

FERPA permits parents and eligible students (typically over age 18) to inspect and correct their education records. It also requires consent before disclosure of personally identifiable information (PII) from those records, though there are numerous exceptions. In addition, schools must notify parents and eligible students annually of their FERPA rights.

With the advent of education technology, FERPA is really showing its age. Though it has changed slightly since its enactment, the last congressional update was over a decade ago, and regulations from the Department of Education are also woefully outdated. (Updates to the regulations from the department are frequently said to be imminent, but as of this writing, none are public.)

Privacy concerns have steadily increased over the last few decades, as technology continues to develop and make increasingly intrusive incursions into every aspect of life. While FERPA does provide at least some protections for students — unlike, say, for consumers in general — the fact is, it does not mandate adequate safeguards.

Students and families in today's digital world deserve modern protections that accurately reflect contemporary society and their learning experiences. Here are a few suggestions for bringing FERPA into its next half century.

First, it should reflect that the information contained in student records is much broader than documents in files or scanned into computers. FERPA needs to protect students' online information; protected "education records" should explicitly and unambiguously include online data created by students, including web browsing and search histories, interactions with tech tools and artificial intelligence chatbots, and other digital activity.

Second, the concept of directory information — things like a student's name, address, telephone listing, email address, photograph, date and place of birth, height and weight (for athletic team members), and student ID numbers — needs an overhaul for the digital age. Under FERPA, schools can share this information with a third party or the public generally, unless a parent has opted out.

Directory information is supposed to be data that is not considered harmful or invasive if disclosed. But given rapid advances in technology, much of it could lead to commercial profiling, identity theft, and other harms. The definition should be narrowed, and parents should be allowed to choose what specific information schools can share. And that sharing should be opt-in, item by item, not the current blanket opt-out.

Third, the FERPA statute did not contemplate the extent to which edtech and third-party companies would be integrated into students' daily lives. The Department of Education has since interpreted "school officials" — with whom information can be shared without consent — to include edtech vendors when they have a legitimate educational interest, perform a function the school would otherwise do, are under the school's direct control with respect to use of student records, and comply with other FERPA requirements. It would be helpful for Congress to indicate very clearly when FERPA-covered information may be shared with edtech vendors and other third parties that students encounter on a daily basis.

FERPA should specify that students' information — including and especially when shared with "school officials" — should be used for educational purposes only and not be offered for sale or used for targeted advertising.

Lastly, it is critical that schools safeguard student information. FERPA does not require specific security controls. It should mandate administrative, physical, and technical safeguards, including training for individuals handling student information and prompt responses to data breaches. Schools need funding to better understand cybersecurity issues, as well as to build out necessary infrastructure to collaborate and coordinate cybersecurity efforts. Ideally, Congress would add new cybersecurity funding for schools, because many lack the financial means to implement adequate safeguards.

FERPA was passed 50 years ago in response to rising concerns about new technology. Technology has continued to evolve, and so must FERPA.

This story first appeared at The 74, a nonprofit news site covering education.

Ariel Fox Johnson

Ariel Fox Johnson is a senior advisor for data privacy to Common Sense Media. Ariel was formerly senior counsel for global policy at Common Sense, and has extensive experience in educational and children's privacy and emerging U.S. consumer laws. She has helped shape policy and legislative debates around privacy and children's digital well-being, briefing policymakers, industry, and community leaders on data privacy and platform questions. She has testified before the U.S. Senate, the U.S. House of Representatives, and state legislatures across the country on how technology can be designed to better protect individuals.

Ariel is the founder of Digital Smarts Law & Policy LLC and an adjunct professor of privacy law at Cleveland State University's College of Law. She has also worked in-house for Zoom and at multinational law firms, advising on global privacy and online safety laws. Ariel is a graduate of Harvard College and Harvard Law School.