The Continuous Evolution of Student Privacy Laws

Learn how the work of third-party vendors who farm student data affected student privacy protection laws, and why EdTech should always be privacy-first.

September 6, 2018

In the United States, laws like the Family Educational Rights and Privacy Act seek to protect a student's privacy against third-party entities that look to farm student data and profit from it. Even though these regulations exist and continue to evolve, software vendors need to take on their role as protectors.


FERPA, the core national legislation

The Family Educational Rights and Privacy Act (FERPA) provides a national policy for protecting the privacy of students’ educational records. Enacted in 1974, FERPA applies to all schools – including K-12, colleges, and universities – if they receive funding from the U.S. Department of Education.


FERPA grants parents access to their children’s school records, the right to have that data changed, and some control over the sharing of their children’s data. Once a student turns 18, FERPA transfers these privacy rights to the student.

However, FERPA's reach is neither broad nor up to date. Plus, controversies like inBloom's case back in 2012 and Google's undisclosed data mining continue to appear. Thus, states and concerned organizations turned their efforts to local laws that further regulate and patch FERPA's flaws.

inBloom, the last straw for parents

While FERPA is America’s blanket student privacy law, almost every state has also enacted laws of its own. Most of these laws have appeared since 2012, in response to the Gates Foundation-sponsored initiative inBloom. This was a large student database designed to share student data in nine states with data-mining operations and third-party vendors without parental notification or consent.

By April 2014, all nine of the states that had agreed to partner with inBloom had publicly opted out of the program, and inBloom officially closed its doors. Realizing that the current law did little to protect their children’s data privacy, the advocacy group Parent Coalition for Student Privacy was formed in July of that year. It continues to fight to defend the rights of parents to protect their children’s data.

[Figure: Privacy laws by state. After inBloom's scandal, most states started to continuously update their local privacy laws.]

Since 2014, this fight has intensified as the EdTech industry has crept deeper and deeper into the country’s educational systems. The public watchdog organization FERPA/Sherpa maintains an online map and accompanying grid of state-by-state student privacy laws. A visit can help zero in on the key issues surrounding student data privacy.

California and Connecticut's student privacy laws

Let’s take a look at Connecticut and California to better understand how student data protection laws work.

Connecticut recently enacted Public Act 18-125: An Act Concerning Revisions to the Student Privacy Act, which updates a 2016 student privacy law. This edition provided student data protection policies for websites, online services, and mobile apps as well as educational consultants dealing with school districts.

As of July 1, 2018, boards of education must have written contracts with their contractors that include very explicit rules governing the sharing of student data. Among other provisions, the law also stipulates that boards of education maintain public websites that describe all of their student data privacy contracts.

Another state with a strict student privacy law is California. Passed in 2014 and in effect since January 2016, California's Student Online Personal Information Protection Act (SOPIPA) recognizes the increasing role of technology in education and seeks to protect students from being exploited by “operators”.

These range from educational websites and online services to online and mobile applications; thus, the California law protects K-12 student information from any business that collects, stores or uses student data.

Prey's experience embracing this legislation

Businesses that do side deals with student data are probably going to see these regulations as a barrier, but they should be taken as an opportunity to improve their services.

Transparency and flexibility are two key concepts software vendors must embrace to ensure the peace of mind of both schools and parents regarding their students’ privacy.

As the law requires, vendors have to offer business models that specify the end game for all data collected. It's an understandable step that, in this era of the demise of privacy, is much needed to rebuild trust and ensure people exercise their rights over their personal data properly.

At Prey, we have strong ties with schools, whom we help secure their device fleets, and we have learned several lessons along the way. Here are a few tips on how to provide peace of mind to both parents and IT managers at schools with your software.

• Opt-out Features: Our software allows school districts and parents to manage their students' data privacy. Depending upon state and local rules, IT staff can disable features like the Location History and pictures on Missing Device Evidence Reports to prioritize the endpoint user's privacy. What's more, if required, individual access can be provided for parents to administer the platform.

• Embracing Personal Rights: We stay abreast of regulatory changes and adapt and update our privacy policy to ensure that the privacy of all our customers is protected. In May 2018, the European Union enacted its General Data Protection Regulation (GDPR), which gives individuals power over their own data. As an international company with a large European customer base, Prey adopted GDPR and is fully compliant. Even if optional for US establishments, it's a comprehensive way of solving most concerns since it covers personal rights over data, transparency in data handling, storage, and delivery.

• Transparency in Code: As an open-source company, Prey publicly publishes its code for review. The repository displays our software's client code, and parents, schools, and third parties can rest assured that the solution does not contain any hidden capabilities that might infringe on student privacy.


Working with and for schools, aside from being an endeavor, is a matter of responsibility and respect. Nurture this partnership with trust and work together to build a safe tool for their educational environment.

Due to the nature and sensitivity of our product, we have always had a great focus on solving privacy concerns immediately. However, as inBloom's case proved, any third-party vendor can be the subject of privacy violations if not properly regulated. It's a matter that any software that interacts with a user's information in any way has to keep in mind and prioritize.
