The Continuous Evolution of Student Privacy Laws

Learn how the work of third-party vendors who farm student data affected student privacy protection laws, and why EdTech should always be privacy-first.

September 6, 2018

In the United States, laws like the Family Educational Rights and Privacy Act seek to protect students' privacy against third-party entities that look to farm their data and profit from it. Even though these regulations exist and continue to evolve, software vendors need to take on their role as protectors.


FERPA, the core national legislation

The Family Educational Rights and Privacy Act (FERPA) provides a national policy for protecting the privacy of students’ educational records. Enacted in 1974, FERPA applies to all schools – including K-12, colleges, and universities – if they receive funding from the U.S. Department of Education.


FERPA grants parents access to their children’s school records, the right to have that data changed, and some control over the sharing of their children’s data. Once a student turns 18, FERPA transfers these privacy rights to the student.

However, FERPA's reach is neither vast nor up to date. Plus, controversies like inBloom's case back in 2012 and Google's undisclosed data mining continue to appear. Thus, states and concerned organizations turned their efforts to local laws that further regulate and patch FERPA's flaws.

inBloom, the last straw for parents

While FERPA is America’s blanket student privacy law, almost every state has also enacted laws of its own. Most of these laws have appeared since 2012, in response to the Gates Foundation-sponsored initiative inBloom. This was a large student database designed to share student data in nine states with data-mining operations and third-party vendors without parental notification or consent.

By April 2014, all nine of the states that had agreed to partner with inBloom had publicly opted out of the program, and inBloom officially closed its doors. Realizing that the current law did little to protect their children’s data privacy, parents formed the advocacy group Parent Coalition for Student Privacy in July of that year. It continues to fight to defend the rights of parents to protect their children’s data.

[Figure: Privacy laws by state. After inBloom's scandal, most states started to continuously update their local privacy laws.]

Since 2014, this fight has intensified as the EdTech industry has crept deeper and deeper into the country’s educational systems. The public watchdog organization FERPA/Sherpa maintains an online map and accompanying grid of state-by-state student privacy laws. A visit can help zero in on the key issues surrounding student data privacy.

California and Connecticut's student privacy laws

Let’s take a look at Connecticut and California to better understand how student data protection laws work.

Connecticut recently enacted Public Act 18-125: An Act Concerning Revisions to the Student Privacy Act, which updates a 2016 student privacy law. This edition provided student data protection policies for websites, online services, and mobile apps as well as educational consultants dealing with school districts.

As of July 1, 2018, boards of education must have written contracts with their contractors that include very explicit rules governing the sharing of student data. Among other provisions, the law also stipulates that boards of education maintain public websites that describe all of their student data privacy contracts.

Another state with a strict student privacy law is California. Passed in 2014 and in effect since January 2016, California's Student Online Personal Information Protection Act (SOPIPA) recognizes the increasing role of technology in education and seeks to protect students from being exploited by “operators”.

These range from educational websites, online services, and online applications to mobile applications; thus, the California law protects K-12 student information from any business that collects, stores or uses student data.

Prey's experience embracing this legislation

Businesses that do side deals with student data are probably going to see these regulations as a barrier, but they should be taken as an opportunity to improve their services.

Transparency and flexibility are two key concepts software vendors must embrace to ensure the peace of mind of both schools and parents regarding their students’ privacy.

As the law requires, vendors have to offer business models that specify the end game for all data collected. It's an understandable step that, in an era of declining privacy, is much needed to rebuild trust and ensure people exercise their rights over their personal data properly.

At Prey, we have strong ties with schools, whose device fleets we help secure, and we have learned several lessons along the way. Here are a few tips on how to provide peace of mind to both parents and IT managers at schools with your software.

• Opt-out Features: Our software allows school districts and parents to manage their students' data privacy. Depending upon state and local rules, IT staff can disable features like the Location History and pictures on Missing Device Evidence Reports to prioritize the endpoint user's privacy. What's more, if required, personal access can be provided for parents to administer the platform.

• Embracing Personal Rights: We stay abreast of regulatory changes and adapt and update our privacy policy to ensure that the privacy of all our customers is protected. In May 2018, the European Union enacted its General Data Protection Regulation (GDPR), which gives individuals power over their own data. As an international company with a large European customer base, Prey adopted GDPR and is fully compliant. Even if optional for US establishments, it's a comprehensive way of solving most concerns since it covers personal rights over data, transparency in data handling, storage, and delivery.

• Transparency in Code: As an open-source company, Prey publicly publishes its code for review. The repository displays our software's client code, and parents, schools, and third parties alike can rest assured that the solution does not contain any hidden capabilities that might infringe on student privacy.


Working with and for schools, aside from being an endeavor, is a matter of responsibility and respect. Nurture this partnership with trust and work together to build a safe tool for their educational environment.

Due to the nature and sensitivity of our product, we have always had a great focus on solving privacy concerns immediately. However, as inBloom's case proved, any third-party vendor can be the subject of privacy violations if not properly regulated. It's a matter that any software that interacts with a user's information in any way has to keep in mind and prioritize. The urgency to address and prevent incidents of school data breaches, like the ones seen in 2023, emphasizes the immediate need for heightened vigilance and proactive measures to safeguard student information.
