The private testing has started!

Blog Student privacy laws for US schools

Please, mind this article is being drafted or rewritten and may contain imperfections. It has not been yet reviewed for final publication.

The notion of what counts as "student data" has changed drastically in the last few years. While before student data referred mostly to the student's name, address, age, demographics, what course they've taken and their final grades, with the spread of inf...

The notion of what counts as "student data" has changed drastically in the last few years.

While before student data referred mostly to the student's name, address, age, demographics, what course they've taken and their final grades, with the spread of information technology, including computers and mobile devices and the students themselves generating huge amounts of data, school officials now must pay more attention to protecting student privacy.

What is Student Data?

What constitutes student data?

Student data is any Personally Identifiable Information (PII), such as name, age, address, email address, phone number, health records, etc. of the student or student's parents or guardians that is gathered and stored for the purpose of educational institution they attend.

For example, according to this infographic by Data Quality Campaign, we can group student data into 6 types:

  1. Student's demographics:
  2. Age
  3. Race
  4. Gender
  5. Economic Status
  6. Special Education Needs
  7. Student Actions:
  8. Class Attendance
  9. Program Participation
  10. Extracurricular Activities
  11. Behavior
  12. Testing Data:
  13. Quizzes
  14. Tests
  15. Interim Assessments
  16. Annual Assessments
  17. Academic Information:
  18. Growth
  19. Courses
  20. Enrollment
  21. Grades
  22. Completion
  23. Graduation
  24. By Teachers:
  25. Observation
  26. Engagement
  27. By Students:
  28. Homework
  29. Learning Apps

As you can see student data includes a plethora of personal information about the student and therefore, educators must know how to protect it.

This is why we've created this educator's guide to student privacy.

How Does the Federal Law Protect Student Data Privacy?

With schools increasingly adopting information technologies, lawmakers today have much more responsibility than ever before to safeguard student privacy.

This is accomplished through three federal laws: FERPA, COPPA and CIPA. You can learn more about FERPA at Protecting Student Privacy, which is a website maintained by the U.S. Department of Education.

Family Educational Rights and Privacy Act (FERPA)

Family Educational Rights and Privacy Act or FERPA is a federal law that grants parents certain rights to student records. Once the student reaches the eligible age (18) or they attend a school above high school level, those rights pass on to them.

What records fall under FERPA?

Student education records are all records that pertain to the student directly and are maintained and collected by the school or educational agency.

Who can access student education records?

Apart from the school itself, student data can be disclosed without acquiring the written consent from either the eligible student or their parents or guardians in the following cases:

  • A court order or subpoena
  • When requested by accrediting organizations
  • When it is requested for evaluation purposes, audit or financial aid
  • When requested by another school that the student wishes to transfer to
  • When requested by school officials with educational interest
  • In case of safety and health emergencies

Responsibilities of schools under FERPA

  • An eligible student or their parents must be informed by the school of their rights under FERPA each year (until the student attends that school, that is)
  • Eligible students or parents must also be informed by the school of any directory information and be given enough time to request that their directory information is not disclosed

Children's Online Privacy Protection Act (COPPA)

What is COPPA?

The Children's Online Privacy Protection Act or COPPA does not directly deal with student privacy rights, but instead regulates how companies operating websites can collect personal information from children under 13 years of age

What are the school's responsibilities under COPPA?

  • The school must carefully examine and vet any online services, including mobile applications and websites, with which they intend to share student data and share this information with the parents, including the website name, address, privacy practices, etc.
  • In addition, if the website or app is solely used for educational and not commercial purpose, the school can stand in the parent's stead for consent

Children's Internet Protection Act (CIPA)

What is CIPA?

The Children's Internet Protection Act or CIPA is a federal law that requires K-12 schools to use web filters and other measures to protect students from harmful content on the Internet.

What are the responsibilities of the school under CIPA?

  • Under CIPA, an educational institution must have a plan to monitor student online activities according to the Federal Trade Commission's (FTC) Protection Children in the 21st Century Act
  • The school must also educate students on how to act online and
  • Provide evidence that they have an Internet safety policy

Here is what you can (reasonably) expect from email privacy laws in general.

Best Practices to Protect Student's Personal Information

An educational institution, such as a school, must follow certain rules and laws in order to process student data and protect student privacy.

These must be observed by everyone in the school system and include:

How is student data lawfully processed?

Schools must define the legal ground on which they can process individual students data. There are six such lawful bases:

  1. Consent
  2. Contract
  3. Legal obligation
  4. Protection of vital interest
  5. Public task
  6. Legitimate interest

if the school looks to use student data for anything beyond a task in the public interest, or a specified educational purpose they need to obtain parental consent


School or school districts are required to notify parents in advance when disclosing the student's personal information to anyone outside that school or district, including persons, companies or organizations.

Parent and student rights

Vendors or other third-parties cannot re-disclose student data without parental notification and consent or from students above 18 years of age

Student data privacy and security protections

Student private data must be encrypted at rest and in transit with encryption, including any passwords. All appropriate parties that have access and deal with student records must also go through appropriate training regarding this

Student data cannot be used for commercial purposes

Finally, student data cannot be used, shared or sold in any way for commercial purposes and the school must not allow advertising on the instructional software that it assigned to its students


As you can see, as the notion of data privacy has evolved in the last few years, educational institutions have a much bigger responsibility today to protect student privacy rights than ever before.

We hope this short guide will help schools and educators safeguard their student data privacy a little better.

Ready to join Liverado? Start your free 14-day trial today.