There are several laws that dictate how schools and teachers handle student data.
Federal
FERPA :: The Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (“FERPA”) (20 U.S.C. § 1232g; 34 C.F.R. Part 99) is a Federal law that protects the privacy of student education records. The law applies to all entities that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.” Parents or eligible students have the right to inspect and review the student’s education records maintained by the school. Parents or eligible students also have the right to request that a school correct records which they believe to be inaccurate or misleading.
COPPA :: The Children's Online Privacy Protection Act
The Children’s Online Privacy Protection Act (“COPPA”) is a federal law governed by the Federal Trade Commission (“FTC”) that controls what information may be collected from children under the age of 13 by companies operating websites and mobile applications. (15 U.S.C. § 6501, et seq.) COPPA requires companies to post a clear privacy policy on their website or mobile application, provide notice to parents, and obtain parental consent before collecting personal information from children under the age of 13. Under COPPA, school districts are authorized to provide consent on behalf of parents and may approve a student’s use of an educational program. An LEA’s ability to consent on a parent’s behalf is strictly limited to the educational context. That is, an LEA may only consent on the parent’s behalf if the personal information collected is used strictly for educational purposes and not for any commercial purpose. Additionally, the FTC recommends that an LEA provide notice on its website identifying all of the websites and applications for which the LEA has provided consent on a student’s behalf.
CIPA :: The Children's Internet Protection Act
The Children’s Internet Protection Act (“CIPA”) is a federal law enacted to address concerns regarding children’s access to obscene or harmful content over the Internet. CIPA imposes requirements on LEAs that receive discounts for Internet access or internal connections through the federal E-rate program. In order to receive E-rate funding, LEAs must certify that they have in place an Internet safety policy that includes certain technology protection measures.
California
SOPIPA :: Student Online Personal Information Protection Act (SB 1177)
California Business and Professions Code section 22584, also known as the Student Online Personal Information Protection Act (“SOPIPA”), takes effect on January 1, 2016 and sets forth privacy laws for operators of websites, online services, and applications that are marketed and used for K-12 school purposes, even if those operators do not contract with educational agencies. While primary responsibility for compliance with SOPIPA lies with website operators, LEAs should proceed with reasonable due diligence when evaluating technology service providers, especially providers based outside of California, to ensure their policies and procedures comply with SOPIPA.
AB 1584 :: California Student Privacy Protection
Technology services agreements entered into, amended, or renewed by a California LEA on or after January 1, 2015 must follow specific requirements. These requirements apply to contracts for services that utilize electronic technology, including cloud-based services, for the digital storage, management and retrieval of pupil records, as well as educational software that authorizes a third-party provider to access, store and use pupil records.
Collection of Student Information from Social Media :: California Education Code § 49073.6
California Education Code section 49073.6 requires that LEAs considering “a program to gather or maintain in its records any pupil information obtained from social media” first notify pupils and their parents or guardians about the proposed program, and then provide an opportunity for public comment at a regularly scheduled public meeting before adopting the program. “Social media” means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant messages, email, text messages, online services or accounts, or Internet website profiles or locations. For purposes of this law, “social media” does not mean an electronic service or account used exclusively for educational purposes or primarily to facilitate creation of school-sponsored publications, such as a yearbook or pupil newspaper, under the direction or control of a school, teacher, or yearbook adviser.