New US Dept of Ed Finding: Schools Cannot Require Parents or Students to Waive Their FERPA Rights Through Ed Tech Company’s Terms of Service

By Lindsey Barrett and Amelia Vance

Policymakers, parents, and privacy advocates have long asked whether FERPA is up to the task of protecting student privacy in the 21^st century. A just-released letter regarding the Agora Cyber Charter School might signal that a FERPA compliance crack-down – frequently mentioned as their next step after providing extensive guidance by the U.S. Department of Education (USED) employees at conferences throughout 2017 – has begun. The Agora letter provides crucial guidance to schools – both K-12 and Higher Ed – and ed tech companies about how USED interprets FERPA’s requirements regarding parental consent and ed tech products’ terms of service, and it may predict USED’s enforcement priorities going forward.

FERPA compliance can be complicated; the statute was first passed in 1974 and has been occasionally updated to add additional protections and exceptions, some of which include ambiguous language. USED’s Privacy Technical Assistance Center (PTAC) – a program that has received  nearly universal praise from state and local officials over the past four years – has spent significant time and effort providing practical guidance, training, and resources for state and local education agencies to clarify FERPA’s requirements for the use of ed tech products.

The Agora letter, issued by the FERPA family policy compliance office in USED, clarifies the Department’s position regarding several key issues. It is sure to attract the attention of schools and ed tech providers seeking to better understand the interaction of FERPA, school requirements regarding technology in the classroom, and the data use policies and practices of ed tech providers. Moreover, this finding letter may signal increased interest by USED in investigating and sanctioning practices that are inconsistent with FERPA.

“A parent or eligible student cannot be required to waive the rights and protections accorded under FERPA as a condition of acceptance into an educational institution or receipt of educational training or services.”

USED investigated two allegations made by a parent of a student in Agora Cyber Charter School, an online public charter K-12 school based in Pennsylvania.  The first allegation is based on a long-established FERPA principle that “a parent or eligible student cannot be required to waive the rights and protections accorded under FERPA as a condition of acceptance into an educational institution or receipt of educational training or services.”

In 2012, an Agora parent complained that the school forced her to accept the terms and conditions of its third-party online learning platforms in order to enroll her child at Agora.  Agora’s learning platform, K12 Inc., had a “Terms of Use” policy that stated:

by posting or submitting Member Content to this Site, you grant K12 and its affiliates and licensees the right to use, reproduce, display, perform, adapt, modify, distribute, have distributed, and promote the content in any form, anywhere and for any purpose.

“Member content” was defined as information the child posted on certain areas of the site, registration data, and other forms of student personally identifiable information (PII).

According to USED, the Terms of Use allowed “near universal use and distribution by K12 and various third party affiliates and licensees of information that could have constituted her child’s PII from education records,” an outcome that constituted an unlawful “forfeiture of [the parent’s] rights under FERPA to protect against the unauthorized disclosure of PII from her child’s education records.” Because the Terms of Use would have allowed K12 to freely re-disclose FERPA-protected information without consent (including, as stated in the letter, to “future employers of the student”), the Terms of Use constituted a waiver of FERPA rights. And because the child could not enroll at Agora without the parent agreeing to the Terms of Use, USED found that Agora violated FERPA.

Requiring the parent to accept the K12 Inc. Terms of Use when she signed up her child for the school constituted a forced waiver of parental rights under FERPA.

Agora noted that, as a charter school, parents were free to enroll their children elsewhere.  Further, Agora argued that parents’ choice to enroll their children at Agora meant that acceptance of the K12 Terms of Use was not truly “forced.” USED rejected this logic, concluding that requiring the parent to accept the K12 Inc. Terms of Use when she signed up her child for the school constituted a forced waiver of parental rights under FERPA.

USED also investigated a parental allegation that Agora violated the requirements of FERPA’s school official exception. This exception allows schools to disclose PII from students’ educational records without parental consent subject to certain requirements: among others, the school must:

• maintain “direct control” over third parties with respect to the use and maintenance of the child’s PII; and
• ensure that the third party only uses that PII for the purposes for which the school made the disclosure.

The parent alleged that, since K12’s Terms of Use allowed such liberal sharing of student personal information, the school was not in compliance with FERPA.

USED found that the school had not violated FERPA’s school official requirements in 2012, but indicated that schools and ed tech providers must proceed with greater caution in 2018. USED stated that when the complaint was filed, USED had not yet released guidance regarding how schools should establish direct control over third parties and ensure the limited use of personal information under FERPA’s school official exception. Such guidance was issued in 2014 and 2015; USED is likely to hold schools to a higher standard today, in light of its conclusion that the guidance documents:

provide substantial clarity to the education community on best practices for effectively establishing direct control over the use and maintenance of education records and the PII from such education records by third parties acting as school officials with legitimate educational interests in the online educational service context.

The Agora letter has a number of implications for stakeholders.  While USED exerts meaningful influence over schools and industry through advisory letters, policy guidance, and other “soft law” measures that shape behavior, this is the first time that the agency has issued a finding letter that directly finds fault with the policies and practices of an ed tech company.

When a school requires that an ed tech service be used as a condition of enrollment, that service must either comply with FERPA’s school official exception requirements or parents must be given the right to opt out of its use.

In the wake of the Agora letter, schools should carefully review their parental consent policies, and more importantly, the content of the privacy policies and terms of service of their ed tech partners. When a school requires that an ed tech service be used as a condition of enrollment, that service must either comply with FERPA’s school official exception requirements or parents must be given the right to opt out of its use. Previous guidance from USED has also noted that schools disclosing student data to ed tech companies or other third parties “considered to have a legitimate educational interest, [the school] must include in the annual notification of FERPA rights the criteria for determining who constitutes a ‘school official’ and the criteria for what constitutes a ‘legitimate educational interest.’”

Ed tech companies should review their privacy policies and terms of service (pro tip: we’ll help you do that for free if you apply to join the Student Privacy Pledge!) and ensure that terms governing school-required services do not contain language similar to the broad language in the K12 Terms of Use.

Both schools and companies should thoughtfully review and adhere to the USED guidance referred to in the Agora letter, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, and Protecting Student Privacy While Using Online Educational Services: Model Terms of Service.

Most importantly, the key stakeholders protected here are the parents and student themselves. FERPA was written to provide express controls for parents over their child’s educational record, and this letter shows that while the technology may change, the underlying right is sound and strong.

Certain issues raised by the Agora letter may have murkier implications. This letter makes it clear that, when schools require students to use ed tech services, those services can only be used under FERPA’s school official exception. How this may play out in schools is difficult to predict: there are some ed tech services, required by schools, which are offered directly to students, and so it is common practice for parents or eligible students to be directed to sign up for an account that requires them to agree to a Terms of Service that may not align with FERPA’s requirements. This finding letter may encourage more ed tech companies to allow schools to sign students up for the product directly, or schools may even begin to require independent contracts or clauses in company Terms of Service that align with FERPA’s school official requirements.

A parent cannot be directed to consent to an account for their child with insufficient privacy or TOS terms as a workaround to the standards required if the school was directly contracting with the provider.

The underlying issue of the letter – that schools retain the responsibility to ensure any mandatory ed tech product is used only in compliance with FERPA protections – extends beyond the particular example of Agora. In many cases, schools may direct parents to directly download, sign up for, or otherwise enroll their child in a particular platform, educational product, or online service, without the school operating as an intermediary. As this letter makes clear, however, even when the school doesn’t directly own or manage the student account, any ed tech use mandated as part of the student’s educational process must comply with FERPA under the school official exception. A parent cannot be directed to consent to an account for their child with insufficient privacy or TOS terms as a workaround to the standards required if the school was directly contracting with the provider.

This letter may also encourage more enforcement actions from states. While 124 new student privacy laws have passed in 40 states since 2013, no enforcement actions have been brought yet under any of those laws. Now that states have this findings letter from USED, they might look for similar Terms of Service language in ed tech products used in their states to bring an enforcement action.

The USED letter to Agora makes clear that the stakes are high.  While financial penalties against schools are rare – USED is required to attempt to bring schools into compliance with FERPA before withholding federal funding – the Department has other enforcement options, including the imposition of a five-year ban on data transfers from an offending school to the ed tech provider.