The Case for Making EdTech Companies Liable Under FERPA
Lavanya Sathyamurthy / Nov 11, 2025
Schools now depend on an average of 2,591 edtech tools in a single school year, according to one estimate. These tools can track private conversations between teachers and families and store comprehensive academic and personal records. Yet many companies do not clearly disclose how they collect and use student information. According to one nonprofit, 96% of apps used in schools share student data, such as email addresses and birth dates, with third parties, such as advertising entities. This often occurs without parental or student consent and, therefore, is likely in violation of the Family Educational Rights and Privacy Act (FERPA).
FERPA is a federal law that requires educational institutions that receive federal funding, as well as third parties with whom they share student data, to protect the privacy of student educational records. Institutions must obtain consent from either the parent or student, if the student is 18 or older, prior to releasing these records and maintain reasonable measures to keep education records secure, such as by utilizing password-protected portals and overseeing third parties’ use of data.
The Department of Education is solely responsible for enforcing various federal education regulations, including FERPA. Given the Department of Education’s impending closure and the increasing use of student data by educational technology vendors, Congress should amend FERPA to hold these vendors, rather than the schools, directly responsible for vendor compliance.
On March 20, President Donald Trump issued an executive order directing the secretary of education to “take all necessary steps to facilitate the closure of the Department of Education.” Normally, students and parents can file FERPA complaints with the department, which will investigate and discipline the educational institution if necessary, including by withdrawing federal funding. This is the only recourse for FERPA violations. In Gonzaga University v. Doe, the Supreme Court held that a student may not directly sue a school to enforce FERPA.
The closure of the Department of Education would effectively terminate FERPA enforcement, which could be exploited by third parties that use student data.
For example, educational technology (EdTech) vendors, which provide services such as grade tracking and online homework, collect and process a wide variety of student data, from test scores to disciplinary records. Under FERPA, educational institutions are fully responsible for ensuring that third-party vendors follow the law. Therefore, schools often include FERPA compliance requirements in their contracts with EdTech vendors, although this provision is not systematic across all institutions. If FERPA is no longer enforced by the Department of Education, schools do not have to mandate compliance from these companies.
Although schools may require that EdTech companies obtain parental or student consent before disclosing student data and pursue private enforcement for breach of contract, they often do not. Fewer than 25% of agreements between schools and vendors specify the purpose of data disclosures. Without Department of Education enforcement, vendors can potentially freely buy, sell, share and otherwise process the data of millions of students. Because FERPA was passed 50 years ago, decades before the invention of Google or artificial intelligence, the regulation did not account for how the use of technology poses a threat to student privacy.
EdTech vendors often fit within the “school official” exception in FERPA, which allows schools to disclose student data to “school officials … who have been determined by such [an] agency or institution to have legitimate educational interests.” In 1974, when FERPA was passed, this exception was used to share student data internally with teachers and school staff. However, in 2008, the Department of Education amended FERPA to extend the term “school official” to all third parties that meet the following criteria: 1) performs an institutional service or function for which the school would otherwise use its own employees; 2) is under the “direct control” of the school; 3) uses the student’s personally identifiable information for only educational purposes; and 4) provides the annual notice to parents of this sharing.
However, schools cannot exercise “direct control” over educational technology vendors. For one, remote data collection is multifaceted and, therefore, difficult to monitor. Not only do these companies collect data directly from students, such as names and contact information, but some platforms also track eye movements to measure student attentiveness. Eye movements are a form of biometric data, which identifies individuals based on physical characteristics. Biometric data is a subset of personally identifiable information, protected under FERPA.
Also, these vendors generally present schools with non-negotiable contracts that enable them to freely use and disclose student data to third parties. Smaller, under-resourced schools often do not know the security measures that vendors must employ to comply with FERPA. For example, the platform Summit Learning reportedly disclosed student data, such as race and disability information, to 19 other corporations without informing the students or parents at its partner schools, demonstrating the fallacy of “direct control.” Yet the company shielded itself from legal action through its terms of service.
The lack of school oversight over vendors is even more concerning, considering that EdTech’s use of student data disproportionately harms students of color.
For example, schools have increasingly used technology to monitor campus safety in response to the rise in gun violence. Ellucian, an educational technology vendor, offers facial recognition technology to track attendance and ensure campus safety. Cameras are installed in the classroom to capture images of the students entering the room, and the technology then uses facial recognition algorithms to fixate on unique facial features and compare these features with a pre-existing database that lists all students. If the system is able to match the face with a student in the database, the student is marked present. If there is no match for the face, the system alerts school personnel to potentially dangerous intruders.
However, facial recognition technology is more likely to misidentify students of color. For example, the ACLU of Northern California loaded Amazon’s Rekognition facial recognition system with photos of members of Congress and ran comparisons to images from a mugshot database. The system produced a whopping 28 false matches. Moreover, 40% of the false matches were of people of color, who only made up 20% of Congress at the time.
The use of facial surveillance in schools could exacerbate racial inequities in school discipline. More than 40% of students in schools that employ this technology have been contacted by law enforcement due to behaviors flagged by the system. This exacerbates existing racial inequities, as Black students are already 2.2 times more likely to receive a referral to law enforcement than White students. In June, the National Institute of Standards and Technology, part of the Department of Commerce, issued a report finding that facial recognition systems are still more likely to misidentify people of color.
Because of this racialized impact, some states like New York have passed laws banning schools from using biometric surveillance. Yet the New York Civil Liberties Union found that many school districts, such as Lockport City School District, were still using facial recognition technology seemingly in violation of the law. The SN Technologies system used by the Lockport City School District misidentified Black men four times more often than White men, and Black women 16 times more often. In June 2020, the Civil Liberties Union sued the New York State Education Department for its approval of Lockport’s technology usage. One month later, the lawsuit was dismissed, because the New York state legislature passed a bill banning the use of biometric identification in schools until 2022. However, that ban is no longer in place and the threat of technology misuse still remains.
Because it is unreasonable for schools to exercise direct control over EdTech vendors, Congress should modify FERPA to make the vendors, rather than the schools, responsible for ensuring vendor compliance under the law.
For example, the regulations specify that students’ personally identifiable information cannot be disclosed without consent. Vendors should face sanctions for requiring that students waive this right to nondisclosure to use their platforms, including fines and injunctions prohibiting them from serving schools. The learning platform K12, which had partnered with many schools, reportedly had the following mandatory terms of use policy in 2012: “by posting or submitting Member Content to this Site, you grant K12 and its affiliates and licensees the right to use, reproduce, display, perform, adapt, modify, distribute, and promote the content in any form, anywhere and for any purpose.”
Member content was defined broadly as any information children posted on certain areas of the site, including personally identifiable information. Parents and students had to agree to these terms, authorizing disclosure of personally identifiable information, in order to enroll at schools that employ this platform. The schools are requiring students to use this service and not negotiating the terms of service to comply with FERPA. This broad contractual provision should be a clear violation of FERPA, which requires that consent be signed and dated, specify the records that may be disclosed, state the purpose of the disclosure and identify the party or class of parties to whom the disclosure may be made. FERPA’s lack of applicability to vendors has left a glaring enforcement gap.
An amendment to FERPA, which shifts responsibility for vendor compliance from schools to the vendors themselves, is necessary to prevent EdTech vendors from bypassing the regulation, exploiting student data and exacerbating the disproportionate harms faced by students of color.
