With each year, technology plays a more significant role in schools and classrooms.  For example, most school districts use a web-based student information system to manage student data and share that data with parents and school staff.   In addition, if a school district provides a 1:1 device to students, such as an iPad or Chromebook, the school district will often preinstall certain apps on the device that have been approved and purchased by the school district.  Many teachers are also encouraging students to download free apps on their district-issued or personal device for use in the classroom, without first seeking approval from the school district or reviewing the Terms of Use Agreements.

Incorporating the use of apps or other technology in the classroom may trigger a number of legal issues and requirements under various state and federal laws, such as Wisconsin’s Pupil Records Law and the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and the Protection of Pupil Rights Amendment (PPRA).

1. Wisconsin’s Pupil Records Law and FERPA both prohibit the disclosure of personally identifiable information from student records without the consent of a parent or adult student, with certain limited exceptions.
2. The PPRA is a federal law that applies in a certain situations, including when a student’s personal information (e.g., name or address) is collected or used for marketing purposes. With certain limited exceptions, the PPRA requires notice and an opportunity to opt students out of activities involving the collection, disclosure, or use of personal information that has been collected from students for the purposes of marketing or selling that information (or otherwise providing that information to others for that purpose).
3. COPPA is a federal law which imposes parental notice and consent requirements regarding what information may be collected, used, or disclosed by commercial “operators” of websites, apps, and other online services that are directed to children (defined as individuals under the age of 13) or any “operator” that has actual knowledge that it is collecting or maintaining personal information from a child under the age of 13.

School Found in Violation of FERPA for Conditioning Educational Services on Agreeing to Online Tech Provider’s Terms of Use Agreement

The Department of Education’s Family Policy Compliance Office (FPCO), the agency responsible for enforcing FERPA, recently issued a complaint decision which reinforces the importance of ensuring that a vendor’s Terms of Use Agreement is consistent with FERPA.

The complaint involved a virtual charter school and alleged that as a condition of enrolling children in the school and receiving educational services (e.g., access to live classes and other resources), parents were required to agree to an online tech provider’s Terms of Use Agreement which violated FERPA.  The Terms of Use Agreement at issue allowed the contractor and its affiliates to disclose personally identifiable student records to any third party, to be used for any purpose and re-disclosed without limitation.

The FPCO found that requiring parents to agree to such terms and conditions was tantamount to requiring parents to waive their rights under FERPA.  The FPCO further found that by requiring parents to waive their rights under FERPA as a condition of enrollment and receipt of services, the school violated FERPA.

Recommendations

To help prevent violations of FERPA, COPPA, and the PPRA, we recommend that:

1. Board Policies or Administrative Guidelines be adopted which prohibit staff members from installing apps on student devices or using a web-based student information system without the advance approval of the district. The Policies or Guidelines should also include procedures for requesting and granting district approval.
2. The Terms of Use Agreements and/or Privacy Policies be reviewed as part of the review/approval process above. The Agreements should, at a minimum, be reviewed for the following items:
   1. The type of information collected by the service provider and whether it includes any personally identifiable information;
   2. How the service provider uses, or is permitted to use, the information it collects;
   3. To whom the service provider may disclose personal information and under what circumstances it will potentially disclose personal information;
   4. Whether the service provider will give the District or the person whose information is being disclosed any advanced notice prior to disclosure; and
   5. The District’s obligations regarding parental consent.
3. Notice and an opportunity to opt out be provided to parents, as required by law.

If you have any questions about this Legal Update or your school’s compliance with the above laws, please contact Alana Leffler at 262-364-0267 or aleffler@buelowvetter.com, or your Buelow Vetter attorney.