In one of the first decisions of its kind, the Family Policy Compliance Office (FPCO), which enforces FERPA, published a decision in January 2018 that addressed schools’ obligations under FERPA when contracting with third-party vendors for online educational services or apps. The decision involved the Agora Cyber Charter School in Pennsylvania and was prompted by the complaint of a parent back in 2012. As part of the enrollment process, the school required parents to agree to the Terms of Use and Privacy Policy of certain online educational technology (“edtech”) providers so the students could participate in online classes. However, at least one of the providers’ Terms of Use essentially allowed the provider to use any student data shared with it however and with whomever it so chose (i.e., “to use, reproduce, display, perform, adapt, modify, distribute, have distributed, and promote the [student data] in any form, anywhere and for any purpose…”).
The FPCO decided two issues, finding against the school on one and for the school on the other. First, the FPCO reiterated its long-held position that a school cannot require a parent (or student) to waive his/her FERPA rights and protections as a condition of receiving educational services. Not surprisingly, given the contract language quoted above, the FPCO found the edtech provider’s Terms of Use were not FERPA-compliant, in that they allowed for the unauthorized disclosure of personal student data to other third parties. That alone was not enough to rule against the school, however, as the school could have allowed parents to affirmatively consent to such a waiver of FERPA rights. In defending the complaint, the school tried to make this argument. But the FPCO concluded that, by requiring this parental waiver as a pre-requisite to enroll in the school, the school effectively forced parents to waive their rights. Therefore, the waiver was invalid and the school in violation of FERPA.
The second issue was whether the school was permitted to share student data with the edtech provider under the “school official” exception of FERPA. This approach avoids the necessity of parents having to affirmatively consent to a schools use of edtech apps and services and therefore has been the approach that is used in most edtech provider contracts. For the edtech provider to qualify as a school official with a legitimate educational interest in the student data, specific criteria must be met. The FPCO sided with the Agora School that this approach is permissible under FERPA, but it cautioned that schools should carefully review the contractual terms with those providers before doing so. The FPCO recommended that schools use its Model Terms of Service document as a guide for vetting edtech contracts.