Tooling

Privacy & FERPA / GDPR / COPPA Compliance

Student-data privacy frameworks, evaluation tools, and DPA templates.

Education has the strictest data-privacy regime of any sector — student records are protected by FERPA (US), COPPA (US, kids under 13), GDPR (EU), and a patchwork of state laws (NY Ed Law 2-d, Illinois SOPPA, California SOPIPA, etc.). Pair this page with AI tutors — every district piloting LLMs needs a DPA — and SOC 2 / compliance.

US frameworks (you must know)

  • FERPA (Family Educational Rights and Privacy Act, 1974) — federal; controls access to education records; requires parental consent for non-directory disclosure for minors; rights transfer to student at 18 / college enrolment.
  • COPPA (Children's Online Privacy Protection Act) — federal; applies to commercial services knowingly directed at or used by children under 13; verifiable parental consent + minimal-data.
  • CIPA (Children's Internet Protection Act) — federal; ties E-Rate funding to internet filtering and education on appropriate use.
  • PPRA (Protection of Pupil Rights Amendment) — federal; surveys + protected information.
  • State laws — NY Ed Law §2-d, Illinois SOPPA, California SOPIPA, Colorado HB 16-1423, etc. Each requires DPA-shape contracts with vendors. Student Data Privacy Consortium (SDPC) has a national DPA template that 30+ states use.

EU / international

  • GDPR — broadly the world's strictest framework; school-data-specific guidance from each national DPA.
  • UK Data Protection Act 2018 — GDPR-aligned post-Brexit; ICO has school-specific guidance.
  • Privacy Act (Australia), PIPEDA (Canada), APPI (Japan), PIPL (China) — regional.

Evaluation / scorecard tools

  • Common Sense Privacy Program — free; non-profit; evaluates 1,000+ ed-tech apps with privacy ratings; the de-facto US K-12 reference.
  • Internet Safety Labs (ISL) — non-profit; school-app privacy reports.
  • Student Data Privacy Consortium (SDPC) National DPA — free template + registry; check whether a vendor has signed.
  • Privacy Evaluation Initiative (PEI) — older but archived.
  • iKeepSafe Privacy Badges — paid; vendor self-certification.

DPA / contract templates

  • SDPC National DPA — free; the template used by most US states.
  • CoSN Trusted Learning Environment — paid + free resources; district self-assessment.
  • CASB (Cloud Access Security Broker) — Netskope, Cisco Cloudlock, Microsoft Defender for Cloud Apps — paid tools to monitor what data flows to cloud apps.

Authentication / access control

  • Clever / ClassLink — see SIS; the rostering
    • SSO layer that limits how much data each app gets.
  • OneRoster API — open; minimal-data rostering.
  • Google Workspace for Education + Microsoft 365 Education — both have admin tools for consent / data-residency / age-appropriate-design controls.

Web filtering / safety (paid)

  • Lightspeed Systems — paid; filtering + monitoring; controversial for surveillance scope.
  • GoGuardian — paid; same shape; criticised for behavioural-monitoring scope.
  • Securly — paid; alternative.
  • Bark for Schools — paid; alerts for self-harm / threats.
  • ⚠ Honest caveat: monitoring tools have flagged LGBTQ+ keywords, mental-health language, and political speech in ways that may harm rather than help students. Configure carefully and involve students.

OSS / privacy-respecting

Accessibility (linked but distinct)

  • WCAG 2.2 — accessibility standard.
  • Section 508 (US federal), EN 301 549 (EU), AODA (Ontario).
  • VPAT (Voluntary Product Accessibility Template) — vendor self-disclosure; ask for it.

Patterns to adopt

  • Sign DPAs before deploying — use SDPC if your state allows it.
  • Minimise data shared — rostering layers (Clever / ClassLink) limit per-app exposure.
  • Annual privacy audit — what apps are in use, what data flows out, who has DPAs.
  • Train teachers — the largest data-leak source is well-meaning teachers signing up for free apps without district approval.
  • Publish a vendor list — parents have a right to know.
  • Plan for AI — every LLM-tool deployment needs a DPA, opt-out, and student-prompt-data retention policy.

Pick this if…

  • Quick app-evaluation: Common Sense Privacy.
  • DPA template: SDPC National DPA.
  • District infra audit: CoSN TLE.
  • Privacy-respecting Workspace alternative: Nextcloud + OnlyOffice / Collabora.
  • Privacy-respecting AI tutor: self-host Ollama + Open WebUI; document the DPA.

On this page