Privacy & FERPA / GDPR / COPPA Compliance
Student-data privacy frameworks, evaluation tools, and DPA templates.
Education has the strictest data-privacy regime of any sector — student records are protected by FERPA (US), COPPA (US, kids under 13), GDPR (EU), and a patchwork of state laws (NY Ed Law 2-d, Illinois SOPPA, California SOPIPA, etc.). Pair this page with AI tutors — every district piloting LLMs needs a DPA — and SOC 2 / compliance.
US frameworks (you must know)
- FERPA (Family Educational Rights and Privacy Act, 1974) — federal; controls access to education records; requires parental consent for non-directory disclosure for minors; rights transfer to student at 18 / college enrolment.
- COPPA (Children's Online Privacy Protection Act) — federal; applies to commercial services knowingly directed at or used by children under 13; verifiable parental consent + minimal-data.
- CIPA (Children's Internet Protection Act) — federal; ties E-Rate funding to internet filtering and education on appropriate use.
- PPRA (Protection of Pupil Rights Amendment) — federal; surveys + protected information.
- State laws — NY Ed Law §2-d, Illinois SOPPA, California SOPIPA, Colorado HB 16-1423, etc. Each requires DPA-shape contracts with vendors. Student Data Privacy Consortium (SDPC) has a national DPA template that 30+ states use.
EU / international
- GDPR — broadly the world's strictest framework; school-data-specific guidance from each national DPA.
- UK Data Protection Act 2018 — GDPR-aligned post-Brexit; ICO has school-specific guidance.
- Privacy Act (Australia), PIPEDA (Canada), APPI (Japan), PIPL (China) — regional.
Evaluation / scorecard tools
- ★ Common Sense Privacy Program — free; non-profit; evaluates 1,000+ ed-tech apps with privacy ratings; the de-facto US K-12 reference.
- Internet Safety Labs (ISL) — non-profit; school-app privacy reports.
- Student Data Privacy Consortium (SDPC) National DPA — free template + registry; check whether a vendor has signed.
- Privacy Evaluation Initiative (PEI) — older but archived.
- iKeepSafe Privacy Badges — paid; vendor self-certification.
DPA / contract templates
- SDPC National DPA — free; the template used by most US states.
- CoSN Trusted Learning Environment — paid + free resources; district self-assessment.
- CASB (Cloud Access Security Broker) — Netskope, Cisco Cloudlock, Microsoft Defender for Cloud Apps — paid tools to monitor what data flows to cloud apps.
Authentication / access control
- ★ Clever / ClassLink — see SIS; the rostering
- SSO layer that limits how much data each app gets.
- OneRoster API — open; minimal-data rostering.
- Google Workspace for Education + Microsoft 365 Education — both have admin tools for consent / data-residency / age-appropriate-design controls.
Web filtering / safety (paid)
- Lightspeed Systems — paid; filtering + monitoring; controversial for surveillance scope.
- GoGuardian — paid; same shape; criticised for behavioural-monitoring scope.
- Securly — paid; alternative.
- Bark for Schools — paid; alerts for self-harm / threats.
- ⚠ Honest caveat: monitoring tools have flagged LGBTQ+ keywords, mental-health language, and political speech in ways that may harm rather than help students. Configure carefully and involve students.
OSS / privacy-respecting
- Pi-hole / NextDNS — see DNS infrastructure; free network-level filtering.
- Nextcloud / OnlyOffice / Collabora — see self-host document management; EU-hostable Workspace alternative.
- Self-host LMS — see LMS platforms (self-host) — the strongest privacy posture is owning your stack.
- Self-host AI — see Self-hosted AI / LLM — districts worried about LLM data-flow can self-host Ollama / Open WebUI.
Accessibility (linked but distinct)
- WCAG 2.2 — accessibility standard.
- Section 508 (US federal), EN 301 549 (EU), AODA (Ontario).
- VPAT (Voluntary Product Accessibility Template) — vendor self-disclosure; ask for it.
Patterns to adopt
- ★ Sign DPAs before deploying — use SDPC if your state allows it.
- Minimise data shared — rostering layers (Clever / ClassLink) limit per-app exposure.
- Annual privacy audit — what apps are in use, what data flows out, who has DPAs.
- Train teachers — the largest data-leak source is well-meaning teachers signing up for free apps without district approval.
- Publish a vendor list — parents have a right to know.
- Plan for AI — every LLM-tool deployment needs a DPA, opt-out, and student-prompt-data retention policy.
Pick this if…
- Quick app-evaluation: Common Sense Privacy.
- DPA template: SDPC National DPA.
- District infra audit: CoSN TLE.
- Privacy-respecting Workspace alternative: Nextcloud + OnlyOffice / Collabora.
- Privacy-respecting AI tutor: self-host Ollama + Open WebUI; document the DPA.