A Q&A Conversation on K-12 Student Data Privacy

So much is happening in the world of student data privacy right now. Between FERPA (Family Educational Rights and Privacy Act), COPPA (Children's Online Privacy Protection Act), and individual state laws, it can be hard to know where your school stands and how to meet the legal requirements in place today.

And since schools like yours are probably using education tools like ours, you may be wondering how these third-party tools are keeping student information safe. To address these questions, we sat down with Apptegy’s Chief Legal Officer, Jamie Fugitt, to discuss what these laws are and how ed-tech companies like Apptegy are taking proactive measures to keep student information private.

Heather Palacios: I really appreciate you sitting down to talk with me about student data privacy and all of the nuance surrounding this complex topic. 

Jamie Fugitt: Of course, happy to be here.

FERPA

Heather Palacios: So, I want to kick off the conversation by talking about FERPA. Can you explain what FERPA is and how schools can comply with FERPA?

Jamie Fugitt: The spirit and purpose of FERPA is to give parents or guardians and their children (once they turn 18) rights related to the personal information collected about them during their education process. There are a handful of bullet point rights that are included in FERPA.

To summarize, it’s the right of access:

  • The parent, guardian, or an 18-year-old student can request access to see the information that has been collected and is being stored by the educational institution.
  • They have certain rights once they see this information about how to manage it. It gives parents or guardians control over some of those records.
  • They can request to correct these records if something is incorrect.
  • They have certain rights about disclosures and certain types of uses they can opt out of.

So, the school can use personal student information and collect it for their education purposes. But if the school also wants to send information to a commercial partner, like for a class ring or something like that, most of the time, the parent or guardian can say, “Take my kid off those lists,” if they want to.

The spirit of FERPA is to make sure parents and guardians know they have access, transparency, and some level of control and decision-making with respect to the information collected about their kids. And it generally applies to all schools that receive federal funding from the Department of Education. So, there's nuance around it.

Heather Palacios: So essentially FERPA gives families some peace of mind about how sensitive information is being collected. And they still have some control over how that information is shared and stored. Does that include charter schools?

Jamie Fugitt: That would include charter schools that receive federal funding. It does not include most private schools. Private schools and religious schools don't typically take public funding. And they often do that with a very particular purpose—because of the strings that come with it. If they don't take public funding then they have a lot more choices over what they do and don't have to do. So, private schools are not generally subject to FERPA.

The interesting thing about this world of privacy, security, and personal data of children is that we're in a space now where the expectations of what is “normal” or should be done at the individual parent or guardian level, are sometimes outpacing what the law requires. I'm guessing there are a lot of parents who have a kid in a private school that are not technically subject to FERPA, as far as a lawsuit or regulatory enforcement is considered. But they still believe: I should have transparency over my child’s sensitive information. I should know what's being collected and I should be able to correct it if it's wrong.

So, some of that FERPA technicality has crept over into just general expectations about information rights. That's the case in a lot of these worlds about student data privacy—what is technically required, what is generally expected, where those two overlap, and how decisions are made.

Heather Palacios: What kind of records are covered by FERPA? Can you give me some examples?

Jamie Fugitt: They're called education records. That’s the terminology used in FERPA. Education records are information collected in the process of a child attending a school and the services provided by the school that are personal to that child. So it’s an identifier, like grades, birth date, social security number, transcript, etc.

At Apptegy, we are real black and white about this information. We only have student data under the umbrella of our schools. So if we get information about a child, it's under the school's control. It's an education record for all of our intentions and purposes, and it's under the direct control of the school.

So we treat all student data as though it is covered by FERPA—that is, all student data is considered to be an education record and is handled accordingly. If it's personal to a child—whether it's created as an output of their education or it identifies them in some way—it's counted under FERPA.

Cybersecurity best practices for schools

Heather Palacios: As a parent, I’m curious about your answer to this question. Say a parent or guardian is enrolling their student into a new school—what kind of research should they do on the front end to learn about student data privacy for that school or district? Also, should schools make their student data privacy policy accessible to read on places like their website?

Jamie Fugitt: So this space is moving rapidly. Every single year another state has passed some form of next-generation student data privacy law. Next year there'll be another handful and the year after that there'll be even more.

Schools have to understand that their state may require them to proactively take some student privacy measures in the near future. And these measures could include having a privacy statement posted publicly online or creating internal safeguarding systems, such as training their people on how to keep data both secure and private. That means caring about what vendors they use and researching how those vendors protect student information.

The school itself may have the best system in the world, but if they use third-party ed-tech tools, those outside groups have access to sensitive information. And they might not have the same level of care as the school.

On the flip side, more and more families are going to be asking questions like, “What are your policies? What do you do both internally to protect my students' information and externally to keep it private?”

I'm guessing a lot of schools are already facing this challenge. But it's only going to increase just because that's where the national conversation is going. That’s a long way of saying, if schools aren't caring about student data privacy and taking more proactive steps now, they're going to be forced to in the future.

From the parent side, different individuals set different priorities and have different values because we're talking at the individual level. I know people who are very concerned about every piece of information. They want the utmost privacy, especially for their kids. Like, don't put my kids on the internet and don't take their picture.

Heather Palacios: I can definitely relate to that.

Jamie Fugitt: Right? I know those types of people. I know other people who don't care and that's not a bad thing. They just don't worry about it. And then there's a whole spectrum in between.

I think parents have to take a self-assessment about where it fits in their value list. It's a completely reasonable road to go down to ask the school, “What are your student data practices?” Because that information is starting to be required in many cases or generally expected.

“Schools have to understand that their state may require them to proactively take some student privacy measures in the near future. And these measures could include: Having a privacy statement posted publicly online or creating internal safeguarding systems, like training their people on how to keep data both secure and private. That means caring about what vendors they use.”

Heather Palacios: It makes sense that there’s complexity around this topic because it’s still so new, and every state operates a little differently around these laws. But in general, schools should expect more and more parents and guardians to be inquiring about their student data privacy measures.

COPPA

Heather Palacios: So, let’s switch gears and talk about COPPA. What is COPPA and how is it different from FERPA?

Jamie Fugitt: FERPA is a law that applies to every school that receives public funding and collects education records. COPPA, on the other hand, is not tied to schools or public funding. COPPA is aimed at any online organization, like software, websites, apps, games, etc., that are used by children under the age of 13.

The spirit behind COPPA is, if you're going to enter the commercial space and you’re going to make money through either selling directly to kids or having kids use your product—then you're opting in. COPPA forces organizations to have more data protection measures because child data is so sensitive.

So there are some similar themes between FERPA and COPPA, like children can't reasonably be asked to protect themselves. With FERPA, they're forced to go to school, so you have to protect them. With COPPA, a child may just think they're playing a game. They're not really comprehending that, in order to play the game, they have to create a profile with their name and email address. They also have an IP address and their information is being collected and they’re being cookied.

So the purpose of COPPA was to push the burden to the providers. I think there's been mixed success on how it's being enforced, but it's out there and it requires taking similar steps as you would with FERPA.

Organizations are required to put privacy and sometimes consent notices upfront before any data collection happens. And when consent is required, it must be verified in reasonable ways. The providers—in turn—may have to build and design barriers or gates into their products and services to promote better protection for children. For example, that might be a pop-up screen that forces certain actions, like age or consent verification, before a game can be played.

“COPPA is aimed at any online organization, like software, websites, apps, games, etc., that are directed to children under the age of 13. The spirit behind COPPA is, if you're going to enter the commercial space and you’re going to make money through either selling directly to kids or having kids use your product—then you're opting in.”

Heather Palacios: I see. Can you share a specific example of how COPPA is enforced?

Jamie Fugitt: Yeah, here’s a good example. This past year there was government action against Fortnite. Two of my kids love gaming and one of my kids was a heavy player of Fortnite. So the makers of Fortnite essentially said, We make games for teenagers ages 13 years or older. If a parent lets a younger child play Fortnite, it's on the parent and not us. The gray area under COPPA is that if Fortnite’s explanation was accepted, it would mean they weren’t subject to the strict COPPA requirements.

But Fortnite learned a hard lesson. The government said that it was obvious that kids 12 years old and under love Fortnite and that Fortnite obviously knew that to be true. So even if Fortnite wasn't intended for younger kids at the beginning, once it was clear that younger kids were playing in huge numbers, Fortnite had to start considering what protections they were building into their systems.

Some of the things the government focused on were notices and age verification stuff that happened at the creation of an account, as well as in-game payment verifications that happened during play. Now, Fortnite has created a more complex system to verify users’ birthdays, verify user purchase authority, and different things like that. There’s also a notice listed upfront. Features like Live Chat are turned off by default, so parents have to actively take steps to turn those features on. These are clear signals from government enforcers about what they expect under COPPA.

Ed-tech companies complying with COPPA

Heather Palacios: Let's bring this conversation closer to home. What steps has Apptegy taken to comply with COPPA and what should third-party operators like Apptegy do to comply with COPPA?

Jamie Fugitt: At Apptegy we take it very seriously. Awareness and seriousness is just the beginning. That means making sure that not just a few people in our organization know about COPPA—it's not just a legal department or a compliance officer thing. It is across our organization.

If COPPA regulators are very clearly signaling that they care about student privacy, then designers, developers, and software engineers need to know that. When they're making their designs, they should be thinking, How should this work? Is this toggle on or off? Is the default on or off? We want to be making choices that promote good protections—not just the required, minimum protections—but good protections.

Sales, marketing, and customer service all have customer-facing discussions, so they need to be reasonably informed. When the implementation and onboarding team gets product questions like, Can you help me do this? Why is this set this way? I wanna turn this off.

They are able to say, The reason why this default is on is because this has a student privacy relationship. The best providers should be designing products and building customer relationships that promote the spirit of these laws, which is protecting children.

Heather Palacios: That makes sense. And of course, we need to have a detailed privacy policy page.

Jamie Fugitt: Yeah, so we do have that. It’s kind of my baby.

Heather Palacios: That’s what I’ve heard.

Jamie Fugitt: We update it continuously. So every time there's a change—whether it's a new law that applies or guidance from a government agency that is relevant, or if we need to make something more transparent—we make sure to give clear notice and add it to our privacy policy page.

One of the challenges with privacy policies is that there's so much information to give. There's tension between full disclosure—to share all of the things that may be collected and how it’s being used, which ends up being a lot of quantity information—and also keeping it readable and understandable.

It can get long and sometimes the quantity is overwhelming. But we are trying to present very itemized, detailed information for parents and guardians so they know if their school has chosen to use Thrillshare, they can go to apptegy.com/privacy-policy and read more about how we’re protecting student data.

Heather Palacios: So, what's at stake here? If schools and vendors don't follow FERPA, COPPA, or particular state and regional laws, what's at stake for the future?

Jamie Fugitt: The most important thing is that both schools and vendors in the ed-tech space are custodians of personal information about children, and children can't protect themselves. So what's at stake is their information possibly being shared before they're ready to make their own fully informed decision.

This is something Apptegy takes seriously, and I think it’s something that schools take seriously. Just being a partner with those kids and doing the right thing is the highest stake, regardless of what the legal risk is.

“The most important thing is that both schools and vendors in the ed-tech space are custodians of personal information about children, and children can't protect themselves…Just being a partner with those kids and doing the right thing is the highest stake, regardless of what the legal risk is.”

Heather Palacios: I really appreciate you saying that. I think, oftentimes in the ed-tech space, it’s easy to focus on the legal consequences and forget about who we’re trying to protect in the first place.

Jamie Fugitt: Oh absolutely. Protecting children is of the highest level of importance for us.

Underneath that—on the ed-tech vendor side—it's clear that there are enforcement consequences if you don't abide by COPPA or FERPA. The FTC has publicly stated this is a new, increased priority and they've taken action this year with some big-ticket penalties. If organizations don’t change their behavior, they go out of business. This isn’t optional anymore.

From the school level, I prefer to think about it as families having more information and expectations on their side. That's going to inform school choice decision-making.

Say you really care about student data privacy, and you have two schools to choose from and you’re trying to decide on which one to choose. One school may provide good information; they’re responsive, and you trust their systems. The other school, on the flip side, may be doing good things but they haven't made their student data privacy information available, and they're not responsive to those questions. Which school are you going to choose as a parent? It may not be what tilts the balance, but it's for sure going to be increasingly important in the decision-making process.

Then there are consequences, like penalty fines. But at the end of the day, you want to educate students, you want families to come to your school, and you want to provide your teachers a great place to work. In the future, student data privacy is going to have a ripple effect on all of these things.

Heather Palacios: It’s crazy. I’m sure, even five years ago, schools weren’t thinking of student data privacy as a school choice factor but now it is.

Thank you again for chatting with me, Jamie. I’ve learned so much from this conversation and I really appreciate you taking the time to meet with me today.

Jamie Fugitt: Of course, thanks for having me.

Reflections and actionable takeaways

With regard to school marketing, it seems like the conversation always circles back to trust: When your audience trusts you, they’ll do business with you. More than that, they’ll advocate for you. That means schools have to take proactive measures to establish trust with their community, which includes taking a second look at their student data privacy strategy.

One thing that stood out from our conversation with Jamie was how student data privacy is a critical decision-making factor in school choice:

“Say you really care about student data privacy, and you have two schools to choose from and you’re trying to decide on which one to choose. One school may provide good information; they’re responsive, and you trust their systems. The other school, on the flip side, may be doing good things but they haven't made their student data privacy information available, and they're not responsive to those questions. Which school are you going to choose as a parent? It may not be what tilts the balance, but it's for sure going to be increasingly important in the decision-making process.”

So how do you become the first school in this scenario?

First, be transparent about your school or district’s student data privacy measures. Make this information readily available on your school website. That means having a dedicated student data privacy page that’s easy to find and point people to from your homepage. Try to include information about all of your third-party vendors. And give parents and guardians easy access to your vendors’ privacy policy pages by adding these links to your student data privacy page. When it comes to student data privacy, more is more. The more information you can provide about your systems, processes, and training, the more trust you’ll establish with parents and guardians on the front end.

Second, as Jamie said, student data privacy isn’t just a legal department or administrative department problem—it’s cross-organizational. And this doesn’t just apply to private-sector businesses. This mindset can be applied to your schools as well:

“Awareness and seriousness is just the beginning. That means making sure that not just a few people in our organization know about COPPA—it's not just a legal department or a compliance officer thing. It is across our organization….The best providers should be designing products and building customer relationships that promote the spirit of these laws, which is protecting student data.”

Everyone—from your superintendent to your teachers—needs to understand how your district’s student data privacy strategy works. They need to understand the spirit of these laws and how their work coincides with protecting student information. From a practical perspective, that means investing in training seminars and getting your staff familiar with privacy best practices. Teachers and principals in particular may get asked these questions by parents and guardians. It’s important that they know where to direct families to find more information about their school’s privacy policy.

Complying with COPPA and FERPA is much more complex than taking these simple measures, but if you want to take some proactive steps, start here. And if you’re interested in learning more about Apptegy’s privacy policy, check out our Privacy Policy page. You can also email us at privacy@apptegy.com or call us at 1-888-501-0024.