The U.S. Department of Education is urging institutions to include privacy protections that reach beyond the Family Educational Rights and Privacy Act (FERPA) in contracts with app and other online educational service providers. New guidance from the Department’s Privacy Technical Assistance Center (including a basic employee training video) provides insight on Department expectations when third parties have access to student data online.

Though directed at K-12 schools, the guidance—particularly the model contract terms—can be readily translated to the college and university setting. The model contract terms address issues including data collection, use, redisclosure and destruction; the Department provides explanations for the recommended terms. The guidance also acknowledges that such terms may not be required by FERPA or other privacy laws, but indicates institutions should consider them as best practices.

In suggesting these model terms, the guidance calls on schools to consider the privacy challenges posed by “click wrap” terms of service agreements—contracts that get created when a user (usually thoughtlessly) clicks on an “I accept” or similar button. These challenges can include express waivers of privacy law protections as well as terms allowing the provider to share data indiscriminately or change terms unilaterally. Institutions may be able to override these pre-set terms through negotiation.

What this means for you

FERPA has not been updated since 1974. State and federal legislatures, with the encouragement of the White House, are considering a bevy of new student privacy laws (and some states have already passed them). As FERPA updates and other legislation brew, institutions can prepare to face the changing regulatory landscape.

Consider the following steps:

  • Inventory. Create an inventory of agreements between your institution and third parties that may lead to online disclosure of student data.
    • Review both formal, negotiated institutional contracts and click-wrap agreements into which your employees (and possibly students) have entered.
    • Determine whether the Department’s suggested terms are already covered, or should be inserted, in those agreements.
  • Systematize. Develop a process and appoint responsible offices for reviewing agreements and approving procurement of apps, online educational services, and other contracted items tied to online student data access.
    • Create standard terms for contracts with providers going forward that incorporate appropriate student data restrictions.
    • Consider re-negotiating existing agreements.
  • Train. Teach employees about the privacy implications of contracts with app providers, online educational service providers and others who may access student data online.