EPIC Student Privacy Project

• EPIC Student Privacy Project |
• Resources |
• Related Student Privacy Issues |
• News

Students do not shed their rights at the schoolhouse gate, and the right to privacy is no exception. Federal and state laws establish critical protections for the confidentiality of students' educational records. The most significant federal statute concerning student privacy is the Family Educational Rights and Privacy Act (FERPA). FERPA protects the confidentiality of educational records while also giving students the right to review their own records.

In recent years, the growing use of surveillance technology and digital learning tools in school settings has posed new threats to student privacy. Although FERPA and statutes against unfair trade practices generally prohibit the misuse of students' personal data, enforcement of these laws has often lagged, leaving students vulnerable to invasive data collection, exploitative uses of their personal information, and unfair and discriminatory automated decision-making systems.

Top News

• EPIC Student Privacy Project Featured in Kennedy School Casebook: EPIC's Student Privacy Project has been selected for inclusion in the spring 2021 Tech Spotlight Casebook, a publication of the Harvard Kennedy School's Belfer Center for Science and International Affairs. The casebook "recognizes projects and initiatives that demonstrate a commitment to public purpose in the areas of digital, biotech, and future of work." The book highlights EPIC's recent efforts to halt the use of unfair, unreliable, and invasive remote proctoring tools and the D.C. consumer protection complaint EPIC filed against online proctoring firms. "Through meticulous research, the Student Privacy Project revealed the extent to which these companies collect and process student personal and biometric data," the casebook explains. "The complaint attempts to hold the five companies accountable for their practices by demonstrating how the data collection and processing practices may violate existing law." The casebook also recognizes recent work around census privacy protections, community control over police surveillance, racially biased speech recognition tools, and the use of "garbage" facial recognition to identify criminal suspects. A ceremony will be held Thursday, May 20 at 1 p.m. ET. (May. 19, 2021)
• New York Enacts Law Suspending Use of Facial Recognition in Schools : A bill signed into law yesterday suspends the use of facial recognition and other biometric technology by New York State schools. The ban will last for two years or until a study by the State Education Department is complete and finds that facial recognition technology is appropriate for use in schools, whichever takes longer. EPIC leads a campaign to ban face surveillance through the Public Voice coalition. EPIC recently filed a DC Consumer Protection Complaint alleging that online test proctoring companies have violated students' privacy and engaged in unfair and deceptive practices. (Dec. 23, 2020)

More top news

EPIC, Coalition Urge School Administrators to Reject Face Surveillance + (Feb. 13, 2020)

In a letter to school administrators, EPIC joined Fight for the Future and over 40 organizations opposing the use of facial recognition technology in schools. The coalition stated that facial recognition is an "invasive and biased technology that violates the rights of students and faculty and has no place in educational institutions." EPIC launched a campaign and resource page to ban face surveillance globally. The Public Voice declaration has the support of over 100 organizations and many leading experts across 30 plus countries. EPIC has also called on the Privacy and Civil Liberties Oversight Board to suspend face surveillance systems across the federal government.

Coalition Urges Florida Governor to Cancel School "Safety" Profiling Project + (Jul. 9, 2019)

EPIC and 32 organizations have urged Florida Governor DeSantis to postpone the implementation of a proposed school safety database. The groups warned that the system could label students as threats based on data such as physical disabilities or those seeking mental health care. The signatories asked Governor DeSantis to immediately halt the database project and create a commission to propose measures that effectively identify and mitigate school safety threats. In 2014 EPIC urged Congress to adopt the Student Privacy Bill of Rights to safeguard student privacy.

EPIC Backs Principles for Student Safety, Privacy, and Equity + (Mar. 29, 2019)

EPIC joined forty education, privacy, disability rights, and civil rights organizations to support ten principles for school safety. The principles promote student safety measures that are evidence-based and oppose the surveillance-based measures that have been proposed in many states. In 2014 EPIC urged Congress to adopt the Student Privacy Bill of Rights to safeguard student privacy. In 2012, EPIC sued the Department of Education after it weakened a rule to protect the privacy of student records. Last year EPIC filed an amicus brief in Jackson v. McCurry, stating that teachers may not search a student's cell phone unless they have followed an explicit school policy that complies with Fourth Amendment requirements.

Court Gives School Officials Immunity in Suit Over Search of Student's Cell Phone + (Mar. 13, 2019)

The Eleventh Circuit has issued a decision in Jackson v. McCurry. A student's family filed the case after school officials searched her cell phone without probable cause. The appeals court ruled against the the student because the law limiting searches of student cell phones was not "clearly established." EPIC filed an amicus brief, arguing that searches of student phones should be "limited to those circumstances when it is strictly necessary" after the Supreme Court's decision in Riley v. California. EPIC wrote that "most teenagers today could not survive without a cellphone." The court recognized the need to limit school searches of cell phones, noting that "the reasoning of Riley treats cellphone searches as especially intrusive in comparison to searches incident to arrest of personal property" and that "a search of a student's cellphone might require a more compelling justification than that required to search a student's other personal effects." However, the court refused to hold that this right was "clearly established." EPIC routinely files amicus briefs in cases raising new privacy issues. EPIC has also long advocated for greater student privacy protections, including a Student Privacy Bill of Rights.

EPIC Urges Appeals Court to Uphold Fourth Amendment Protections for Searches of Students' Cell Phones + (Mar. 13, 2018)

EPIC has filed an amicus brief with the Eleventh Circuit Court of Appeals in Jackson v. McCurry, stating that teachers may not search a student's cell phone unless they have followed an explicit school policy that complies with Fourth Amendment requirements. Citing a recent Supreme Court opinion, EPIC explained, "after Riley, searches of students' cell phones require heightened privacy protections." Noting that "most teenagers today could not survive without a cellphone," EPIC wrote that searches of cell phones should be "limited to those circumstances when it is strictly necessary." EPIC previously participated as amicus curiae in Riley v. California, arguing that the search of a cellphone requires a warrant, and Commonwealth v. White, a case before the Massachusetts Supreme Judicial Court, arguing that a warrant is required before a school may turn over a student's cell phone to the police. Both cases produced favorable outcomes.

EPIC Advises Congress to Protect Student Privacy in Evidence-Based Policymaking + (Jan. 30, 2018)

In advance of a hearing on "Protecting Privacy, Promoting Policy: Evidence-Based Policymaking and the Future of Education," EPIC wrote a statement to the House committee, expressing support for both evidence-based policy and student privacy. EPIC explained that privacy enhancing technologies are necessary to protect student data, because even where data has been de-identified it may still possible to extract personal data. In 2014 EPIC urged Congress to adopt the Student Privacy Bill of Rights to safeguard student privacy. EPIC also testified before the Commission on Evidence-Based Policymaking, and recommended innovative privacy techniques to protect personal data that also enable informed public policy decisions.

Federal Student Aid Office Not Protecting Student Privacy, GAO Audit Finds + (Dec. 6, 2017)

The Federal Student Aid office (FSA) at the Department of Education is not doing enough to protect student privacy, according to an audit by the Government Accountability Office. The GAO found that FSA has failed to hold schools accountable for their lax data security practices that have resulted in numerous data breaches, and has not assessed the privacy risks for its own electronic records system. FSA collects personal information on students and their families to evaluate schools that receive federal student aid. The FSA claims that the FTC can manage privacy protection. EPIC has done extensive work to protect student privacy including a 2014 complaint to the FTC about a massive data breach that impacted students in Maricopa County. The FTC failed to act even though Maricopa county violated the FTC Safeguards Rule by failing to protect students' financial information. EPIC also urged Congress to strengthen student privacy protections following a FAFSA data breach. In 2012 EPIC sued the Department of Education for weakening student privacy protections. EPIC has proposed a Student Privacy Bill of Rights.

European Court Holds Camera Surveillance of University Lecture Halls Violates Privacy + (Nov. 29, 2017)

In the case of Antović and Mirković v. Montenegro, the European Court of Human Rights held that camera surveillance in lecture halls at the University of Montenegro's School of Mathematics violated Article 8 of the European Convention on Human Rights (the right to respect one's "private and family life"). The decision follows earlier cases of the Court which recognize privacy rights in the workplace. Some U.S. law schools have deemed all classrooms and meetings rooms as "recordable spaces" and state that voluntary participation therefore constitutes a waiver of legal claims. EPIC has protected the human right to privacy through third-party intervention in the European Court of Human Rights as well as documented the spread of CCTV surveillance technology across American cities. EPIC's Privacy Law Sourcebook provides background on US and international privacy law. The Privacy Law and Society website provides more information about international privacy law.

EPIC Backs Privacy Act Protections for "Insider Threat" Database + (Jul. 5, 2017)

EPIC has sent comments to the Department of Justice criticizing a proposed "insider threat" database. This database replaces a similar database that was proposed and later rescinded by the FBI last fall and would allow the DOJ to collect virtually unlimited amounts of personal data from employees, contractors, interns, and visitors to DOJ facilities. Citing the size and scope of the database combined with recent government data breaches, EPIC warned that the database was putting federal employees and contractors at risk. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases.

EPIC Urges DHS To Abandon Privacy Act Exemptions for ICE Database + (Jun. 8, 2017)

In comments to the Department of Homeland Security, EPIC urged the agency to withdraw proposed Privacy Act exemptions. The FALCON database contains detailed personal information on ICE and CBP employees, and individuals associated with ICE investigations including victims and witnesses. For this government database, DHS has proposed to exempt itself from several Privacy Act protections including ensuring that the records are accurate, timely, and complete. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases. The FBI recently postponed an "Insider Threat" database that also lacked adequate Privacy Act safeguards.

EPIC to Congress: Protect Student Privacy + (May. 2, 2017)

EPIC has sent a statement to the House Committee on Oversight for the upcoming hearing on the FAFSA ("Free Application for Federal Student Aid") data breach, which compromised more than 100,000 taxpayer records. EPIC urged the Committee to protect student privacy. EPIC's testimony: (1) explained how the U.S. Education Department weakened key safeguards for student records, (2) described the privacy risks that students today face, (3) underscored the need for data security safeguards for student information, and (4) recommended that Congress adopt EPIC's Student Privacy Bill of Rights. EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy.

Senators Markey and Hatch Propose Student Privacy Act + (Apr. 7, 2017)

Senator Edward Markey (D-Mass) and Senator Orrin Hatch (R-Utah) have reintroduced the "Protecting Student Privacy Act." The Act would strengthen the Family Educational Rights and Privacy Act, a federal student privacy law. The Student Privacy Act would also implement several of the recommendations EPIC set out in the Student Privacy Bill of Rights, including data security safeguards, student access to personal information held by companies, prohibiting the use of personal data for marketing purposes, and minimizing the personal information schools transfer to third parties.

States Recognize Data Privacy Day + (Feb. 10, 2017)

Several states across the U.S., including Michigan, Montana, North Carolina, and Ohio, recognized international Data Privacy Day, held annually on January 28 to commemorate the first international treaty for privacy and data protection. State efforts to raise awareness about privacy and other consumer protection issues are published monthly in The State Center Consumer Protection Report. The Report also noted that Mississippi is pursuing legal action against Google over student data collected from public schools. The lawsuit accuses Google of collecting students' personal information and search history for its own business interests in violation of the Mississippi Consumer Protection Act.

Government Breaches Continue, Hacker Compromises more than 130,000 Navy Records + (Nov. 29, 2016)

In the latest government data breach, the Navy reported that a hacker gathered the personal data of more than 130,000 current and former sailors from a laptop that belonged to a government contractor. Government security vulnerabilities are on the rise. In 2015, the records of more than 21 million federal workers, friends and family members were breached. In 2016, EPIC urged candidates for office to focus on "data protection." EPIC has warned that inaccurate, insecure, and overbroad government databases pose a risks to the safety of Americans. Earlier this year, EPIC urged the Dept. of Defense and Dept. of Homeland Security to drop proposals to expand government databases that lacked adequate privacy safeguards.

Massachusetts Court Upholds Privacy Rights of Cell Phone Users + (Sep. 28, 2016)

The Massachusetts Supreme Judicial Court ruled today in Commonwealth v. White that the Fourth Amendment prohibits law enforcement from seizing a cell phone based simply on an officer’s suspicion that a cell phone may be used in a crime, finding that a warrant must be obtained prior to the seizure of the phone. EPIC filed an amicus brief in the case, arguing that "digital is different," and therefore the legal standard for warrantless searches of contraband in schools does not apply to cell phones. EPIC also explained the significance of Riley v. California, the recent Supreme Court  that established a warrant requirement for searches of cell phones. The EPIC State Policy Project coordinated the EPIC amicus brief in the case.

EPIC Urges Wisconsin Legislature to Safeguard Student Privacy + (Aug. 17, 2016)

In testimony for the Wisconsin legislature, EPIC urged state lawmakers to protect student privacy. EPIC's testimony: (1) explained how the U.S. Education Department weakened key safeguards for student records,  (2) described the privacy risks that students today face,  (3) underscored the need for data security safeguards for student information, and (4) recommended that Wisconsin adopt EPIC's Student Privacy Bill of Rights.  EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy. EPIC's State Policy Project is monitoring privacy bills nationwide.

States Adopt New Student Privacy Safeguards + (Jun. 21, 2016)

Several states have recently enacted new student privacy laws. Colorado and Connecticut’s laws impose strict requirements on those who collect student data. Connecticut also requires that parents are notified each time a school district enters into a contract that involves student data.  North Carolina enacted a student privacy law modeled after California's Student Online Personal Information Protection Act. The National Association of State Boards of Education reported that 38 states considered student privacy legislation in 2016. Ten of those states passed student privacy laws. EPIC has urged the enactment of a comprehensive student privacy bill of rights. EPIC's State Policy Project is monitoring privacy bills nationwide.

EPIC, Coalition Petitions Education Department for Data Security Rules for Student Records + (Jun. 6, 2016)

EPIC, legal scholars, technical experts, and many leading privacy organizations have petitioned the Education Department to establish a data security rule to protect student records. The experts and groups explained that data breaches now plague schools and colleges across the country, following recent changes to the Family Educational Rights and Privacy Act. The petition calls for the establishment of rules for  encryption, privacy enhancing techniques, and breach notification.

Senator Franken Presses Google on Student Privacy + (Jan. 16, 2016)

Senator Al Franken (D-MN) asked Google to explain what the company does with student data, including: what types of data Google collects, to whom Google discloses student information, and whether students and schools “have control over what data is being collected and how the data are being used?” Senator Franken stated, “I believe Americans have a fundamental right to privacy, and that right includes a student or parent’s access to information about what data are being collected about them and how the data are being used.” EPIC has called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework.

EPIC Warns Education Department of Research Database Privacy Risks + (Jan. 6, 2016)

In comments to the Education Department, EPIC objected to the Department's recent proposal to gather detailed student information. The Department plans to collect student data, including discipline records, to assess "data-driven instruction professional development." The Department also proposes to disclose the data to private contractors. EPIC suggested that the agency use aggregate data instead of students' personally identifiable information so as to reduce the risk that might result from a data breach. EPIC noted that the agency's Inspector General recently found that "information systems continue to be vulnerable to serious security threats." EPIC has called for a Student Privacy Bill of Rights, an enforceable privacy and data security framework.

Congress Calls on Education Department to Protect Student Privacy + (Dec. 14, 2015)

Congress has enacted the "Every Child Achieves Act of 2015," a law that provides technology funding for schools but requires extensive student data collection. In recognizing the substantial student privacy risks the law poses, Congress stated that the Education Department "should review all regulations addressing issues of student privacy, including those under this Act, and ensure that students' personally identifiable information is protected." The Act also requires ongoing compliance with L2 and other applicable state privacy law. EPIC previously sued the Education Department for weakening federal student privacy protections. EPIC supports establishment of a Student Privacy Bill of Rights.

Massachusetts Court Hears Arguments in Student Privacy Case + (Dec. 9, 2015)

The Massachusetts Supreme Judicial Court heard arguments yesterday in Commonwealth v. White, a case concerning both student privacy and cell phone privacy. EPIC filed an amicus brief in the case, arguing that the police should obtain a warrant before seizing a student's cell phone. EPIC explained that "digital is different," and therefore the legal standard for school searches of contraband does not apply to cell phones. EPIC also explained the significance of Riley v. California, the recent Supreme Court case on cell phone searches that upheld a warrant requirement. The EPIC State Policy Project is based in Cambridge, Massachusetts.

In Court: EPIC Urges Massachusetts to Protect Student Privacy + (Nov. 23, 2015)

EPIC has filed an amicus brief in the Massachusetts Supreme Judicial Court regarding a student privacy case. EPIC said that the police should obtain a warrant before seizing a student's cell phone. Citing a recent Supreme Court case, EPIC explained "Modern cell phones . . . implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse. In Riley v. California, a unanimous Supreme Court held that a search of cell phone required a warrant. EPIC previously filed an amicus brief in Commonwealth v. Connolly, a Massachusetts case concerning GPS tracking. The EPIC State Policy Project is based in Cambridge, Massachusetts.

Congress Explores Risk of Student Record Data Breach + (Nov. 19, 2015)

A Congressional Committee held a hearing on the Education Department's information security program. In 2014, the Department's Inspector General found that the "information systems continue to be vulnerable to serious security threats." The hearing revealed that the Education Department maintains at least 139 million Social security numbers in one of its databases. The Department has 184 information systems and 120 of those systems are managed by outside parties. For years, EPIC has warned of growing student privacy and security risks. EPIC has urged congress to enact the Student Privacy Bill of Rights to protect student data.

Tech Funding Bills Could Upgrade Student Privacy + (Nov. 4, 2015)

Congress may soon incorporate student privacy safeguards into legislation for digital learning in the classroom. Congress needs to merge two bills that provide technology funding for schools but require extensive student data collection -- the "Every Child Achieves Act of 2015" (S. 1177) and the "Student Success Act" (H.R. 5). Pending student privacy bills include the "Student Privacy Protection Act of 2015" (H.R. 3157)), the "Student Privacy Protection Act of 2015" (S. 1341), the "Student Digital Privacy and Parental Rights Act of 2015'' (H.R. 2092), and the "Protecting Student Privacy Act of 2015'' (S. 1322). EPIC supports establishment of a Student Privacy Bill of Rights.

Education Department Seeks Public Comment on Student Privacy Guidance + (Aug. 20, 2015)

The Education Department is seeking public comment on new guidance to protect student medical privacy. Currently, college officials may disclose confidential student medical records for purpose unrelated to treatment, including to university attorneys engaged in litigation against students. The Department’s proposal would require colleges to obtain student written consent or a court order prior to disclosure. The Department will accept public comments on the proposed guidance until October 2, 2015. EPIC previously sued the Education Department for weakening federal student privacy rules. EPIC also proposed the Student Privacy Bill of Rights, an enforceable student privacy and data protection framework.

In the States: Delaware Enacts Several Privacy Laws + (Aug. 10, 2015)

Delaware has recently passed four privacy laws. Under the Delaware Online Privacy and Protection Act, websites and apps must disclose the personally identifiable information they collect and how they use this information. The Student Data Privacy Protection Act enhances student privacy protections, banning companies from selling student data or using student data for targeted advertising. The Victim Online Privacy Act protects domestic violence survivors against having certain contact information posted online. The Employee/Applicant Protection for Social Media Act bars employers from demanding access to their employees' or prospective employees' social media accounts. EPIC's State Policy Project is monitoring privacy bills nationwide.

States Adopt Privacy Laws for Student Data, Breach Notification, License Plate Readers, and Drones + (Jul. 2, 2015)

Several states have recently enacted new privacy laws. New Hampshire and Oregon passed student privacy legislation modeled after California's Student Online Personal Information Protection Act. Rhode Island and Connecticut enacted new consumer privacy and data breach notification laws. A new Minnesota law limits the data police may capture using automated license plate readers and requires the deletion of all data not relevant to an investigation. And the Freedom from Unwanted Surveillance Act, a law in Florida regulating the commercial use of drones, went into force this week. EPIC's State Policy Project is monitoring privacy bills nationwide.

Senators Markey and Hatch Propose Student Privacy Act + (May. 13, 2015)

Senator Edward Markey (D-Mass) and Senator Orrin Hatch (R-Utah) have reintroduced the "Protecting Student Privacy Act.". The Act would strengthen the Family Educational Rights and Privacy Act, a federal student privacy law. The Student Privacy Act would also implement several of the recommendations EPIC set out in the Student Privacy Bill of Rights, including data security safeguards, students access to their information held by companies, prohibiting the use of personal data for marketing purposes, and minimizing the personal information schools transfer to third parties.

EPIC Launches State Policy Project + (May. 5, 2015)

EPIC has launched the EPIC State Policy Project to track legislation across the county concerning privacy and civil liberties. The EPIC State Project will identify new developments and model legislation. The Project builds on EPIC's extensive work on emerging privacy and civil liberties issues in the states. The new State Project will focus on student privacy, drones, consumer data security, data breach notification, location privacy, genetic privacy, the right to be forgotten, and auto black boxes.

House Members Introduce Student Privacy Bill + (Apr. 30, 2015)

Congressmen Luke Messer (R-IN) and Jared Polis (D-CO) have introduced the "Student Digital Privacy and Parental Rights Act of 2015." The student privacy bill would prohibit companies from selling student information, using student information for targeted advertising, or otherwise disclosing student information for non-educational purposes. The Student Digital Privacy Act would implement portions of EPIC's Student Privacy Bill of Rights, including granting students access to their personal information collected by companies and requiring companies to provide notice of data security breaches. The bill is modeled on a new student privacy law in California.

Congress Proposes Bipartisan Student Privacy Bill + (Apr. 23, 2015)

The House Education and Workforce Committee has proposed a discussion draft amending the Family Educational Rights and Privacy Act, a federal student privacy law. The draft recommends ways to strengthen the law, including: (1) protecting student data maintained by private companies; (2) shorter wait times for students to access their records; (3) permitting students to opt out of disclosing their data for certain research studies; (4) mandatory data security for schools; (5) written agreements detailing obligations of third parties receiving student data; (6) enhanced enforcement mechanisms; and (7) narrowing exceptions under which schools may disclose student data without consent.

EPIC Urges House to Safeguard Student Privacy + (Feb. 11, 2015)

EPIC has sent a statement to a House Committee in advance of the Committee's hearing on "How Emerging Technology Affects Student Privacy." EPIC urged the Committee to "pursue effective measures that meaningfully safeguard student data," including adoption of the Student Privacy Bill of Rights, privacy enhancing techniques, and a private right of action against companies that unlawfully disclose student data. Last month, President Obama proposed legislation to "ensure that data collected in the educational context is used only for educational purposes." EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy.

Congress to Hold Hearing on Student Privacy + (Feb. 5, 2015)

Next week, a House committee will hold a hearing on "How Emerging Technology Affects Student Privacy." Last month, President Obama proposed legislation to safeguard student data. The legislation would "ensure that data collected in the educational context is used only for educational purposes" And prohibit companies from selling data for non-educational purposes and targeting advertising. Last year, EPIC proposed the Student Privacy Bill of Rights following growing concerns about misuse of student data. EPIC has urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy.

President Obama Backs Student Privacy Law + (Jan. 12, 2015)

Today the President will propose legislation to safeguard student data, to "ensure that data collected in the educational context is used only for educational purposes." The Student Digital Privacy Act, based on a landmark California statute, will prohibit companies from selling data for non-educational purposes and from using data for targeted advertising. Last year, EPIC called for a Student Privacy Bill of Rights to safeguard student information. EPIC has urged Congress and the Department of Education to strengthen student privacy.

EPIC Uncovers DOD Student Data Collection Procedures + (Nov. 26, 2014)

The Department of Defense has released to EPIC documents on the "Joint Advertising and Market Research Studies" Recruiting Database. The database includes sensitive student information, including home address and grade point average. DOD obtains this information from high schools offering military aptitude tests, state DMVs, and commercial data brokers. The documents sought by EPIC shed light on how DOD collects, retains, uses, and safeguards student information within the database. The documents provided to EPIC also reveal that many parents demanded that DOD remove their children's records from the system. In 2005, EPIC, joined by more than 100 organizations, urged former Secretary of Defense Donald Rumsfeld to end the database because it collected unnecessary information, did not permit individuals to opt-out, and was housed at a private-sector direct marketing company. The agency now permits individuals to opt-out. For more information, see EPIC: Student Privacy and EPIC: DOD Recruiting Database.

EPIC Obtains New Documents About Lack of Student Privacy Enforcement + (Oct. 15, 2014)

EPIC has obtained new documents from the Department of Education detailing parent and student complaints about the misuse of education records. The Department released the documents in response to an EPIC Freedom of Information Act request. EPIC is expecting to receive more documents about the agency's enforcement of the Family Educational Rights and Privacy Act. Other documents that EPIC has uncovered reveal that schools and districts have disclosed students' personal records without consent, possibly in violation of the federal student privacy law. The documents also reveal that the Department failed to investigate many FERPA complaints. For more information, see EPIC: Department of Education's FERPA Enforcement, EPIC: Student Privacy, and EPIC: Open Government.

California Enacts Comprehensive Student Privacy Law + (Oct. 2, 2014)

California has passed the "Student Online Personal Information Protection Act," a comprehensive student privacy law. Among other provisions, the new law: (1) prohibits K-12 mobile and online service operators from using student information to target advertisements to students; (2) prohibits online service providers from creating K-12 student profiles for commercial purposes; and (3) forbids companies from selling student information. The law also requires K-12 mobile and online service operators to establish security measures and to delete student information at the request of a school or district. California also passed a law requiring schools that outsource student records to include privacy in contracts, and a law governing school social media monitoring programs. The Student Online Personal Information Protection Act incorporates many proposals EPIC outlined in the Student Privacy Bill of Rights. For more information, see EPIC: Student Privacy, EPIC: EPIC v. Education Dept., and EPIC: Echometrix.

EPIC Urges FTC to Investigate Maricopa Data Breach + (Sep. 29, 2014)

EPIC has filed a complaint with the Federal Trade Commission concerning the loss of personal information of almost 2.5 m current and former students, employees, and vendors in Maricopa County. According to EPIC, the District's failure to maintain a comprehensive information security program led to a "massive breach of names, addresses, phone numbers, e-mail addresses, Social Security numbers, dates of birth, certain demographical information, and enrollment, academic, and financial aid information." EPIC further alleges the District violated the Federal Trade Commission's Safeguards Rule by failing to protect students financial information. EPIC's complaint follows a similar complaint by DataBreaches.net. EPIC said that, "many education institutions in the United States are subject to the Safeguards Rule. The District's case is a particularly egregious example of the risk of failing to safeguard sensitive personal information." For more information, see EPIC: Student Privacy.

Education New York Urges Parents to Protect Student Privacy + (Sep. 8, 2014)

Education New York, a leading student privacy rights organization, is urging students and parents to opt-out of the use of educational records for marketing purposes. The data typically includes name, address, telephone number, birth date, and other personal information in student records. Education New York’s founder Sheila Kaplan stated, "I'm thrilled that with greater awareness of the issues, more parents have been joining the fight for students’ privacy rights." EPIC has long supported stronger privacy protections for student records. In 2012, EPIC sued the Education Department concerning changes to the student privacy law. Earlier this year, EPIC a hosted panel in Washington DC with Senator Ed Markey, "Failing Grade: Education Records and Student Privacy." For more information, see EPIC v. the Department of Education and EPIC: Student Privacy.

Senators Markey and Hatch Introduce Student Privacy Legislation + (Jul. 30, 2014)

Today, Senators Edward Markey (D-MA) and Orrin Hatch (R-UT) introduced legislation to require privacy safeguards for education records and prohibit the use of student information for advertising purposes. The "Protecting Student Privacy Act of 2014" would give students the right to access and amend their records that are held by private companies. The bill also requires schools to minimize the amount of personally identifiable information transferred to private companies. The bill requires companies to destroy student information "when the information is no longer needed for the specified purpose." The bill incorporates many of the proposals EPIC set out in the Student Privacy Bill of Rights. Senator Markey announced plans to introduce student privacy legislation earlier this year at EPIC's public panel on student privacy. For more information, see EPIC: Student Privacy.

EPIC Uncovers Complaints from Education Department about Misuse of Education Records + (Jul. 18, 2014)

EPIC has obtained documents from the Department of Education detailing parent and student complaints about the misuse of educational records. The Department released the documents in response to an EPIC Freedom of Information Act request. The documents reveal that schools and districts have disclosed students' personal records without consent, possibly in violation of the Family Educational Rights and Privacy Act. The documents also reveal that the Department failed to investigate many FERPA complaints. EPIC is expecting to receive more documents about the agency’s enforcement of the federal student privacy law. For more information, see EPIC: Student Privacy and EPIC: Open Government.

Federal Trade Commission Urges Court to Protect Student Privacy + (May. 29, 2014)

The Federal Trade Commission is opposing the sale of student data in a bankruptcy proceeding for ConnectEDU. The company privacy policy promises it will give students "reasonable notice and an opportunity to remove personally identifiable information" from its website. The FTC said that the sale of student information "without reasonable notice to users and an opportunity to remove personal information would contradict the privacy statements originally made to users." The FTC letter also cites consent agreements with Snapchat, Google, and Facebook. Each of these consent orders was a result of an EPIC FTC complaint. Last year, EPIC filed an extensive complaint concerning Scholarships.com's business practices. The company encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. For more information, see EPIC: Student Privacy, EPIC: In re Google Buzz, EPIC: In re Facebook, and EPIC: Federal Trade Commission.

EPIC Testifies on Student Privacy before California State Assembly + (May. 16, 2014)

EPIC's Student Privacy Project Director Khaliah Barnes testified before the California State Assembly Education Committee and Select Committee on Privacy, on "Ensuring Student Privacy in the Digital Age." EPIC's testimony: (1) explained how the U.S. Education Department’s regulations encourage mass collection of student data; (2) described the privacy risks that students today face; (3) underscored the need for data security safeguards for states, schools, and private companies accessing student information; and (4) recommended that California adopt EPIC's Student Privacy Bill of Rights. Earlier this week, Senators Markey and Hatch proposed bipartisan student privacy legislation. For more information, see EPIC: Student Privacy.

Senators Markey and Hatch Propose Student Privacy Legislation + (May. 15, 2014)

Senator Edward Markey (D-Mass) and Senator Orrin Hatch (R-Utah) have proposed a "Protecting Student Privacy Act." The draft bill would "(1) requires that data security safeguards be put in place to protect sensitive student data that is held by private companies; (2) prohibits the use of students' personally identifiable information to advertise or market a product or service; (3) provides parents with the right to access the personal information about their children - and amend that information if it"s incorrect — that is held by private companies just as they would if the data were held by the school itself; (4) makes transparent the name of companies that have access to student information by directing school districts to maintain a record of all outside companies with which the school contracts; (5) minimizes the amount of personally identifiable information that is transferred from schools to private companies; [and] (6) ensures private companies cannot maintain dossiers on students in perpetuity by requiring the companies to later delete personally identifiable information." The legislation highlights many of the protections EPIC endorsed in its Student Privacy Bill of Rights. Senator Markey announced plans to introduce student privacy legislation earlier this year at EPIC's public panel on student privacy. For more information, see EPIC: Student Privacy.

Google Stops Scanning Student Emails, Ends Data Collection for Advertising + (Apr. 30, 2014)

Google has announced it will stop scanning student emails for advertising purposes. Google has also stated that it will no longer display new advertisements in its Apps for Education. Google's announcement follows the demise of inBloom, a private company that acquired student data from school districts across the country. Amid public backlash, inBloom announced it was shutting down. Google and inBloom gained access to student data pursuant to the Education Department's revised regulations that significantly weakened the Family Educational Rights and Privacy Act, a federal student privacy law. EPIC had previously sued the Education Department for weakening the privacy law that protects student data. Earlier this year, EPIC called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework. For more information, see EPIC: Student Privacy.

Amid Privacy Backlash, Student Data Firm Dissolves + (Apr. 21, 2014)

inBloom, a private company that acquired student information from school districts across the country, has shut down. The company said its work "has been stalled because of generalized public concerns about data misuse..." inBloom and other companies, including Google, acquired student data following revisions to the Family Educational Rights and Privacy Act by the Department of Education that significantly weakened the student privacy law. In 2012, EPIC sued the Education Department for removing student privacy protections. Last year, EPIC testified before the Colorado State Board of Education on student privacy issues concerning inBloom. Early this year, EPIC called for a Student Privacy Bill of Rights, an enforceable student privacy and data security framework. For more information, see EPIC: Student Privacy.

Google Admits to Data-Mining Student Emails + (Mar. 19, 2014)

In a sworn statement filed with a federal court, Google has admitted to scanning student emails to serve students targeted advertisements. Although Google does not display ads in Apps for Education, Google "does scan [student] email" to "compile keywords for advertising" on Google sites. Google has gained access to student emails pursuant to the Education Department's recently revised regulations, which significantly weakened the Family Educational Rights and Privacy Act, a federal student privacy law. Still, Google's practices appear to contravene the Education Department's "best practices" for online educational service providers. EPIC had earlier sued the Education Department for weakening the privacy law that protects student data. For more information, see: EPIC Student Privacy and EPIC: EPIC v. Dep't of Education.

After Weakening Privacy Law, Education Department Proposes "Best Practices" for Student Data + (Mar. 7, 2014)

The Education Department has issued recommendations for schools that transfer student records to online educational service providers. Following the Department's changes to a federal student privacy law, private companies and government agencies have access to student records without obtaining student consent. In the recommendations, the agency explained that the current regulations do not require written agreements for schools to disclose student information to private companies. The Education Department recommended that schools establish policies for approving online educational services, create written contracts with private companies for the use of student data, and explain to parents and students how schools collect, use, and disclose student information. The agency warned that student data held by private companies may not be protected under federal privacy laws. EPIC had earlier sued the Education Department for weakening the privacy rule that prevented companies from getting access to student data. On March 13, 2014, the Education Department will hold a webinar on its student privacy best practices. For more information, see: EPIC: Student Privacy and EPIC: EPIC v. Dept. of Education.

Senator Markey Outlines New Student Privacy Legislation at EPIC Event + (Jan. 14, 2014)

At a briefing on Capitol Hill hosted by EPIC, Senator Ed Markey announced plans to introduce legislation protecting student data. Senator Markey set out four principles his bill would cover: (1) student information may never be used to market products to children; (2) parents must have the right to access and amend student information held by private companies; (3) schools and private companies must safeguard student information; and (4) companies must delete student information after it is no longer needed for educational purposes. Senator Markey made the remarks at EPIC event "Failing Grade: Education Records and Student Privacy," which included leading experts in technology, student privacy, and the Chief Privacy Officer at the Department of Education. Last year, Senator Markey sent a letter to the Education Department, requesting information on the "impact of increased collection and distribution of student data" on privacy. The Education Department provided a response, suggesting that when schools outsource to private companies, they should ensure that the companies protect student data. For more information, see EPIC: Student Privacy.

Company Adds Encryption to Website After EPIC Files Complaint + (Dec. 19, 2013)

Following EPIC's complaint to the Federal Trade Commission about Scholarships.com, the company has improved security on its website. Scholarships.com encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. The company claims that it uses this information to locate scholarships and financial aid. In fact, the company transfers the data to a business affiliate American Student Marketing, which in turn sells the data for general marketing purposes. EPIC's complaint to the FTC alleged that Scholarships.com’s failure to use reasonable security practices is an unfair trade practice. The company has since implemented HTTPS. For more information, see EPIC: Student Privacy.

EPIC Files Privacy Complaint to Protect Student Data + (Dec. 12, 2013)

EPIC has filed an extensive complaint with the Federal Trade Commission concerning the business practices of Scholarships.com. The company encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. The company claims that it uses this information to locate scholarships and financial aid. Scholarships.com, however, transfers the data to a business affiliate American Student Marketing, which in turn sells the data for general marketing purposes. EPIC alleges that this is an unfair and deceptive trade practice. EPIC’s complaint also alleges that Scholarships.com’s failure to use reasonable security practices is an unfair trade practices. EPIC has asked the FTC to require the company to change its business practices. Earlier this year, EPIC urged Congress to restore privacy protections for student data following recent changes to the Family Educational Rights and Privacy Act. For more information, see: EPIC: Student Privacy.

EPIC FOIA - EPIC Uncovers Information About Debt Collector Practices from Education Dept. + (Nov. 1, 2013)

Pursuant to a Freedom of Information Act lawsuit against the Education Department, EPIC has obtained documents which reveal that many private debt collection agencies maintain incomplete and insufficient quality control reports. As government contractors, debt collectors are required to follow the Privacy Act, a federal law that protects personal information. The Education Department also requires student debt collectors to submit quality control reports indicating whether the companies maintain accurate student loan information. The documents obtained by EPIC in this FOIA lawsuit reveal that many companies provide small sample sizes to conceal possible violations of the Act. The documents also show that many companies do not submit required information about Privacy Act compliance to the Education Department. EPIC has recently settled the case and obtained attorneys fees for making this information available to the public. For more information, see EPIC v. Education Department - Private Debt Collector Privacy Act Compliance.

Senator Markey Investigates Student Data Disclosures + (Oct. 24, 2013)

Senator Edward Markey has sent a letter to the Education Department, requesting information on the "impact of increased collection and distribution of student data" on student privacy rights. Among other questions, Senator Markey asks why the Department made changes to the Family Educational Rights and Privacy Act, a federal student privacy law; whether the Department "performed an assessment of the types of information" that schools disclose to third party vendors; and whether students and their families can obtain their information held by private companies. The letter states, "By collecting detailed personal information about students' test results and learning abilities, educators may find better ways to educate their students. However, putting the sensitive information of students in private hands raises a number of important questions about the privacy rights of parents and their children." EPIC has sent a letter to the Senate and House Committees on Education, urging Congress to restore privacy protections for student data. For more information, see EPIC: Student Privacy and EPIC: EPIC v. The Deptartment of Education.

EPIC Urges Congress to Protect Student Privacy + (Oct. 10, 2013)

In a letter to the Senate and House Committees on Education, EPIC has asked Congress to restore privacy protections for student data. EPIC's letter follows a court opinion concerning recent changes to the Family Educational Rights and Privacy Act. EPIC has warned that the changes in the student privacy law allow the release of student records for non-academic purposes and undercut parental and student consent provisions. EPIC has urged Congress to investigate the impact of the revised regulations. "Students and families are losing control over sensitive information," EPIC wrote, "and private companies are becoming the repositories of student data and even the data maintained by the schools is far more extensive than ever before." For more information, see EPIC: Student Privacy.

Judge Rules that EPIC Lacks Standing to Challenge Education Department's Unlawful Regulations + (Oct. 1, 2013)

A federal court dismissed EPIC's lawsuit against the Education Department. EPIC has challenged the agency's 2011 changes to the Family Educational Rights and Privacy Act (FERPA) which allow the release of student records for non-academic purposes and undercut parental and student consent provisions. The court held that neither EPIC nor any of its Board of Director co-plaintiffs "have standing to bring the claims asserted in the complaint." The judge did not reach EPIC's substantive claims asserted in the complaint. EPIC argued that the Education Department exceeded its authority with the changes and that the revised regulations violate the federal student privacy law. Before initiating the lawsuit, EPIC submitted extensive comments to the Education Department, opposing the unlawful regulations. EPIC intends to take further steps to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy.

EPIC to Defend Student Privacy Rights in Federal Court + (Jul. 23, 2013)

On July 24, EPIC President Marc Rotenberg and EPIC Administrative Law Counsel Khaliah Barnes will present arguments in federal district court in Washington, DC in support of student privacy. In EPIC v. Dept. of Education, No. 12-327, EPIC is challenging recent changes to the Family Educational Rights and Privacy Act (FERPA) that allow the release of student records for non-academic purposes and undercut parental consent provisions. In 2011, EPIC submitted extensive comments to the agency opposing the changes. After the Education Department failed to modify the proposed regulation, EPIC filed a lawsuit and argued that the agency exceeded its authority with the changes, and also that the revised regulations are not in accordance with the 1974 privacy law. EPIC is joined in the lawsuit by members of the EPIC Board of Directors Grayson Barber, Pablo Garcia Molina, Peter Neumann, and Deborah Peel. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy.

EPIC Testifies Before Colorado Board on Student Privacy + (May. 21, 2013)

EPIC Administrative Law Counsel Khaliah Barnes testified before the Colorado State Board of Education on privacy issues concerning inBloom and other companies that acquire student information. In response to public outcry over a pilot program which grants these companies access to sensitive student data, the Colorado Board of Education hosted a public session. Representatives from inBloom, the Colorado Attorney General's Office, a local school district, and EPIC participated. EPIC recommended that Colorado ensure that students and parents have access to education records maintained by third party providers, and that students and their parents should be able to limit disclosure to third parties. In 2012, EPIC sued the Education Department for issuing regulations that failed to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy.

EPIC Sues Education Department, Seeks Documents about Debt Collectors and Student Privacy + (Mar. 18, 2013)

EPIC has filed a Freedom of Information Act lawsuit against the Education Department, following the agency's failure to release documents about private debt collection and compliance with federal privacy law. The Department has contracts with at least twenty-three private debt collectors who obtain sensitive personal information, including contact information, loan status, income, Social Security number, and credit history. The Department is expected to publish a procedures manual that instructs debt collectors on privacy safeguards. The Department is also supposed to require debt collectors to submit compliance reports to the agency. EPIC's sought release of the procedures manual and compliance reports for the last three years. After the Department failed to disclose any records in response to the FOIA request, EPIC sued. For more information, see EPIC: Open Government and EPIC: Student Privacy.

In Federal Court EPIC Defends Student Privacy + (Jan. 22, 2013)

In documents filed with a federal court in Washington, DC, EPIC is challenging changes to the Family Educational Rights and Privacy Act (FERPA). The revised regulations, issued by the Education Department, allow the release of student records for non-academic purposes and undercut parental consent provisions. The rule change also promotes the public use of student IDs that enable access to private educational records. In 2011, EPIC submitted extensive comments to the agency, opposing the changes and arguing for the need to safeguard privacy. After the Education Department failed to make necessary changes, EPIC filed a lawsuit and argued that the agency exceeded its authority with the changes, and also that the revised regulations are not in accordance with the 1974 privacy law. EPIC is joined in the lawsuit by members of the EPIC Board of Directors and Advisory Board Grayson Barber, Pablo Garcia Molina, Peter Neumann, and Deborah Peel. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy.

EPIC Supports Moratorium on RFID Student Tracking + (Aug. 21, 2012)

EPIC, along with Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) and other leading privacy and civil liberties organizations, issued a Position Paper on the Use of RFID in Schools. Radio Frequency Identification is an identification tracking technology "designed to monitor physical objects," such as commercial products, vehicles, and animals. Some school districts are proposing to use RFID ID tags to monitor students, teachers, and staff. The report warns of significant privacy and security risks. If RFID techniques are adopted, the groups urge that schools adopt robust privacy safeguards. In 2006 and 2007, EPIC submitted comments to federal agencies recommending against the use of RFID technology to track air travelers. The State Department subsequently made changes to the "e-Passport," to address privacy and security concerns. For more information, see EPIC: Radio Frequency Identification (RFID) Systems and EPIC: Student Privacy.

EPIC Urges Education Department to Protect Student Privacy + (Jul. 31, 2012)

EPIC has submitted comments to the Education Department, recommending the agency collect only "relevant and necessary" student information when it undertakes educational studies. The agency's Institute of Education Sciences has proposed a "Study of Promising Features of Teacher Preparation Programs" to help assess teacher effectiveness. The new database will contain records on "approximately 5,000 students and 360 teachers." EPIC urged the agency to only collect student data germane to teacher effectiveness, such as test scores, and opposed the agency's collection of detailed student information such as actual name and "disciplinary incidences." Earlier this year, EPIC sued the Education Department for issuing regulations that failed to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy.

EPIC Sues to Block Changes to Education Privacy Rules + (Feb. 29, 2012)

EPIC has filed a lawsuit under the Administrative Procedure Act against the Department of Education. EPIC's lawsuit argues that the agency's December 2011 regulations amending the Family Educational Rights and Privacy Act exceed the agency's statutory authority, and are contrary to law. In 2011, the Education Department requested public comments regarding the proposed changes. In response, EPIC submitted extensive comments, addressing the student privacy risks and the agency's lack of legal authority to make changes to the privacy law without explicit Congressional intent. The agency issued the revised regulations despite the fact that "numerous commenters . . . believe the Department lacks the statutory authority to promulgate the proposed regulations." EPIC is joined in the lawsuit by co-plaintiffs Grayson Barber, Pablo Molina, Peter G. Neumman, and Dr. Deborah Peel. The case is EPIC v. US Department of Education, No. 12-00327. For more information, see EPIC: Student Privacy.

Department of Education Issues Unlawful Regulations that Harm Student Privacy + (Dec. 5, 2011)

The Department of Education has released final regulations concerning the Family Educational Rights and Privacy Act (FERPA). These regulations exceed the agency's legal authority and expose students to new privacy risks. The new rules permit educational institutions to release student records to non-governmental agencies without first obtaining parents' written consent. The new rules also broaden the permissible purposes for which third parties can access students records without first notifying parents. The agency rules also fail to appropriately safeguard students from the risk of re-identification. In response to the Department of Education's request for public comments, EPIC submitted extensive comments to the agency in May 2011, addressing the student privacy risks and the agency's lack of legal authority to make changes to FERPA without explicit Congressional intent. For more information, see EPIC: Student Privacy.

Seventh Circuit Court Hears Oral Argument in Students' Privacy Case + (Sep. 30, 2011)

The US Court of Appeals for the Seventh Circuit heard oral arguments today in Chicago Tribune v. University of Illinois. EPIC filed a "friend of the court" brief in the case, which concerns student privacy rights protected by the Family Educational Rights and Privacy Act ("FERPA"). EPIC's brief argued that Congress intended to protect student records, including admissions files, from unauthorized release and that Illinois' open government law must yield to the federal privacy law. In this case, the Tribune requested documents from the University of Illinois, under Illinois' open government law, while investigating alleged corruption in the admissions practices of the University. The University denied the Tribune's request, stating that the requested documents contained the personally identifiable information of students and were thereby protected by federal law. A lower federal court found that Illinois law required the documents to be released. The Depart of Justice also filed a brief in support of student privacy in the case. For more information, see EPIC: Chicago Tribune v. University of Illinois and EPIC: Student Privacy.

EPIC Urges Seventh Circuit to Protect Students' Privacy Rights + (Jul. 21, 2011)

EPIC filed a "friend of the court" brief in Chicago Tribune v. University of Illinois, a case involving student privacy rights protected by the Family Educational Rights and Privacy Act ("FERPA"). EPIC's brief argues that Congress intended to protect student records, including admissions files, from unauthorized release and that Illinois' open government law must yield to the federal privacy law. While investigating alleged corruption in the admissions practices of the University of Illinois, the Tribune sought documents from the University under Illinois' open government law. The University denied the Tribune's request, stating that the requested documents contain the personally identifiable information of students and are thereby protected by federal law. A lower federal court found that Illinois law required the documents to be released.The Depart of Justice has also filed a brief in support of student privacy in the case. For more information, see EPIC: Chicago Tribune v. University of Illinois and EPIC: Student Privacy.

EPIC Calls Proposed Student Privacy Exemptions "Unlawful" + (May. 23, 2011)

EPIC submitted a detailed statement to the Department of Education in response to a request for public comment on a proposal to expand exemptions in a law that protects the privacy of student information. The Family Educational Rights and Privacy Act limits the release of students' educational records. However, the Department of Education has proposed to relax privacy safeguards to permit widespread disclosure of student data, including unique students identification numbers, across federal and state agencies. EPIC said that the agency lacks the legal authority to establish the exemptions and that proposal would result in an "Unprecedented and Unlawful Release of Confidential Student Information." Individuals can submit their own comments on the Regulations.gov website. For more information, see EPIC: Student Privacy.

Department of Education Plans to Disclose Confidential Student Data + (Apr. 8, 2011)

The Department of Education has proposed new regulations to transfer student data from schools to state agencies. The regulations will revise key provisions of the Federal Educational Rights and Privacy Act, which was enacted to protect privacy, security, and confidentiality of student data. The proposal is part of a new federal program that requires schools to disclose student data, including enrollment information, degree of success transitioning from secondary to post-secondary institutions, and demographic data, to states to receive federal funding. The student information will be compiled into large databases and used to track and analyze student's progress through the education system. The Department is accepting comments on the proposed regulations. Deadline for comment is May 23, 2011. For More Information, see EPIC: Student Privacy.

Report Says School Officials At Fault in High School Spycam Episode + (May. 14, 2010)

An independent report finds the Lower Merion School District at fault for the remote monitoring of laptop computers that the District issued to high school students. The report followed a complaint filed by Blake J. Robbins, a student at Harriton High School, alleging that school officials used the laptops to spy on students. The report concluded that 30,564 webcam photographs and 27,428 screen shot images were captured because of "the District's failure to implement policies, procedures, and record-keeping requirements and the overzealous and questionable use of technology" by personnel "without any apparent regard for privacy considerations or sufficient consultation with administrators." EPIC has extensively documented students' privacy rights, see EPIC: Student Privacy.

Supreme Court: Strip-Search of Teenager Violated Constitutional Rights + (Jun. 25, 2009)

The Supreme Court delivered a 8-1 opinion ruling that a strip-search of a thirteen-year-old girl by school officials looking for an ibuprofen tablet violated the Fourth Amendment. Justice Souter writing for the Court held that the search was unreasonable and that school searches are permissible when they are "not excessively intrusive in light of the age and sex of the student and the nature of the infraction." But a majority of the Justices also said that the school officials were not liable for damages because it had not been "clearly established" that the search was unlawful. Justices Stevens and Ginsburg disagreed and said that a previous Supreme Court case made clear that the search was "excessively intrusive." Justice Thomas wrote in dissent that the search was permissible. See also EPIC's page on Student Privacy.

Supreme Court Hears Case on Strip-Search of Young Student by Schools Officials Looking for Advil + (Apr. 21, 2009)

The Supreme Court heard a case involving a traumatic strip-search of a thirteen-year-old girl by school officials looking for an ibuprofen tablet. The search was conducted based on allegation by another student, who had been caught with drugs. A federal appelate court held that the search of the student was unreasonable and that a school official could be liable for violating the girl's Fourth Amendment rights. The school appealed to the Supreme Court and argued that the search was reasonable and the school official had qualified immunity. The respondent student replied that the search was highly invasive and the official should be held responsible. See also EPIC's page on Student Privacy.

EPIC and Over 100 Groups Seek End to DOD Recruiting Database + (Oct. 18, 2005)

The Electronic Privacy Information Center (EPIC) and more than 100 local, state, and national organizations today urged Secretary of Defense Donald Rumsfeld to end the "Joint Advertising and Market Research Studies" Recruiting Database. The groups cited the broad exemptions to federal privacy laws that would allow the Defense Department to disclose personal information to others without an individual's consent or knowledge. The database would include name, date of birth, gender, address, telephone, e-mail address, Social Security Number, ethnicity, high school, education level, college, and intended field of study for more than 30 million Americans who are 16-25 years old. For more information, see EPIC's page on the DOD Recruitment Database Page.

Spotlight: Database Tracks Foreign Students, Visitors in United States. + (Sept. 9, 2005)

September's "Spotlight on Surveillance" scrutinizes the Student and Exchange Visitor Information System (SEVIS), a Homeland Security program that monitors and tracks students and exchange visitors at all times. SEVIS is also a part of the controversial US-VISIT program. Through SEVIS, the federal government is accumulating a massive amount of data on foreign students and exchange visitors and their dependents, including biographical, academic, and employment information. The stated goals of SEVIS concern immigration and education, but the database is also available to other federal, local, state, tribal and foreign agencies. For more information, see EPIC's Spotlight on Surveillance and US-VISIT pages.

EPIC Releases Memorandum on DOD Recruiting Database, Privacy Act Violations. + (Jul. 27, 2005)

EPIC has drafted a memorandum (pdf) describing the Department of Defense (DOD) recruiting database. The memorandum discusses the sources of the data and the Privacy Act violations in the creation of the database. Of particular concern is the use of commercial data brokers and Social Security Numbers. EPIC concludes with specific recommendations. Pending resolution of these issues, it is the view of EPIC that the use of the database should be immediately suspended. For more information, see EPIC's page on the DOD Recruiting Database Page.

Recruiting Database Established in Violation of Privacy Act. + (Jun. 27, 2005)

In a media roundtable Department of Defense officials admitted to consolidating a massive database of student information for recruiting in 2003, however the agency did not list this database in the Federal Register until May 2005. The Privacy Act requires that new systems of records be published in the Federal Register before they become operational. Last week, EPIC urged the agency to scrap the database, as it collected unnecessary information, offered no opt-out rights, and was to be housed at a private-sector direct marketing company. For more information, see EPIC's DOD Recruiting Database Page.

Groups: DOD Should Scrap Massive Database. + (Jun. 21, 2005)

In comments to the Department of Defense, EPIC and 8 privacy and consumer groups objected to the creation of a massive database for military recruitment purposes. The database would contain the Social Security Numbers, race, and educational information on up to 25 million people as young as 16 years old. The database would be operated by a commercial data marketing company, and individuals would not be able to opt-out. The groups called upon the Department of Defense to terminate the database program, as the database is fundamentally incompatible with the government's responsibilities under the Privacy Act. For more information, see EPIC's DOD Recruiting Database Page.

EPIC Objects to Student Data Matching. + (Dec. 21, 2004)

A coalition of groups has objected to data sharing between the Selective Service System (SSS) and the Department of Education to determine whether students have registered for the draft. In a letter to the SSS, EPIC argued that a data matching arrangement does not comply with the Privacy Act, and that it should be suspended immediately.

EPIC Student Privacy Project

Currently Featured Topics

• In re Online Test Proctoring Companies
• Student Privacy Bill of Rights
• Family Education Right to Privacy Act (FERPA)
• State Student Privacy Policy

Consumer Protection Complaints

• In re Online Test Proctoring Companies (Dec. 2020)
• Complaint re: Maricopa County data breach (Sept. 2014)
• Complaint re: Scholarships.com (Dec. 2013)

Amicus

• Commonwealth v. Zachery (Massachusetts Supreme Judicial Court, 2020)
• Jackson, et al v. McCurry, et al (U.S. Court of Appeals for the Eleventh Circuit, 2018)
• Commonwealth v. White (Massachusetts Supreme Judicial Court, 2015)
• Chicago Tribune v. Univ. of Illinois (U.S. Court of Appeals for the Seventh Circuit, 2011)

Litigation

• EPIC v. U.S. Department of Education

FOIA

• EPIC v. Education Department - Private Debt Collector Privacy Act Compliance
• Department of Education FERPA Enforcement FOIA Request

Agency Comments

• "In the Matter of Zoom Video Communications, Inc." (Dec. 14, 2020)
• "COPPA Rule Review" (Dec. 11, 2019)
• "Privacy Act of 1974; System of Records—"Impact Evaluation of Data-Driven Instruction Professional Development for Teachers" (January 4, 2016)
• "Study of Promising Features of Teacher Preparation Programs" New System of Records (July 30, 2012)
• Responding to a Notice of Proposed Rulemaking amending the Family Educational Rights and Privacy Act of 1974 ("FERPA") (RIN 1880-AA86) (May 23, 2011)

Testimony

• Statement on "How Emerging Technology Affects Student Privacy" to House Subcommittee on Early Childhood, Elementary, and Secondary Education (February 11, 2015)
• "Ensuring Student Privacy in the Digital Age," to California State Assembly Education Committee and Select Committee on Privacy (May 14, 2014)
• "Study Session regarding inBloom, Inc.," before Colorado State Board of Education (May 16, 2013).

Additional Topics

• Children's Online Privacy Protection Act (COPPA)
• Children and RFID Systems
• DOD Recruiting Database
• No Child Left Behind
• Student Privacy Case Law

Resources

• Department of Education's FERPA Web site.
• Department of Education's Family Educational Rights and Privacy Act Regulations.
• White House, FACT SHEET: Safeguarding American Consumers & Families (January 2015)
• Khaliah Barnes, Amassing Student Data and Dissipating Privacy Rights, EDUCAUSE (January 2013)
• Joel Reidenberg, et al., Privacy and Cloud Computing in Public Schools, Fordham Center on Law and Information Policy (2013).

More resources

Recent Changes Affecting FERPA and PPRA, Department of Education, October 2002.

Department of Education's Model Notification of Rights for Elementary and Secondary Students.

Department of Education's Model Notification of Rights under FERPA for Post-secondary Institutions.

Department of Education's Model Notification of Rights under FERPA for Directory Information.

Department of Education's Model Notice and Consent/Opt-Out for Specific Activities under PPRA.

Joint letter from Departments of Defense and Education Regarding Military Recruiter Access to Secondary Students, July 2003. (PDF file).

Q&A Policy Guidance on Access to High School Student by Military Recruiters, Departments of Education and Defense.

Report to the Nation: State Implementation of the No Child Left Behind Act, Education Commission of the States.

Guidance for School Districts on Student Education Records, Directory Information, Health Information and Other Privacy Provisions, National School Boards Association.

NYCLU Guidance on the Military Recruiter Provision of No Child Left Behind.

Recent Amendments to Family Educational Rights and Privacy Act Relating to Anti-Terrorism Activities, Department of Education, April 2002.

SEVP Student and Exchange Visitor Program, Immigration and Naturalization Service.

Students, American Civil Liberties Union.

GAO Report on Commercial Activities in Schools, September 2000.

Jennifer C. Wasson, FERPA in the Age of Computer Logging: School Discretion at the Cost of Student Privacy?, 81 N.C.L. Rev. 1348 (March 2003).

Rebecca N. Cordero, Comment: No Expectation of Privacy: Should School Officials Be Able to Search Students' Lockers Without Any Suspicion of Wrongdoing? A Study of In Re Patrick Y. and its Effect on Maryland Public School Students, 31 U. Balt. L. Rev. 305, Spring 2002.

Tamu K. Walton, Protecting Student Privacy: Reporting Campus Crimes as an Alternative to Disclosing Student Disciplinary Records, 77 Ind. L.J. 143, Winter 2002.

Lynn M. Daggett, Bucking Up Buckley I: Making the Federal Student Records Statute Work, 46 Cath. U. L. Rev. 617, Spring 1997.

David A. Banisar, Privacy of Education Records, Electronic Privacy Information Center, January 1994.

Related Student Privacy Issues

News

• PSG votes against virtual exam proctoring, J-term, Purdue Exponent, April 7, 2021
• Rise in student cheating during the Covid-19 pandemic, say universities, The Boar, January 2, 2021
• How teachers are sacrificing student privacy to stop cheating, Vox/Recode, December 18, 2020
• Hillicon Valley: Law Students Have Concerns , The Hill, July 16, 2020
• Law school graduates worried about security, privacy of online bar exam, The Hill, July 14, 2020

More news

Privacy Concerns in the Age of Expanding Online Education, Online Education , May 19, 2020

‘Explosion’ in Distance-Learning Tech Use Sparks Privacy Worries, Bloomberg, April 6, 2020

As schooling rapidly moves online across the country, concerns rise about student data privacy, Washington Post, March 20, 2020

Student privacy laws still apply if coronavirus just closed your school, Ars Technica, March 12, 2020

Advocacy Groups Blast Planned Fla. School Safety Database, Law360, July 11, 2019

Civil rights, disabilities groups urge Florida to stop building student database they call 'massive surveillance effort’, Washington Post, July 10, 2019

The Future of Student Data Privacy, POLITICO Morning Education, October 25, 2018

Districts Tap Digital Monitoring Services to Guard Against School Shootings, eLearning Inside News, August 12, 2018

Consumer groups want FTC probe into Facebook, Google privacy settings, POLITICO Pro, June 28, 2018

How Much Does the Government Really Need to Know About College Students in America?, The Atlantic, October 24, 2017

Are you a student? Your personal data is there for the asking, Naked Security, August 24, 2017

House Oversight Urged to Back Student Privacy Rights as It Hears Breach Incident, Communications Daily, May 3, 2017

School district should offer five years' ID protection, Frederick News-Post, December 28, 2016

Maryland Delegate Promises New Legislation in Wake of Student Data Breach, Government Technology, December 23, 2016

Privacy advocates accuse Obama administration of failing to properly protect student data, Washington Post, June 7, 2016

Google's student privacy policies called into question, Mountain View Voice, February 20, 2016

UC-Berkeley students sue Google, alleging their emails were illegally scanned, The Washington Post, February 1, 2016

Schools Turn to Digital Tools for Personalizing Career Searches, Education Week, January 11, 2016

New student database slammed by EPIC, Washington Post, January 7, 2016

Missourian Editorial: Student privacy protocols need an upgrade, Missourian, January 3, 2016

Google, a ‘school official?’ This regulatory quirk can leave parents in the dark., Washington Post, December 30, 2015

Google is tracking students as it sells more products to schools, privacy advocates warn, The Washington Post, December 29, 2015

How one Austrian student took on American tech companies over privacy — and won, The Washington Post, October 19, 2015

Schools, Government Agencies Move to Share Student Data, Education Week, October 19, 2015

Tools for Tailored Learning May Expose Students’ Personal Details, New York Times, August 31, 2015

Are School Districts Equipped to De-Identify Student Data?, Government Technology, August 28, 2015

'De-Identifying' Student Data Is Key for Protecting Privacy, Education Week, August 26, 2015

Surveillance Society: Review shows few safeguards against student privacy leaks, Pittsburgh Post-Gazette, August 24, 2015

Surveillance Society: Students easy targets for data miners, Pittsburgh Post-Gazette, August 20, 2015

CCSD pushes to release deceased student's farewell notes, Las Vegas Review-Journal, July 31, 2015

Protect Students from Corporate Data-Mining in the Classroom, National Review, June 30, 2015

A bill aims to protect students’ digital information, Standard Examiner, June 19, 2015

N.H. Student Data Privacy Law "One Of Most Comprehensive" In Nation, NHPR, June 5, 2015

Student Data Privacy Legislation: What You Need to Know, Education World, June 3, 2015

Their View: Hacking threat to PSU students is real, The Centre Daily, May 21, 2015

The bipartisan bill that puts students back in control of their privacy, Deseret News, May 11, 2015

Congress Schools Education Apps On Student Privacy, Buzzfeed News, May 1, 2015

Activists, Companies Have Mixed Reaction to Proposed Student Privacy Law, Heartland Magazine, April 30, 2015

Congress receives bill to protect student privacy, Pittsburgh Post-Gazette, April 30, 2015

Major FERPA Overhaul Under Consideration in U.S. House, Education Week, April 7, 2015

"Privacy Bill May Fail Student Data Protection", U.S. News & World Report, March 24, 2015

Bipartisan student data privacy bill hits House, The Hill, March 23, 2015

Bill Would Limit Use of Student Data, New York Times, March 23, 2015

"Optimism Returns to Student Data Privacy Debate", EdSurge, March 10, 2015

Educators Welcome Proposal to Protect Students' Digital Privacy, The Chicago Tribune, January 19, 2015

Obama Proposes New Protections for Student Data, Slate, January 12, 2015

Privacy Experts Laud Obama's Bid to Safeguard Student Data, FedScoop, January 12, 2015

Obama Proposes Legislation on Data Breaches, Student Privacy, Washington Post, January 12, 2015

ClassDojo Adopts Deletion Policy for Student Data, New York Times, November 18, 2014

Benjamin Herold, Google Under Fire for Data-Mining Student Email Messages, Education Week, Mar. 13, 2014

Khaliah Barnes, Why a 'Student Privacy Bill of Rights' is Desperately Needed, Washington Post, Mar. 6, 2014

Stacy Khadaroo, Data Breach at Indiana University: Are Colleges Being Targeted, Christian Science Monitor, Feb. 26, 2014

Benjamin Herold, Education Leaders Tackle Student Data Privacy Issues at Summit, Education Week, Feb. 24, 2014

Barbara Liston, Florida Lawmakers Push Bills Banning Biometric Scans of School Children, Chicago Tribune, Feb. 4, 2014

David Nagel, Student Data Not a ‘Product’ To Be ‘Sold to the Highest Bidder’, The Journal, Jan. 14, 2014

Ann Dornfeld, State Deal to Give Media Organizations Student Data Alarms Privacy Experts, KUOW.ORG, Dec. 19, 2013

Ariel Bogle, Study: Student Data Not Safe in the Cloud, Slate, Dec. 16, 2013

Molly Hensley-Clancy, U.S. Schools'; Approach to Student Data Threatens Privacy: Study, Reuters, Dec. 13, 2013

Natasha Singer, Senator Raises Questions About Protecting Student Data, New York Times, Oct. 22, 2013

Natasha Singer, Group Presses for Safeguards on the Personal Data of Schoolchildren, New York Times, Oct. 13, 2013

Natasha Singer, Deciding Who Sees Students'; Data, New York Times, Oct. 5, 2013

Sam Sanders, Students Find Ways to Hack School-Issued iPads Within a Week, Northwest Public Radio, Sept. 27, 2013

Diane Ravitch, 3 Dubious Uses of Tech in Schools, Salon, Sept. 25, 2013

David Kravets, Student Suspended for Refusing to Wear RFID Chip Returns to School, Wired, Aug. 22, 2013

Todd Engdahl, Data Fears Aired Before State Board, ChalkBeat Colorado, May 16, 2013

Valerie Strauss, Lawsuit Charges Ed Department with Violating Student Privacy Rights, The Washington Post, Mar. 13, 2013

Chacour Koop, E-number Spreadsheet Leaked, Daily Eastern News, Jan. 23, 2013

Margo Pierce, The Price of Free Cloud Resources, The Journal, Dec. 4, 2012

Heather Sells, Big Brother? School District Tracks Kids with RFID, CBN News, October 9, 2012.

Gazzang, Gazzang Recommends Five Tips to Protect Student Data in the Cloud, September 25, 2012.

Bailey McGowan, Florida Colleges Ask Court to Revisit FERPA Case Involving Student Who Complained About Professor, Student Press Law Center, September 11, 2012.

Student Data Will be Given to Military Recruiters, Morning Sentinel, August 22, 2012.

Mark Boxley, University of Kentucky, Louisville Monitor Athletes' Tweets, USA Today, August 20, 2012.

Francisco Vara-Orta, Students Will be Tracked via Chips in IDs, San Antonio Express-News, May 26, 2012.

Lynn Stratton, Erosion of Privacy Reaches Schoolhouse St. Petersburg Times, July 25, 2004, at 7P.

Recruiting Student Privacy, Los Angeles Times, April 18, 2004, at Part B, 1.

Privacy Worries Dog Bill Designed to Track Students, The Union Leader (NH), March 24, 2004, at C10.

Student IDs to Ease Transfers, But Privacy Fears Raised, Milwaukee Journal Sentinel, January 24, 2004, at 1A.

Union Likely to Test Student ID Program, Tulsa World, December 14, 2003, at A30.

Erica Hill, Cyber rights... and wrongs, CNN, May 7, 2003.

Fred Lohmann, New music rules are needed, Daily Princetonian, April 14, 2003.

Julie Hilden, Should Universities Crack Down on File Swapping?, Findlaw.com, March 4, 2003.

John Borland, Fingerprinting P2P pirates, CNET, February 20, 2003.

Leonie Lamont, Recording Firms Ask To Scan University Computers, Sydney Morning Herald, February 19, 2003.

Erika Hayasaki, Districts Taking on Recruiters, The Los Angeles Times, February 13, 2003.

Tamar Lewin, Uncle Sam Wants Student Lists, and Schools Fret, The New York Times, January 29, 2003.

Long Island "Educational Survey" Firm Agrees to Halt Deceptive Practices, New York Attorney General, January 29, 2003.

Student Survey Companies Settle FTC Charges, FTC Press Release, January 29, 2003.

Kendra Mayfield, FTC Eyes 'Educational' Marketers, Wired, January 3, 2003.

S. David Brazer, They Have Brad's Name, Class and Phone Number, The Washington Post, December 22, 2002, at B2.

Amy Harmon, Students Learning to Evade Moves to Protect Media Files, New York Times, November 27, 2002.

Mary Shanklin, School Board votes 6-1 to share student names, Orlando Sentinel, October 9, 2002.

High School Student Survey Companies Settle FTC Charges, FTC Press Release, October 2, 2002.

With Court Nod, Parents Debate School Drug Tests, New York Times, September 29, 2002.

Jayson Blair, Students' Privacy Records Found Outside City School, N.Y. Times, June 30, 2002.

Mary Shanklin, District Handed Out Kids' Names, Orlando Sentinel, September 28, 2002, at A1.

Robert Lemos, Secret Service Probes School Hackings, CNET News.com, June 20, 2002.

Tracking Foreign Students, Editorial, N.Y. Times, June 17, 2002.

Taming 'Animal House' students, Philadelphia Inquirer, May 31, 2002.

Ohio Student Database Sparks Privacy Questions, Newsbytes, April 24, 2002.

Taylor Loyal, Don't Leave College Without It Universities are cutting big-dollar deals with credit card companies, and students are paying the price, Mother Jones Magazine, March/April 2002.

Reginald Fields, Students' personal data to go to state, Ohio Beacon Journal, April 19, 2002.

State Supreme Court sides in favor of police roadblocks; it also allows schools to randomly test students for drugs, Indianapolis Star, March 6, 2002.

Robert Gellman, Education statistics agency plays loose with privacy, Government Computer News, March 4, 2002.

Daniel Golden, College-Survey Firm Quietly Peddles Student Information to Big Marketer, Wall Street Journal, December 3, 2001.

Eric Hoover, The Lure of Easy Credit Leaves More Students Struggling With Debt, Chronicle of Higher Education, June 15, 2001.

FERPA Fundamentalism: How a federal law designed to protect student privacy is being misinterpreted to injure press freedom, Student Press L. Center Rep., Vol. 22, No. 2, p. 35, Spring 2001.

Education Department issues guidelines for release of campus court information, Student Press L. Center Rep., Vol. 21, No. 3, p. 4, Fall 2000.

Credit Card Debt Imposes Huge Costs on Many College Students, Consumer Federation of America, June 8, 1999.