
Student Privacy Bill of Rights

In a March 2014 Washington Post article, EPIC unveiled the Student Privacy Bill of Rights, an enforceable student privacy and data security framework.

In line with the President's Consumer Privacy Bill of Rights, which is based largely on the well-established Fair Information Practices (FIPs), schools, districts, and EdTech and other cloud-based service providers should adhere to the following practices when collecting student data. These rights should transfer from parents or legal guardians to students once the student is eighteen or attending college.

  1. Access and Amendment: Students have the right to access and amend their erroneous, misleading, or otherwise inappropriate records, regardless of who collects or maintains the information.
    • There are gaps in current laws and proposed frameworks concerning students' access and amendment to their data. Schools, companies, government agencies, and other entities that collect any student information should provide student access to this information. This includes access to any automated decision-making rule-based systems (i.e., personalized learning algorithms) and behavioral information.
  2. Focused collection: Students have the right to reasonably limit student data that companies and schools collect and retain.
    • EdTech companies should collect only as much student data as they need to complete specified purposes. "Educational purposes" and "educational quality" are frequent examples of broad and fluid purposes that grant EdTech carte blanche to collect troves of student data. A more focused collection would, for example, specify that the collection is necessary to "improve fifth grade reading skills" or "enhance college-level physics courses." In focusing student data collection for specific purposes, schools and companies should consider the sensitivity of the data and the associated privacy risks.
  3. Respect for Context: Students have the right to expect that companies and schools will collect, use, and disclose student information solely in ways that are compatible with the context in which students provide data.
    • Schools and companies should never repurpose student data without express written student consent. This includes using student data to serve generalized or targeted advertisements. The Education Department's guidance states that federal student privacy laws do not prohibit schools or districts "from allowing a provider acting as a school official from serving ads to all students in email or other online services." This allows service providers to repurpose the information. Schools provide private companies access to student data to help enhance education quality. When companies use this access for general marketing purposes, they have repurposed the student data and turned the classroom into a marketplace.
  4. Security: Students have the right to secure and responsible data practices.
    • Amid recent, large-scale student data breaches, schools and companies must increase their data safeguards to ward against "unauthorized access, use, destruction, or modification; and improper disclosure" as described in the CPBR. Companies should immediately notify schools, students, and appropriate law enforcement of any breach. And schools should immediately notify students when there is a breach. Schools should refrain from collecting information if they cannot adequately protect it. Securing student information also entails deleting and de-identifying information after it has been used for its initial and primary purposes (no secondary uses allowed!).
  5. Transparency: Students have the right to clear and accessible information privacy and security practices.
    • Schools and companies should publish the types of information they collect, the purposes for which the information will be used, and the security practices in place. Schools and companies should also publish algorithms behind their decision-making.
  6. Accountability: Students should have the right to hold schools and private companies handling student data accountable for adhering to the Student Privacy Bill of Rights.
    • Schools and companies should be accountable to enforcement authorities and students for violating these practices.

