FERPA, COPPA and the myths we tell each other

This Sunday is Data Privacy Day., so I thought I would list some of the more “interesting” interpretations I have heard (and read) about COPPA, FERPA and how schools approve educational services.

I eventually plan to write up an annotated version of this list, so if you have additions, please tweet them to me @jsiegl

Laws and Consent: COPPA, FERPA et al.

  1. If a vendor says they are “FERPA compliant”, that means something,
  2. A vendor can designate themselves as a “school official” by saying so in their terms.
  3. If an online services requests “only” directory information to sign up, it is OK for schools to sign students up, or have them sign up.
  4. If it involves student health information, you have to comply with HIPAA,
  5. COPPA covers information collected about children under 13,
  6. If the student is 13 or over, as a teacher, I don’t need to get parental consent,
  7. “COPPA compliant” means the information is kept private,
  8. As a vendor of a mixed age or child directed site or service, you can comply with COPPA if you just say “this site is not for children, if you are under 13 you may not access this site” , regardless of anything else,
  9. It is a valid COPPA workaround for a vendor, in their terms, to tell a teacher that to comply with COPPA, for them to sign up the student, or create an account using their email address,
  10. It is a valid COPPA workaround for a vendor to say in their Terms of Service that schools are responsible for complying with COPPA. This includes shifting the responsibility of collecting, storing and producing signed parental consent on demand from the vendor,
  11. “In Loco Parentis” means schools/teachers can consent to students use of any online services on parent’s behalf,
  12. I only have to get permission if I am creating student accounts/the student is logging in,
  13. Vendors can delegate collecting and managing parental permission to schools even if the school is not “contracting with the vendor to perform an educational purpose”,
  14. FERPA allows vendors to sell student data,
  15. Research (e.g. Teachers Action Research, or a University or vendor’s study) always falls under the audit/evaluation exception.

Privacy Policies

  1. A privacy policy means the site protects your privacy,
  2. If it is in the vendor’s policy/terms, then it must be true,
  3. Not private by default is fine, because students and teachers can just change it to be private,
  4. A tool that only offers the option of public posting is OK as long as you get permission, (“privacy as a premium”)
  5. Related-A tool that only offers the option of public posting is OK as long as long as students are over 13…., (“privacy as a premium”)

Security and Confidentiality

  1. It does not matter if a password protected site is secure if it does not collect any sensitive data.
  2. If the site uses https, it means the product is secure,
  3. “Security by obscurity” is security,
  4. Student IDs are not confidential, so are a good choice for student usernames/email addresses,
  5. Student IDs are not confidential, and can be used to pay for lunches or to post grades,
  6. Anonymized and Aggregated data are the same thing,
  7. Anonymous and Pseudonymous are the same thing,
  8. Related-Creating Pseudonymous accounts (e.g. usernames that do not have the student’s full name or ID) is a valid “workaround” to avoid the challenges of complying with FERPA or COPPA,

3rd Party Data Collection and Signon

  1. Ad networks and data brokers are same thing,
  2. Related-Ad networks sell or trade user data
  3. Ad networks and analytics are same thing,
  4. Social Login, (that “Login with X” button e.g. twitter, O365, Google Facebook etc.) means you are just logging in and not really creating an account on the site,
  5. Related-“Login with X” means that you are “just” creating an account,

Happy Data Privacy Day