The Children's Online Privacy and Protection Act (COPPA) was passed by Congress in 1998 to help protect children's privacy online. Among other things, it requires that websites receive parental consent before collecting personal information (including name, picture, audio recordings) about children younger than 13. School districts are allowed to provide consent for collection of information if it is only being used for educational purposes (e.g. it is not also being sold to other companies). The FTC recommends that schools/school districts, rather than individual teachers, decide whether to allow use of a site and recommends that schools let students know what sites they have consented to on behalf of the parent.

For more information, read the FTC Complying with COPPA: Frequently Asked Questions

Children's Online Privacy and Protection Act (full text)

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of students' educational information. It requires that schools have permission from a parent or eligible students (one who is 18 or attending college) before releasing information from a student's educational record. In 2002, the Supreme Court ruling in Owasso Independent School District v. Falvo clarified that while a teacher's grade book may be considered part of students' educational record and protected by FERPA, an individual assignment or grade before being entered is not covered under the act.

Many websites and apps collect information about users. Metadata a site collects about a student does not violate FERPA as long as it does not include personal information (e.g. using a site that keeps track of how many users click each button on a page does not risk violating FERPA because there is no personally identifiable information collected). Personally identifiable information from student records may be released to online service providers if they meet certain criteria, including that they use the records only for authorized purposes and have a legitimate and educational interest in the records. While schools may share "directory information" about students without written consent from parents, they must respect parent requests to opt out of the sharing of this information.

As opposed to COPPA, which places responsibility for protecting student privacy on tech companies, FERPA requires schools to ensure students' educational record is protected. The US Department of Education recommends that schools and districts evaluate the use of online services on a case-by-case basis to determine if FERPA requirements are met.

For additional guidance on FERPA and online services, check out the US Department of Education's document "Protecting Student Privacy While Using Online Educational Services."

Family Educational Rights And Privacy Act (full text)

State and local laws may have additional requirements for protecting your students' privacy and educational information. Your school may also have its own policies for determining what apps and web services are allowed.

Written agreements and Terms of Service provide important information about how services collect and use student data. It is best practice to read all terms and policies before creating accounts for students or having students create accounts on an app or website.

Remind students to be careful about what personal information they post online. Whenever possible, students should keep their addresses, phone numbers, and full names off the internet.

The US Department of Education also recommends that schools provide transparency about how student data is being used and provide families with the school's educational technology policy. It suggests that schools may consider obtaining parental consent even in cases where it is not required by law.

"Protecting Student Privacy While Using Online Educational Services" video