A 1974 law designed for paper records in filing cabinets does not protect children whose behavioral data is collected in real time by cloud-based analytics platforms. The gap is structural.
The Family Educational Rights and Privacy Act was enacted in 1974, sponsored by Senator James Buckley of New York. The law addressed a specific problem: educational institutions maintained files on students — transcripts, disciplinary records, teacher evaluations, psychological assessments — and parents had no legal right to inspect those files or control who accessed them. Reports of schools sharing student records with law enforcement, military recruiters, and credit agencies without parental knowledge had generated sufficient political pressure to produce a legislative response. FERPA gave parents two rights: the right to inspect their child's educational records and the right to consent before those records were disclosed to third parties.
The law's design reflects the material reality of 1974. Records were physical objects. A transcript was a piece of paper stored in a filing cabinet in a registrar's office. A disciplinary file was a folder in the principal's desk drawer. The act of disclosing a record meant physically copying a document and delivering it to a third party, or allowing the third party to enter the institution and read the file. The consent framework assumed this material infrastructure: a parent signs a form, the institution releases a specific document to a specific recipient for a specific purpose. The universe of "educational records" was defined by what institutions actually maintained in their filing systems — the data that existed was the data that had been deliberately recorded by institutional actors on physical media.
FERPA's definition of "education records" reflects this assumption. The statute covers records that are "directly related to a student" and "maintained by an educational agency or institution or by a party acting for the agency or institution." The definition was adequate for its era. In 1974, the only parties maintaining student records were the educational institutions themselves and, occasionally, state education departments that aggregated institutional data for administrative purposes. The idea that hundreds of commercial vendors would simultaneously maintain continuous behavioral records on millions of students through cloud-based platforms was not contemplated because the technological infrastructure for such collection did not exist. Mass-market personal computers would not appear for another three years. The internet would not become publicly accessible for another two decades. Cloud computing would not emerge as a commercial service model until 2006.
FERPA was a reasonable law for the problem it was designed to solve. The problem it was designed to solve no longer describes the data environment in which American students exist.
FERPA's consent requirement — the core of the statute's protective function — contains exceptions. The most consequential is the "school official" exception. Under FERPA, an educational institution may disclose student records without parental consent to "school officials" who have a "legitimate educational interest" in the records. The exception was designed for obvious operational necessities: a teacher needs access to a student's transcript; a guidance counselor needs to review a student's disciplinary history; a school psychologist needs to read a prior assessment. The exception allowed the routine functioning of educational institutions without requiring a parental consent form for every internal records access.
The school official exception has become the primary mechanism through which EdTech companies access student data without parental consent. The mechanism is contractual. When a school district enters into a contract with an EdTech vendor, the contract typically designates the vendor as a "school official" under FERPA. The Department of Education's regulations permit this (34 CFR 99.31(a)(1)(i)(B), added in 2008): an outside contractor may be treated as a school official if it performs a function the institution would otherwise use its own employees for, is under the institution's "direct control" with respect to the records, and is bound by FERPA's redisclosure limits. No regulator reviews whether any particular vendor meets those conditions. The designation is a contractual provision written by the vendor's lawyers, agreed to by the school district's procurement office, and executed without individual parental knowledge or consent; in practice "direct control" is a clause in the contract rather than anything the district can verify against a vendor's cloud infrastructure. Once the vendor is designated as a school official, FERPA's consent requirement does not apply to the vendor's access to student records. The vendor receives the same exemption from parental consent that was designed for teachers and counselors.
The scale of this contractual bypass is documented. Analysis of EdTech contracts across major school districts reveals that approximately 89 percent of EdTech vendor agreements designate the vendor as a school official under FERPA. The designation has become a standard contractual provision — a boilerplate clause that appears in virtually every EdTech procurement agreement. School districts sign these agreements because the alternative — obtaining individual parental consent for every student whose data the platform will access — would be operationally prohibitive. The school official designation is not a deviation from standard practice. It is standard practice. The exception has consumed the rule.
The structural effect is precise. FERPA was designed to ensure that parents consent before their child's educational records are shared with third parties. The school official exception, as applied to EdTech vendors, ensures that parental consent is not required. The protective mechanism that FERPA was designed to provide — parental control over the disclosure of student records — is systematically eliminated through contractual agreements that parents do not see, do not sign, and in most cases do not know exist. The consent that FERPA requires is the consent that the school official exception removes.
The school official exception addresses the question of who can access student records without consent. A separate and equally consequential gap concerns what qualifies as a student record at all. FERPA protects "education records": records directly related to a student and maintained by an educational institution or a party acting for it. The definition was written for a world in which the data that existed about students was the data that institutional actors had deliberately recorded: grades, test scores, attendance, disciplinary actions, teacher comments. The definition does not clearly encompass the categories of data that EdTech platforms routinely collect.
Consider the data generated by a student using an adaptive learning platform for forty-five minutes. The platform records every click, every pause, every answer and every revision of that answer. It records the time elapsed between question presentation and response, measured to the millisecond. It records the sequence in which the student navigates through content. It records which elements the student dwells on and which elements the student skips. It records mouse movement patterns, scroll behavior, and device interaction data. If the platform runs on a device with a camera — as many do during proctored assessments — it may capture facial expression data, eye tracking data, and ambient environmental data. If the platform runs on a school-issued device, it may access browsing history, application usage data, and device telemetry that extends beyond the platform itself.
Much of this data occupies an uncertain legal position under FERPA. A student's grade on an assignment is clearly an educational record. A student's millisecond-level response latency to individual questions is less clearly so. A student's mouse movement patterns are less clearly so. A student's facial expression data captured during an assessment is less clearly so. The Department of Education has issued guidance suggesting that data collected by EdTech platforms may qualify as educational records, but guidance is not statute, and the boundaries of the definition remain legally untested at scale. Data that falls outside FERPA's definition of educational records receives no FERPA protection at all — no consent requirement, no access rights, no disclosure limitations. It is simply data, subject to whatever the vendor's terms of service and privacy policy permit.
The practical consequence is that the most granular and behaviorally revealing data that EdTech platforms collect — the data that most precisely profiles a student's cognitive patterns, attention characteristics, emotional responses, and behavioral tendencies — is the data least likely to be covered by FERPA's protections. The traditional educational record (the transcript, the report card) is protected. The behavioral analytics record (the click stream, the engagement pattern, the attention map) may not be. The gap between what FERPA covers and what EdTech collects is not an oversight in enforcement. It is a structural feature of a statute whose definition of protected information was written for a fundamentally different data environment.
FERPA's enforcement mechanism compounds the definitional gap with a structural incapacity to act. The statute assigns enforcement authority to the U.S. Department of Education, which has exercised it through the Family Policy Compliance Office (the office was reorganized as the Student Privacy Policy Office in 2018; the enforcement model did not change). The FPCO's enforcement tool is the compliance review: when a complaint is filed or a potential violation is identified, the FPCO investigates and determines whether the institution has complied with FERPA's requirements. If a violation is found, the FPCO works with the institution to achieve compliance. The statute's ultimate sanction is the withdrawal of federal education funding from the noncompliant institution.
This enforcement architecture has three structural defects that render it functionally inoperative for EdTech data violations.
The FPCO cannot impose fines. Unlike the Federal Trade Commission, which can impose civil penalties for privacy violations under COPPA, the FPCO has no authority to levy financial penalties. A finding of noncompliance carries no immediate financial consequence for the violating institution, and almost none for the EdTech vendor, which is not the regulated entity under FERPA. FERPA regulates educational institutions, not the vendors those institutions contract with. An EdTech company that misuses student data is not itself in violation of FERPA. The school district that shared the data with the company might be in violation, but the company is largely beyond FERPA's regulatory reach: the only sanction the regulations direct at a third party is a bar on receiving further student data from the institution for at least five years after an improper redisclosure (34 CFR 99.33(e)), which costs the vendor nothing and does not reach the data it already holds. The entity that commits the harm and the entity that FERPA can reach are different entities.
The ultimate sanction is unusable. The withdrawal of federal education funding from a school district is a sanction so disproportionate to the violation it would address that it has never been applied at all: in the statute's history no institution has lost federal funding for a FERPA violation, in an EdTech data case or any other. Federal education funding supports Title I services for disadvantaged students, special education programs under IDEA, school nutrition programs, and teacher training grants. Withdrawing this funding to punish a data privacy violation would harm the students the law is designed to protect. The sanction is a nuclear option in a context that requires a scalpel. Because the FPCO has no intermediate enforcement tools (no fines, no injunctions, no cease-and-desist authority), it faces a binary choice between doing nothing and doing something catastrophic. It consistently chooses to do nothing.
Individuals have no private right of action. Parents who believe their child's FERPA rights have been violated cannot sue the institution or the EdTech vendor under FERPA. The Supreme Court confirmed this in Gonzaga University v. Doe (2002), holding that FERPA does not create individually enforceable rights under 42 U.S.C. section 1983. A parent whose child's behavioral data has been collected, shared, and monetized by an EdTech vendor through the school official exception has no cause of action under the statute that is supposed to protect that data. The only available enforcement mechanism is a complaint to the FPCO, which cannot fine anyone, cannot sue anyone, and cannot withdraw funding without destroying the institution. The enforcement mechanism is structurally toothless.
The obvious objection is that FERPA has been updated multiple times since 1974 and that the Department of Education has issued guidance on digital education records, so the characterization of FERPA as a paper-era statute is outdated.
FERPA has been amended, the Department has revised its implementing regulations (most substantially in 2008 and 2011), and it has issued guidance. None of these changes has created a private right of action. None has expanded the definition of education records to encompass the full scope of behavioral data that EdTech platforms collect. Guidance is not statute, and compliance reviews with no sanction authority are not enforcement. The one change that did address the school official exception moved in the wrong direction: the 2008 regulations expressly extended the exception to outside contractors, consultants, and volunteers, codifying the very mechanism EdTech companies use to bypass consent, subject to "direct control" and redisclosure conditions that no regulator checks. The 2011 regulations broadened the definition of "authorized representatives" who can receive student data under the audit and evaluation exception to include non-governmental entities, another widening rather than a narrowing; they also adjusted the directory information and notification provisions, but created no intermediate sanctions and no private right of action. Each revision has modernized FERPA's procedural language while leaving its structural deficiencies intact.
The Children's Online Privacy Protection Act, enacted in 1998 and enforced by the Federal Trade Commission, provides a separate legal framework for children's data privacy. COPPA requires operators of websites and online services directed at children under 13, or that have actual knowledge that they are collecting data from children under 13, to obtain verifiable parental consent before collecting personal information. COPPA is enforced by the FTC, which can impose civil penalties, a significant structural advantage over FERPA's toothless compliance review. The FTC has brought enforcement actions against companies for COPPA violations and has imposed penalties that have run into the hundreds of millions of dollars, including $170 million against Google and YouTube in 2019 and $275 million against Epic Games in 2022.
COPPA's protective architecture, however, contains a school exception that replicates the structural gap identified in FERPA. The exception appears in neither the statute nor the COPPA Rule; it comes from FTC staff guidance, which states that an operator may rely on a school's authorization in place of parental consent where the data is collected for the use and benefit of the school and for no other commercial purpose. The school acts as the parent's agent for consent purposes. The exception exists because requiring individual parental consent for every EdTech platform a school uses would be operationally unworkable, the same operational argument that sustains FERPA's school official exception.
The school exception creates the same structural bypass documented throughout this series. The institution that selects and deploys the EdTech platform — the school — also provides the consent that would otherwise need to come from parents. The Trust Arbitrage documented in ET-001 operates here with particular force: parents trust schools to act in their children's interest, and that trust is leveraged to bypass the consent mechanism that COPPA was designed to guarantee. The school provides consent for data collection practices that parents have not evaluated, may not understand, and in many cases do not know are occurring. The consent is institutionally legitimate — COPPA permits it — but functionally hollow. The parent's right to evaluate and consent to data collection about their child has been transferred to an institution that lacks the technical capacity to evaluate what it is consenting to and the institutional incentive to withhold consent from products it has already decided to deploy.
The FTC's enforcement capacity does not solve this problem. The FTC can fine companies that collect children's data without consent, but when consent has been provided by the school under the school exception, there is no violation to enforce against. The consent mechanism has been satisfied. The question of whether the consent was meaningfully informed, whether the school understood the scope of data collection it was authorizing, and whether the school's consent accurately represented the preferences of the parents whose authority it exercised — these questions fall outside COPPA's enforcement framework. The law asks whether consent was obtained. It does not ask whether consent was meaningful.
COPPA and FERPA, taken together, constitute the federal legal framework for student data privacy. Both contain structural exceptions that allow EdTech companies to collect student data without individual parental consent. Both delegate the consent function to educational institutions that lack the technical capacity to evaluate the data practices they are authorizing. Both fail to provide parents with individual enforcement mechanisms proportional to the data collection they are supposed to control. The two statutes are complementary failures — different laws, different enforcement mechanisms, the same structural gap.
The structural inadequacy of FERPA and COPPA becomes visible when compared to regulatory frameworks that protect other fiduciary relationships involving vulnerable populations.
HIPAA and healthcare data. The Health Insurance Portability and Accountability Act establishes a regulatory framework for healthcare data that treats the patient-provider relationship as requiring specific data protections proportional to the patient's vulnerability. HIPAA imposes data minimization requirements: without the patient's authorization, covered entities may use and disclose protected health information only for treatment, payment, and healthcare operations and a closed list of other enumerated purposes, and they must apply the "minimum necessary" standard, using only the minimum amount of information needed for the purpose. HIPAA establishes individual rights: patients have the right to access their records, request corrections, and receive an accounting of disclosures. HIPAA provides enforcement with intermediate sanctions: the Office for Civil Rights can impose civil monetary penalties ranging from $100 to $50,000 per violation (before inflation adjustment), with annual caps tiered by the degree of culpability. And HIPAA designates a specific regulatory body, the HHS Office for Civil Rights, with the authority, staffing, and mandate to investigate and enforce. The contrast with FERPA is structural. HIPAA treats healthcare data as requiring protection at a level proportional to the patient's vulnerability. FERPA treats educational data as requiring protection at a level proportional to the filing cabinet.
Financial fiduciary duty under GLBA. The Gramm-Leach-Bliley Act establishes privacy requirements for financial institutions that reflect the fiduciary nature of the financial services relationship. GLBA requires financial institutions to provide clear privacy notices describing their data sharing practices. It gives consumers the right to opt out of certain data sharing with nonaffiliated third parties. The Safeguards Rule requires financial institutions to implement comprehensive information security programs. Enforcement is distributed across multiple federal agencies — the FTC, the SEC, the banking regulators — each with the authority to impose penalties and require remediation. The framework is imperfect, but it treats the financial services relationship as requiring specific data protections because of the asymmetry between the institution and the consumer. The school-student relationship involves a comparable asymmetry — and a more vulnerable population — but receives structurally weaker protection.
Attorney-client privilege. The legal system treats the attorney-client relationship as requiring the strongest possible data protection because the relationship depends on the client's willingness to disclose sensitive information, and that willingness depends on the assurance that the information will be protected. Breach of attorney-client privilege can result in professional sanctions, malpractice liability, and criminal prosecution. The protection is enforced through multiple mechanisms simultaneously: professional ethics rules, civil liability, and criminal law. The school-student relationship involves a comparable dynamic — students are compelled by law to attend school, compelled to use the technologies the school deploys, and unable to withhold their data from those technologies — but the data generated in that relationship receives protection that is structurally inferior to the protection afforded to a corporate client's communications with outside counsel.
Student data protection at the level that the developmental obligation requires would need four elements that neither FERPA nor COPPA provides. First, data minimization standards that limit collection to what is required for the educational purpose, with an affirmative obligation on the vendor to demonstrate that each category of collected data serves a specific educational function. Second, purpose limitation that prohibits the use of student data for any purpose other than the educational purpose for which it was collected — no secondary monetization, no data brokerage, no behavioral advertising, no AI training on student behavioral data. Third, individual enforcement rights that allow parents to bring private actions against institutions and vendors that violate the data protection framework, with statutory damages sufficient to incentivize compliance. Fourth, a regulatory body with meaningful sanction authority — the power to impose fines, issue injunctions, and require remediation, exercised by an agency with the staffing, expertise, and mandate to investigate and enforce at the scale of the EdTech industry's data practices.
These are not aspirational requirements. They are the requirements that existing law already imposes on healthcare data, financial data, and attorney-client communications. They are the minimum conditions for a data protection framework proportional to the vulnerability of the population it is supposed to protect. The question is not whether such a framework is possible. It is why the population least capable of protecting itself — children, compelled by law to attend the institutions that deploy these technologies — receives the weakest protection that the American legal system provides for any fiduciary relationship.
Internal: This paper is part of The EdTech Capture (ET series), Saga IX. It draws on and contributes to the argument documented across 22 papers in 5 series.