Student Information Exposed by Legal Loophole, Study Says
The World Privacy Forum explains how photos, birth dates, and other sensitive data becomes public
A loophole in a federal student privacy law gives outsiders access to the personal information of K-12 students that is listed in school directories, yearbooks, and other publications, according to a new report.
The information—available to data brokers and other private companies—can include student names, birthdates, photos, and home addresses.
The Family Educational Rights and Privacy Act (FERPA)—designed to give parents and students the right to access and amend educational records—allows schools to designate certain student data as “directory information,” according to the 181-page report compiled by the World Privacy Forum.
The provision permits the creation of publications such as PTA directories, yearbooks, and programs for graduations, theater productions, and sporting events. But it also allows the information to be provided to outsiders, who can use it in ways few parents would anticipate.
Data brokers can simply request the information from schools, which are required to provide it, according to WPF executive director Pam Dixon. That allows these companies to build profiles of children that could end up informing marketing campaigns or being used for other purposes.
The Backpack Opt-Out
Parents can opt out of the collection and distribution of directory data, but that’s not always easy, the report says.
Most K-12 schools send home a paper form in a student’s backpack at the beginning of the school year, along with emergency contact forms and other paperwork. The average deadline to sign and return the opt-out form is 45 days, but in some districts the window is as short as 10 days. And many parents may be reluctant to opt out if it means their children won’t be included in classroom directories or yearbooks.
According to the report, only 39 percent of K-12 schools allow parents to opt out online. And in rural school districts, that figure dips to 13 percent. (By comparison, 60 percent of colleges and universities let people go online to opt out of data sharing.)
That’s a particular problem with so many schools closed during the coronavirus pandemic, Dixon says. “As COVID-19 is exacerbating existing school privacy problems, students and parents need to be able to exercise their rights to place a restriction on disclosure of student information,” she adds. “But schools that don’t have their privacy opt-out systems online are making it nearly impossible.”
The organization is calling for a variety of corrective steps, beginning with a requirement for schools to post FERPA notices and opt-outs online.
“We’re asking the U.S. Department of Education to update their FERPA guidance, to bring it into the modern era,” Dixon says.
