In the 2015 State of the Union Address, President Barack Obama pledged to better protect student privacy.¹ There is widespread consensus that the primary federal statute addressing student privacy, the Family Educational Rights and Privacy Act (FERPA), is insufficient in light of new technological capabilities. In response, industry representatives, privacy advocates, and policymakers scrambled to put appropriate measures in place.² State legislators proposed over 180 state laws about student information in 2015.³ On the national level, reforms include three proposed FERPA amendments, two bills directly regulating service providers receiving student information, and a voluntary Student Privacy Pledge for industry promulgated by the Future of Privacy Forum and Software & Information Industry Association (SIIA).⁴ FERPA sets the terms around which student privacy issues have been debated for decades. Accordingly, many of the proposed reforms work within the statute’s existing regulatory framework. This Article takes a broader perspective and contributes to the debate by demonstrating how FERPA and Fair Information Practice Principle (FIPPs)-based standards cannot provide the control, meaningful oversight, or sufficiently concrete standards sought by stakeholders.

Despite having default provisions based on FIPPs and the primary purpose of providing individuals with individual control over their own data, FERPA actually delegates most decision-making regarding student privacy to educational institutions due to broad exceptions, unspecific requirements, and the U.S. Department of Education’s deference to schools’ contextualized decision-making. It provides minimal transparency, oversight, or direct accountability, which creates a regulatory regime based primarily on institutional, not individual, privacy management. This deference is particularly evident in the school official exception that governs the bulk of information flow from schools to outside service providers.

Stakeholders tolerated FERPA’s regime for almost forty years based on the security, confidentiality, and the limited commercial utility of paper records. Their trust in FERPA’s regulatory mechanisms depended on assumptions that no longer hold true in an era of ubiquitous data collection, permeable networks, frictionless transfer, and big data analytics. In theory, schools must approve disclosure to outside parties and, in doing so, ensure information is only shared with outside parties to serve legitimate educational interests. In practice, the automatic collection of information by digital platforms means that student data disclosures routinely occur without thoughtful oversight.

Currently-proposed FERPA amendments may improve the statute’s efficacy by providing more transparency, data governance, and security requirements, but they do not fully address critical student privacy issues. Without taking FERPA’s delegation-based model and contextual considerations into account, these reforms will not adequately address stakeholders’ concerns or achieve policymakers’ aims. In addition, laws based on FIPPs are particularly problematic in education, where compulsory attendance and institutional decision-making makes reliance upon notice and consent neither meaningful nor effective. Even in a world with perfectly-informed voluntary consent, privacy self-management models may be impractical and undermine the pedagogical goals, decentralized political authority, and broader philosophical goals of the education context. Attempting to regulate third parties through FERPA’s disclosure requirements is an exercise in futility that will impose untenable burdens on schools. Policymakers should stop trying to use a spending clause statute designed to govern educational actors as a means to regulate outside data recipients indirectly.

FERPA responded to fears that ad hoc and thoughtless disclosure of education records would unfairly foreclose future opportunities. The same concerns are at the core of today’s public debate, but we must move beyond privacy self-management and theoretical institutional oversight to adequately protect student information in an age of big data.

1. See President Barack Obama, Address Before a Joint Session of Congress on the State of the Union (Jan. 20, 2015) (transcript available at http://www.nytimes.com/2015/01/21/us/politics/​obamas-state-of-the-union-2015-address.html?_r=0) (“I urge this Congress to finally pass the legislation we need to . . . protect our children’s information.”); see also President Barack Obama, Address at the Federal Trade Commission (Jan. 12, 2015) (transcript available at http://www.whitehouse.gov/the-press-office/2015/01/12/remarks-president-federal-trade-commission); Alyson Klein, White House: Student Privacy Laws Need an Update, Educ. Week (May 1, 2014, 5:57 PM), http://blogs.edweek.org/edweek/campaign-k-12/2014/05/white_house.html?cmp=SOC-SHR-FB.

2. See Press Release, Sen. Ed Markey, Markey, Hatch Release Discussion Draft of Legislation Addressing Student Privacy (May 14, 2014), available at http://www.markey.senate.gov/news​/press-releases/markey-hatch-release-discussion-draft-of-legislation-addressing-student-privacy; Michele Molnar, Student-Data Privacy Guidelines: An Overview, Educ. Week (Apr. 14, 2014), http://www.edweek.org/ew/articles/2014/04/14/28privacypractices-side.​h33.html (collecting student privacy guidelines from the Department of Education (DOE), National School Boards Association (NSBA), and Consortium for School Networking); Student Privacy & Data Security Toolkit for School Service Providers, Software & Information Industry Association (SIIA), http://www.siia.net/Divisions/ETIN-Education-Technology-Industry-Network/Resources/Student-Privacy-Data-Security-Toolkit-for-School-Service-Providers (last visited Apr. 19, 2016); Internet Keep Safe Coal. (iKeepSafe), Digital Compliance and Student Privacy: A Roadmap for Schools 1 (2014), available at http://storage.googleapis.com/digital_compliance/DigitalCompliance​StudentPrivacy.pdf (“To protect privacy adequately, all schools should develop a comprehensive privacy program.”); see also Khaliah Barnes & Valerie Strauss, Why a “Student Privacy Bill of Rights” is Desperately Needed, Wash. Post (Mar. 6, 2014), http://www.washingtonpost.com/blogs/answer-sheet/wp/2014/03/06/why-a-student-privacy-bill-of-rights-is-desperately-needed.

3. See Data Quality Campaign, State Student Data Privacy Legislation: What Happened in 2014, and What Is Next? 1 (2014) [hereinafter State Student Data Privacy Legislation], available at http://dataqualitycampaign.org/wp-content/uploads/files/State%20Student%20Data%20Privacy%20Legislation%20Resource.pdf; see also Barnes & Strauss, supra note 2.

4. Molnar, supra note 2. Issues involving the appropriate regulatory body to impose constraints on student information flow must be addressed, but are beyond the scope of this Article.