FERPA, COPPA, PPRA: The Privacy Laws Stuck in a Pre-Internet World

    In Part 1, we looked at what’s happening on the ground: kids sitting behind school-issued laptops while a quiet army of vendors watches what they click, type, and search. Parents are told not to worry because “we follow all privacy laws” and “we’re fully compliant.”

That line is doing a lot of work.

    This section is about the fine print. Not the marketing copy, not the “we care about student safety” press release—the actual laws that are supposed to protect kids’ data in and around school, and the loopholes big enough to drive a bus through.

   We’ll walk through the three big federal acronyms—FERPA, COPPA, and PPRA—and then look at how states tried to plug the gaps, how vendors adapted, and why “we’re compliant” does not mean what most families think it does. By the end of this part, you should be able to translate that sentence into what it really means:

“We follow the minimum rules we have to, and we’ve

learned how to bend the rest.”

     On paper, American kids are not supposed to be exposed and analyzed in data economy. There are three main federal laws that are supposed to protect children’s information in and around school:

• FERPA (Family Educational Rights and Privacy Act)
• COPPA (Children’s Online Privacy Protection Act)
• PPRA (Protection of Pupil Rights Amendment)

If you only read the statute summaries, you’d think: “Okay, this is fine. We’ve got this covered.”  Once you look at how the laws are interpreted in real classrooms, with real apps and vendors, the story changes fast.

FERPA: The Privacy Law Stuck in 1974.  This is the big one. Passed in 1974, it governs student education records for any school that receives federal funds—which is essentially all public schools and most private K–12 schools.  On its face, FERPA gives parents (and later, students) the right to:

•  See their education records
• Ask to correct inaccurate information
• Block disclosure of personally identifiable information (PII) without consent, with a list of exceptions
   
  So far so good.
   

The problem is a single magic phrase built into the law:
  “School officials with a legitimate educational interest.”

    Schools are allowed to share student information without parental consent with “school officials” who supposedly need it to do their jobs. Fifty years ago, that meant: principals, teachers, counselors, maybe a bus contractor.
 
Today, districts routinely classify private companies as “school officials”:

• The LMS (learning management system) provider
• The “student safety” monitoring platform
• The vendor running behavior dashboards
• Any ed-tech tool that got rubber-stamped onto the district’s “approved apps” list

Once a company is blessed as a “school official,” it can receive:
 

• Student names and internal IDs
• Contact information
• Class schedules and enrollment
• Grades and assignments
• Sometimes disciplinary records or counseling-related note

All under the umbrella of “legitimate educational interest,” with no direct parental consent.
 
FERPA was written for filing cabinets and registrar’s offices. It’s now being stretched over full-blown data pipelines. The law hasn’t changed much; the definition of “school official” quietly has.