I’ve been debating for a few months on how to tackle this topic in a way that is both informative and engaging while providing firmly grounded sources that back up my analysis. I’ve finally decided that might be too ambitious, and certainly a lot to tackle in a single piece. Rather than let any more grass grow underneath my feet on this issue, I decided to jump right in, and I’ll be amending and updating my work on this topic much as Congress and US ED have amended FERPA continuously throughout the years. FERPA laws, interpretations and guidance are dense and jargon-filled. I will refer to some specific passages, but I will leave it to you to delve into those documents directly if you are so inclined. I’ve been asked to synthesize and summarize what I know and have read. If you feel more informed and more concerned after reading this piece I will see my work as successful.

FERPA is old and outdated

FERPA was created in 1974, before much of the current technology we take for granted today was even imagined by most legislators (except maybe the creator of the Internet, Al Gore). As such, the framework is suspect and a patchwork of fixes and amendments that really fails to do what many people think it does. FERPA does not protect student privacy to any real degree, not to the extent we would expect a modern law to do. FERPA was written when many computers were housed in underground facilities on university campuses (to make cooling them easier) and were the size of houses. Here is a state-of-the-art computer from 1973, a GEC 4000.

And a close up of its fanciest part.

You couldn’t exactly hack into one of these, and the data they stored was on tapes that had to be manually mounted. A modern thumb drive probably contains more data than the entire wall of tape cartridges shown in the picture, and most of these machines had no external connections. There was no Internet, and top transmission speeds through dedicated phone lines with connected modems were about 300bps or about 37 characters per second (on a good day). Today’s transmission speeds can top 100Mbps or more, which is the equivalent of 13 million characters per second if my rough estimates are correct. The computers millions of folks carry around in their pockets dwarf the processing speeds of even the fastest computers of 40 years ago, which were usually relegated to musty university and government warehouses and not the least bit portable.

So when FERPA was conceived, computers and computerized records were not prevalent, data was not very portable, and usage and applicability of any data was almost non-existent. Fast forward 40 years and now computers are the size of wallets and watches. Millions of bits of data, or names and SSNs, can be stored on hard drives the size of a thumbnail that cost a few dollars and can be purchased at convenience stores. If you drive down almost any city block you can pick up dozens to hundreds of WiFi connections that access computers or computer networks, and the internet allows access to almost any computer anywhere on the planet. Messages and data can be transmitted virtually instantaneously to anyone anywhere via radio or satellite transmissions for little to no cost. Credit agencies, insurance agencies, employment agencies, advertising agencies, and government agencies use data collected and aggregated on everyone to sell, hire, investigate, issue or deny credit, fire, provide or deny benefits, etc. As parents and consumers we now have cyber bullies, phishers, hackers, identity thieves, and online predators to worry about in addition to all the physical threats of yesteryear. When FERPA was created none of these threats were known, and FERPA does next to nothing to protect against them.

For the dry specifics and dates you can refer to this passage, but I will be going into more detail about specific shortcomings and necessities.

FERPA History

Let’s start at the beginning with a brief history of how FERPA came to be.

The Family Educational Rights and Privacy Act of 1974 (“FERPA”), § 513 of P.L. 93-380 (The Education Amendments of 1974), was signed into law by President Ford on August 21, 1974, with an effective date of November 19, 1974, 90 days after enactment. FERPA was enacted as a new § 438 of the General Education Provisions Act (GEPA) called “Protection of the Rights and Privacy of Parents and Students,” and codified at 20 U.S.C. § 1232g. It was also commonly referred to as the “Buckley Amendment” after its principal sponsor, Senator James Buckley of New York. FERPA was offered as an amendment on the Senate floor and was not the subject of Committee consideration. Accordingly, traditional legislative history for FERPA as first enacted is unavailable.

Senators Buckley and Pell sponsored major FERPA amendments that were enacted on December 31, 1974, just four months later, and made retroactive to its effective date of November 19, 1974. These amendments were intended to address a number of ambiguities and concerns identified by the educational community, including parents, students, and institutions. On December 13, 1974, these sponsors introduced the major source of legislative history for the amendment, which is known as the “Joint Statement in Explanation of Buckley/Pell Amendment” (“Joint Statement”). See Volume 120 of the Congressional Record, pages 39862-39866.

Congress has amended FERPA a total of nine times in the nearly 28 years since its enactment, as follows:

P.L. 93-568, Dec. 31, 1974, effective Nov. 19, 1974 (Buckley/Pell Amendment)
P.L. 96-46, Aug. 6, 1979 (Amendments to Education Amendments of 1978)
P.L. 96-88, Oct. 17, 1979 (Establishment of Department of Education)
P.L. 101-542, Nov. 8, 1990 (Campus Security Act)
P.L. 102-325, July 23, 1992 (Higher Education Amendments of 1992)
P.L. 103-382, Oct. 20, 1994 (Improving America’s Schools Act)
P.L. 105-244, Oct. 7, 1998 (Higher Education Amendments of 1998)
P.L. 106-386, Oct. 28, 2000 (Campus Sex Crime Prevention Act)
P.L. 107-56, Oct. 26, 2001 (USA PATRIOT Act of 2001)

Unapproved Changes to FERPA

What you don’t see in this bit of US ED lore is that the changes enacted by the US Department of Education over the last decade (plus) were not approved by Congress. The most recent and significant one I would like to direct you to occurred in 2011 and can be viewed here along with a discussion of objections raised and DOE’s responses to the objections.


These are very telling indications of how DOE intends to enforce (or not enforce) FERPA, but it is 58 pages, so I will excerpt a few of the more concerning sections to direct your attention to throughout my examination.

Before we go there though, let me summarize by saying FERPA was theoretically enacted in 1974 to protect the rights of parents and students under very specific situations that were known or understood at that time. (I would assert it actually defines the rights and preeminence of Federal agencies to oversee education matters and data with a small set of rights for parents under a few limited circumstances.) FERPA has been amended 9 times by Congress, and the primary enforcement mechanism is reduction or disqualification for funding directed at schools and states that fail to comply with FERPA regulations.

Applicability and Scope

This leads directly to the next point I would like to discuss, something many people may not be fully aware of or understand about FERPA: its scope and applicability, or in other words, what it applies to, how it works, and how it can be enforced.

Scope and Applicability

FERPA is a “Spending Clause” statute enacted under the authority of Congress in Art. I, § 8 of the U.S. Constitution to spend funds to provide for the general welfare. (“No funds shall be made available under any applicable program…” unless statutory requirements are met.)

Let me translate this a bit. FERPA has no defined penalties for folks who willfully and/or negligently and repetitively violate it. I can take your children’s personal data and wallpaper my house with it, use it to wrap all my presents, post it in the newspaper, print it on souvenir toilet paper and make paper airplanes out of it and launch them from atop the State Capitol during Mardi Gras (something I’ve always wanted to do, sans the personal data), and FERPA and the US Department of Ed cannot prosecute me; the only sanction available to them is to withhold federal funding, if they so choose. This means any vendor that obtains personally identifiable data is largely immune to any repercussions or restrictions on its use or misuse. This is a matter of settled law and an opinion issued by US ED in the afore-linked 2011 document.

. . .Thus, if an authorized representative receives funds under a program administered by the Secretary, the Department has the authority to enforce failures to comply with FERPA under any of GEPA’s enforcement methods. If an authorized representative does not receive funds under a program administered by the Secretary and improperly rediscloses PII from education records, then the only remedy available under FERPA against the authorized representative would be for the Department to prohibit the disclosing educational agency or institution from permitting the authorized representative from accessing PII from education records for a period of not less than five years. 20 U.S.C. 1232g(b)(4)(B). These are the only remedies available to the Department to enforce FERPA. Remedies, such as assessing fines against any entity that violates FERPA, are not within the Department’s statutory authority. Under the FERPA regulations, and in accordance with its longstanding practice, the Department only will take an enforcement action if voluntary compliance and corrective actions cannot first be obtained. If the violating entity refuses to come into voluntary compliance, the Department can take the above listed enforcement actions. However, in addition to these statutorily authorized remedies, we encourage FERPA-permitted entities to consider specifying additional remedies or sanctions as part of the written agreements with their authorized representatives under § 99.35 in order to protect PII from education records. Written agreements can be used to permit increased flexibility in sanctions, to the extent that the desired sanction is permitted under law.

All vendors are free to use and misuse as much data however they choose without real restrictions or penalties

This means US ED has no authority over vendors or their use or misuse of data, that it must first try to convince abusers to stop abusing and disclosing the data they have received, and that its only recourse is to forbid school districts from providing data to them directly for 5 years or more. However, if they obtain the data from another source, say another vendor, agencies can bypass even this very minor censure. Additionally, since DOE has no enforcement mechanism provided by FERPA, agencies can ignore this decision with impunity. This is why inBloom is not going out of business with no one officially committing to provide data to them. They intend to get this data secretly other ways and through other avenues. FERPA does allow schools, school districts and states to state their own civil penalties in their contracts, but most, if not all, fail to do so. What this means is any vendor for any data system in any school district that has access to data can currently use that data however they want if the only restriction written into their contract is that they will comply with FERPA. FERPA does not restrict or target vendors, only schools and school districts. State agencies are also largely excluded from many of the provisions of FERPA, although references to them have been sprinkled in throughout the years. Most of the sanctions and wording are directed at local school districts, not state agencies who subsequently acquire the data.

Additionally, parents do not have the right to sue or take actions against vendors, state agencies, local school districts, or individuals who use, misuse or abuse their children’s data, or their own data under FERPA. All enforcement actions are handled through FPCO (the Family Policy Compliance Office), if they so choose. Parents may make a formal complaint, but those complaints can be ignored and parents have no further recourse.

The Kickboard and inBloom connection

A couple of months ago I was contacted by a parent and technology insider about a new company operating in New Orleans in coordination with Leslie Jacobs, a chief reform figure in Louisiana and one of the principal people responsible for creating RSD and creating the deforms striking across Louisiana and particularly New Orleans. This company is called KickBoard, and is run by a former Teach for America alum named Jennifer “Jen” Medbery. Kickboard is an inBloom ally and dashboard provider that goes into schools and school districts to obtain all of their student and teacher data and provide tools and metrics for the teachers. What I have been told is that inBloom is now working with groups like Kickboard to obtain student data indirectly, bypassing contracts and oversight with school districts and state agencies. Please refer to the comment provided below.

I have to commend you and brilliant citizens like yourself for standing up and fighting against the partnership between LDOE and inBloom. As a parent and an EdTech critic, I’m so proud to see that partnership dissolving even if only for now. However, I’ve been alarmed for quite some time at the fact that no one has ever called out or investigated the more direct link between our state’s children’s data and inBloom than through Kickboard for Teachers. A search of your blog and even your readers’ comments pulled up zero hits on Kickboard. Jen Medbery and her self-proclaimed mentor and investor Leslie Jacobs more than likely played huge roles in the backroom deals between White and inBloom. As the poster child for New Orleans Edtech specifically and New Orleans entrepreneurship in general, Kickboard cannot be allowed to falter or worse die. Several prominent groups including Idea Village and the New Orleans Startup Fund have too much riding on Kickboard’s success in spite of the fact that Kickboard remains nearly two years behind on its own growth projections. Why else is there such a huge media blitz for Kickboard originating from Idea Village for each of the past two autumns despite that Idea Village has incubated probably five dozen other start-ups since Kickboard graduated from its program four years ago?

The hidden revenue stream was and probably continues to be to Kickboard from other inBloom members at the expense of our state’s children and their parents. Kickboard is listed alphabetically as the 15th of 21 inBloom partners. Leslie Jacobs took over the New Orleans Startup Fund precisely when the Fund was faltering and had really only one major investment consuming the bulk of its pledges, Kickboard. John White’s severing of his contract with inBloom has only served now to push the Kickboard and inBloom partnership deeper and further underground. And, contracts between Kickboard and the schools and districts it services permit the same data exchange through Kickboard to inBloom that White was permitting from the LDOE directly.

We can only hope that Medbery and Kickboard put our children before profits. Yet, I don’t see them justifying a recent unjustifiable valuation in the millions of dollars which subsequently resulted in them securing a sizable out-of-state venture capital investment without extracurricular income from inBloom partnerships.

I do not have detailed financials disclosing how these partnerships work, but I have been wondering how inBloom could continue to function without student data commitments. To be quite frank, there is no way they could operate as they’ve defined themselves (a centralized student data repository and intermediary) without obtaining data from someone. Initially inBloom was going to provide data to their partners like Kickboard. Now that virtually every state and large school district has pulled out of inBloom, thanks to the efforts of Leonie Haimson, Rachel Strickland, Debbie Sachs and others, the only available path I see to them is obtaining this data through vendors that already have access to it. The most likely place for inBloom to acquire this data will be via and through their existing partners. There are currently no Federal laws to safeguard against or prevent this, which is why State laws must be enacted in every state if you wish to prevent personal, student, teacher and parent data from falling into the hands of anyone and everyone who wants it.

For a current list of partnering companies with inBloom you can go here. If your parish does business with any of these vendors there is a decent chance inBloom and other data aggregators will be able to obtain your children’s data through them.

Please note: I do not have concrete proof Kickboard or any of these partners are actively sharing data with inBloom, although I have had reports from sources that they are and have included one of those reports provided to me in this article. I have shown that FERPA has no teeth to prohibit this, and US ED has no inclination or authority to address this issue. As every state and partner that I am aware of has pulled out of inBloom (or allowed parent opt outs or opt ins) and inBloom has not closed up shop, it stands to reason they have plans to get this data another way. Bill Gates has 150 million reasons to see this venture succeed.

Future posts will include an outline on how to craft State legislation to address these issues but suffice it to say specific monetary and criminal penalties will need to be enacted.

Additional Note: If the only protection your vendor agreement defines is that it complies with FERPA, then essentially you have no real protections to safeguard or define ownership of your data or penalties for its misuse. However, many vendors like JPAMS/EdGear (the largest SIS vendor in Louisiana, whom I contacted as part of my research for this story) have privacy agreements that go far beyond the use, ownership, storage, sharing and destruction restrictions defined by FERPA. As a local superintendent or school board I believe it would be a good idea to review my contracts with my vendors and tighten up those that lack appropriate safeguards. I do not attribute this lack to subterfuge on most of your vendors’ parts. Many vendors may not even be aware of how poorly FERPA defines safeguards for data, as this lack is not something US ED or the Family Compliance Office actively advertises.


35 thoughts on “FERPA does not protect student privacy, and never did”

  1. It’s ironic that the Louisiana Department of Education uses FERPA as an excuse to not release useful data (even anonymous data), but doesn’t seem to care about actually protecting the privacy of educational records.

    1. It’s what FERPA has been redesigned to do. . .protect states and their lies about reforms from the public. The only privacy FERPA now protects is that of states and school districts from proper oversight or review.

  2. Can’t you or someone else FOIL the contracts between Kickboard and the districts to see what data-sharing is allowed, and more specifically, to see if Kickboard is funneling data to inBloom?

    1. Not as easy as you might think. Kickboard is a private company and not FOIA-able. Many of their clients I’m told are charters. I need a confirmed public entity that admits to using them that generally complies with the law or it will require a lawsuit. Even so, without an insider leaking an agreement it would be hard to prove a relationship exists or to convince an entity to comply with the law without a lawsuit. Anyone wanna clue me in???

      1. You cannot FOIA Kickboard, but you can FOIA the written agreement that Kickboard might have with your state DOE or even your local school district. That is how FERPA was changed to allow written agreements with outside contractors. 99.31 of FERPA regs.
        Under FERPA, please note that a “contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions may be considered a school official under this paragraph….”.(99.30 B)

        Any disclosure is allowed to organizations conducting studies for, or on behalf of, educational agencies or institutions to:
        (A) Develop, validate, or administer predictive tests;
        (B) Administer student aid programs; or
        (C) Improve instruction. 91.31 (6)(i)

        1. I cannot FOIA private charters unless they choose to comply. The state does not have a contract I am aware of. I might be able to FOIA the New Orleans public school district, but without a leak I won’t know if they hold back. However they don’t even have to volunteer they are sharing that data with inBloom. That could be just a miscellaneous vendor/relationship they contract with as a matter of course without any formalized sharing agreement, and all would be FERPA-cetic.

          1. I would FOIA the LADOE’s written agreement with Kickboard (or whatever vendor.) Bottom line, in order to release re-disclosed PII, they must have a written agreement according to FERPA. In the state longitudinal data base, all students, including charters, would have to send their data to the state. I believe it is the state that is redisclosing the personal data.

  3. Dear Crazy, a friend sent along your blog post. I would like to add some details. I filed a federal complaint against the Pennsylvania DOE and my local school district for violating the PPRA in the FERPA regs for testing attitudes and values in our state assessment, EQA. It was resolved in 1991. I forced the DOE to remove the test, issued new guidelines across the state that was sent to every 501 school districts, and many people were fired for not cooperating with the federal investigation. Yes, federal funds were not withdrawn, however, the collection of personal data embedded within the EQA test was now forbidden.

    As far as how FERPA has changed in 2012, Obama issued an executive order that “unlocked” the data with the definition of school official being extended to any contractor or vendor through a written agreement. So now, inBloom or Kickboard would have this written agreement with the state DOE to access re-disclosed PII. Here is the EO:

    Click to access ed_data_commitments_1-19-12.pdf

    Here are the directions that the US DOE put out for accessing PII through written agreements:
    FERPA Written Agreements-or How to give your child’s data for free to outside contractors.

    Click to access data-sharing-agreement-checklist.pdf

    Click to access reasonablemtd_agreement.pdf

    Click to access webinar-data-sharing-011112_final.pdf

    Training Videos on FERPA


    Click to access data-sharing-webinar-transcript.pdf

    Data Privacy ToolKit

    We must request a federal investigation into FERPA and why the Hanson Memorandum was changed that now allows PII to be accessed by non-school officials. I’ve been following this agenda for a long time. The agenda has moved toward a standards based system, so, all data on testing, curriculum, software must be created for individuals. Data collection and data re-disclosure for teaching and interventions are the most important aspect of how the data is transferred and what is being developed for each Individual in an individual career plan.

    I have submitted this article and letter across the country. I believe, that if we stop the data collection, we stop Common Core and all the crony dealings with curriculum, testing, and teacher evaluations. If they don’t have the data, they can not make these decisions. Here it is.
    Hope this helps.
    Anita B Hoge

    1. That was a political payoff. FERPA does not allow violated parties to sue or recover. It was a settlement to get out of news. A normal parent would get nothing. Just because they quoted a law does not mean it was enforced or enforceable.

  4. You would think if parents provide something IN WRITING to their schools and district heads stating they do not want any personally identifiable student data shared with any party without prior notification and parental consent, that would be enough to secure the data. After all, we do have a fundamental constitutional right to privacy. We seriously need a constitutional law attorney to consult on this and many other Common Core issues. Great article BTW!!

    1. Thanks! I’m not clear on the constitutional right to privacy though? (but I’m not a constitutional lawyer either. )

      FERPA provides no real protections or recourse for parents (parents can only beg US DOE to halfheartedly admonish state and local school boards to be more careful, if they wouldn’t mind. . .) Privacy needs to be thoughtfully addressed for this new technological age we live in, not just for students but all Americans as the NSA scandals clearly illuminate. Students are a good start though.

    2. Fyi, I thought so too until I did substantial research. The protections are all imaginary, part of a veil of confusion US DOE cultivated to pretend it had more power than it did. Vendors and their lawyers pierced that veil and so the curtain must now be lifted and real protections put in their place.

      1. One good thing (and bad at the same time) is that it all depends on what judge you get and how he/she perceives the law. I wish parents would band together and sue anyway. One thing that gives me hope is that the Judge who dismissed the ERIC lawsuit against the US Department of Ed for gutting FERPA stated that ERIC ‘does not have standing to bring the claim against the US Dept of Ed’…. meaning parents do have standing and should be the ones suing. If for no other reason than to draw attention to the need for change (maybe prompting congress to do something about it).

        1. I think the group you are referring to is EPIC. (P is for privacy). I think part of the issue is in order for parents to sue, quantifiable damage has to be done, i.e. not just the sharing but misuse which has a calculable impact. Problem is, once that occurs, once that bell is rung, data is stolen (probably for millions of kids) you can’t fix it. That data will be out in thieves and vendor files forever.

          1. Yes, slip of the keys – I meant EPIC. The threat of/inevitability of damage is enough to BRING any lawsuit (not always enough to win though). After all, that was the intended purpose (supposedly) of the law to begin with, to protect from very obvious and foreseeable damage that could arise from no privacy protections at all. Some article/reports say quantifiable damage has already been done, even before FERPA was gutted by Obama. Something has to be done to reverse course for future students at least. And what power do we have other than to sue? Look where our votes have gotten us in the last 20 years. The left’s lawyers are changing laws left and right by filing suit after suit until they win one here and one there. The right’s complacency or fear of suing is causing us to lose our rights. We should let the constitution do what it was created to do — defend our rights. But that cannot happen if we are too afraid to file a lawsuit now and again. The father in Kentucky suing his state over Common Core is my hero of 2013 (win or lose).

            1. Oh, I’m not saying not to sue, nor to be afraid of doing so. Sue to your heart’s content if you have the resources, perseverance, and standing. (Most parents do not.) If nothing else it helps clarify the very muddy waters that now exist and gives folks who would abuse these laws willy-nilly, pause. However lawsuits take time. . . years. Appeals take years. A Supreme court ruling might take even more years, or never come, leaving most of us in limbo. Students do not have years to wait before their data is compromised. We need very clear laws, with strict penalties and definitions that cannot be “reinterpreted” and watered down by agencies or lobbyists. So sue to keep them in check while we work to make laws that will provide real enforcement and oversight or make the threat of lawsuits and/or jailtime a real deterrent. We need both in my opinion, but I don’t think suing alone will be enough over the long haul or an option for most kids and parents under current laws.

                1. Thanks! Despite the relatively short length, there actually was a lot of behind the scenes interviewing, reading and research. I will address some of the creative interpretations made by FPCO and US ED that weakened even the very weak protections we had, but I thought it was most important to point out FERPA is not what many folks believe it to be, even without those changes.
