PogoWasRight.org


Changes are coming to FERPA, including the potential for fines

Posted on August 7, 2015 / June 26, 2025 by Dissent

Joseph W. Cornelison of Husch Blackwell LLP writes:

The House Committee on Education and the Workforce recently announced the introduction of a bill to amend FERPA. The Student Privacy Protection Act (H.R. 3157) has bipartisan support and is intended to modernize privacy protections, improve communication, and “hold schools, states and independent entities accountable for their use of student information.”

I’m pulling out a few of the changes Cornelison notes that are particularly significant, I think:

Prescribing additional security practices. The bill would require educational agencies and institutions and the SEA to designate an official responsible for maintaining security of their education records. They are to require any party given access to such records to have similar security practices and are to establish a notification policy in the event of a breach of their policies regarding the security of the education records they hold or maintain. This requires notification of the breach to parents or eligible students be made within three days of becoming aware of the breach.

Changing the “school official” exception for non-consensual disclosures. Per the regulations implementing the current version of FERPA, a “school official” is defined to include a “contractor, consultant, volunteer or other party to whom an agency or institution has outsourced institutional services or functions” subject to certain conditions. The bill, however, would limit this exception expressly to school officials, including teachers. However, it would then create a new exception for “an education service provider, contractor, consultant, volunteer, or other party” having legitimate educational interest and to whom the institution or agency has outsourced a function or service. It includes the conditions currently in the regulation for this exception to apply, but would add additional ones as well. Specifically, the bill would require that there be a written agreement with any such entity or individual that addresses the protection of the information being disclosed and specifies a number of provisions such an agreement is to address, including a description of any subcontractor or other person acting for the party and the penalties for a security breach in violation of the agreement.

Including a ban on marketing and advertising. The bill prohibits any “person with access to an education record or a student’s personally identifiable information contained in the education record” from marketing or otherwise advertising directly to students using information gained through that access. Some limited exceptions are provided such as for school pictures, class rings, yearbooks and similar school-sanctioned commemorative products, events or activities.

Authorizing the imposition of penalties. The bill would authorize the Secretary of Education to impose fines upon educational agencies or institutions and the SEA for failures to voluntarily comply or for substantial violations. The fine is to be a minimum of $100, but depending on the severity of the violation can go to a maximum of $1.5 million.

Read more on HigherEducationLegalInsights.com
