
Article Highlight: Big Tech Makes Big Data out of Your Child: The FERPA Loophole EdTech Exploits to Monetize Student Data

This Article Highlight features work by Amy Rhoades published in the American University Business Law Review.

Note: This post reflects the first I hope to make in a series that highlights interesting work related to student privacy and educational data mining and analytic practices.


Rhoades, A. (2020). Big tech makes big data out of your child: The FERPA loophole edTech exploits to monetize student data. American University Business Law Review, 9(3), 445–474. https://digitalcommons.wcl.american.edu/aublr/vol9/iss3/4


No abstract provided. Instead, part of the introduction is quoted below.

With the increase of technology use in schools, parents, students, and privacy advocates have growing concerns that current regulation is inadequate to meet the rapidly advancing technology EdTech companies employ.6 Commercial companies must abide by the Children’s Online Privacy Protection Act (“COPPA”), which regulates online operators’ collection and use of children’s personally identifiable information (“PII”).7 However, the Federal Trade Commission (“FTC”), the enforcement agency overseeing COPPA, issued an exception for data disclosed by schools to online operators acting as authorized educational partners.8 The FTC maintains that student PII disclosed as an education record is regulated by the Family Educational Right and Privacy Act (“FERPA”).9 The legislation’s overly broad definition of education records, combined with the 2011 Amendments expanding FERPA to permit schools to disclose data to third parties, creates a loophole for the EdTech industry to avoid COPPA regulation regarding student data.10 As a result, commercial companies can quickly amass large amounts of data and potentially avoid the FTC’s oversight of COPPA compliance by contracting directly with schools.11 This practice runs afoul of legislative intent for both FERPA and COPPA, places student data at risk by creating a vacuum of oversight, and leaves little recourse for violations of data collection or use in the EdTech industry.12 This Comment argues that the EdTech industry is exploiting a loophole in federal regulations to grow the business sector by mining children’s data online at the expense of student privacy. Part II provides background on current laws protecting student data, how the laws are applied to the EdTech industry, and how the acts are enforced.
Part III analyzes the application of FERPA to the EdTech industry, finding the collection of PII incompatible with the education record standard, and arguing that the Department of Education (“ED”) is ill-equipped to provide oversight or deterrence for commercial companies. Part IV presents solutions to increase security of student data. Part V concludes with a review of the growing imperative to address safety concerns of EdTech applications in schools and recaps how the regulation loopholes are increasing the risks to student privacy.


Open access available at the American University Business Law Review’s website.

Kyle M. L. Jones

Dr. Kyle M. L. Jones is an associate professor in the Department of Library and Information Science within the School of Informatics and Computing at Indiana University-Indianapolis (IUPUI). Get in touch with Dr. Jones here.