Contents
- Who This Guide Is For
- The Legal Landscape
- Who Owns Student Privacy in a District
- The Annual Compliance Cycle
- Step 1: Inventory Your Public Web Presence
- Step 2: Confirm Your Directory Information Designation
- Step 3: Scan for Exposures
- Step 4: Triage and Prioritize Findings
- Step 5: Remediate
- Step 6: Document and Report
- Ongoing: Vendor and Third-Party Management
- Ongoing: Staff Training
- When Something Goes Wrong
- Annual Compliance Checklist
1. Who This Guide Is For
This guide is written for the people inside a K-12 district who actually do the work of student privacy compliance: data privacy coordinators, IT directors, compliance officers, communications directors, and superintendents' designees. It assumes some familiarity with FERPA but does not assume legal training.
It is not legal advice. Every district should work with its own legal counsel on the specifics of its program, especially where state laws add requirements beyond FERPA.
2. The Legal Landscape
Student privacy in U.S. K-12 education is governed by a layered set of laws:
- FERPA — the Family Educational Rights and Privacy Act — protects the privacy of student education records. It is the foundational federal law.
- COPPA — the Children's Online Privacy Protection Act — applies mostly to commercial websites directed at children under 13, but intersects with K-12 EdTech procurement.
- PPRA — the Protection of Pupil Rights Amendment — governs surveys, evaluations, and certain kinds of data collection from students.
- State laws — many states have enacted student privacy laws that extend beyond FERPA. California's SOPIPA, New York's Education Law § 2-d, Illinois's SOPPA, and Connecticut's Public Act 16-189 are among the more substantive.
FERPA sets a floor, not a ceiling: it does not pre-empt stricter state laws, so a district must meet whichever requirement is stricter for each category of data.
3. Who Owns Student Privacy in a District
Effective compliance programs have clear accountability. In most districts, the right structure looks like this:
- Superintendent — ultimate accountability, sets program priority
- Data Privacy Officer (or equivalent) — day-to-day ownership; may be the assistant superintendent, CIO, legal counsel, or a dedicated role
- IT Director — technical infrastructure, vendor management, data security
- Communications Director — what goes on the district website; board minutes and public materials
- Principals and Department Heads — school-level publications, rosters, honor rolls
- Legal Counsel — contracts, DPAs, enforcement response
The single most common failure pattern is diffuse accountability: everyone assumes someone else is checking. A named Data Privacy Officer with a standing agenda item on a regular cadence prevents this.
4. The Annual Compliance Cycle
A well-run program operates on an annual cycle aligned with the school year:
- July – August: Annual FERPA notice drafted and reviewed; directory-information designation confirmed; annual staff training prepared
- August – September: Annual notice distributed to families; staff training delivered; opt-out forms collected
- September – October: Baseline compliance scan of district web presence; remediation of identified exposures
- October – May: Monthly or quarterly monitoring scans; ad hoc review of new publications
- May – June: Annual report to the board summarizing privacy posture, findings, remediation, and incidents
- June – July: Vendor/DPA renewals, annual policy review, planning for next cycle
5. Step 1: Inventory Your Public Web Presence
You can't monitor what you don't know about. Districts almost always have more public web presence than staff assume. A complete inventory typically includes:
- The primary district website
- Individual school websites (often on a separate CMS)
- Athletic department sites (sometimes hosted by third parties)
- Staff-maintained pages, blogs, and class sites
- Board/agenda portals (often a separate system like BoardDocs, Simbli, or equivalent)
- PDF archives linked from any of the above
- Third-party EdTech embeds (LMS portals, parent portals, SSO gateways visible to the public)
- Social media accounts that publish student-identifying information
Build this inventory once, then maintain it as new sites and systems are added.
6. Step 2: Confirm Your Directory Information Designation
The directory-information exception to FERPA's consent requirement is only as protective as your designation is precise. Confirm annually:
- What categories has the district formally designated as directory information?
- Is the annual notice clear and specific about those categories?
- Are opt-out records current and accessible to staff who publish student information?
- Are there publications on the district's web presence that fall outside the designation?
For a deeper treatment, see Directory Information: The Most Commonly Misunderstood Part of FERPA.
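The last two questions above are checkable before anything is published. The following is an added example written for this guide, not code from the guide or from SchoolScan: it takes a draft roster, the district's written designation, and the opt-out list, and reports every row that falls outside the designation or belongs to an opted-out student. The designation, the opt-out list, the draft honor roll, and the field names are constructed sample data and assumptions; a real check would pull the designation from the annual notice and the opt-outs from the SIS.

```python
"""Pre-publication check of a draft roster against the district's
directory-information designation and its opt-out list.

Added example for this guide, not code from the guide or from SchoolScan.
The designation, the opt-out list, the draft honor roll and the field
names are all constructed sample data and assumptions."""

# Constructed: the categories this hypothetical district designated as
# directory information in its annual FERPA notice. Anything not listed
# here needs written consent before it can be published.
DIRECTORY_DESIGNATION = frozenset({
    "name", "grade_level", "participation_in_activities", "honors_and_awards",
})

# Constructed: students whose families returned an opt-out form, keyed on
# the SIS student ID so that two students sharing a name are not confused.
OPT_OUTS = frozenset({"S-1002"})

# Constructed draft of a school-website honor roll. The student_id column
# is the join key used for the check and is never itself published.
DRAFT_HONOR_ROLL = [
    {"student_id": "S-1001", "name": "Avery Lopez", "grade_level": 10,
     "honors_and_awards": "High Honors", "gpa": 3.9},
    {"student_id": "S-1002", "name": "Jordan Kim", "grade_level": 10,
     "honors_and_awards": "Honors"},
    {"student_id": "S-1003", "name": "Sam Patel", "grade_level": 11,
     "honors_and_awards": "High Honors", "iep_status": "Yes"},
]

JOIN_KEY = "student_id"


def check_publication(rows, designation=DIRECTORY_DESIGNATION, opt_outs=OPT_OUTS):
    """Return (student_id, issue, detail) tuples for every row that may not
    be published as drafted. An empty list means the draft stays inside the
    designation and honours every opt-out."""
    findings = []
    for row in rows:
        sid = row[JOIN_KEY]
        if sid in opt_outs:
            # An opt-out covers all directory information, so the whole
            # row has to go, not just a field.
            findings.append((sid, "opt_out",
                             "family opted out; remove the entire row"))
        for field_name in row:
            if field_name == JOIN_KEY:
                continue
            if field_name not in designation:
                findings.append((sid, "outside_designation",
                                 f"'{field_name}' is not designated directory "
                                 "information and needs consent or removal"))
    return findings


def redact_for_publication(rows, designation=DIRECTORY_DESIGNATION, opt_outs=OPT_OUTS):
    """Return the rows that can be published as-is: opted-out students are
    dropped entirely and only designated fields are kept. Run
    check_publication() first so the owner sees what was removed and why."""
    published = []
    for row in rows:
        if row[JOIN_KEY] in opt_outs:
            continue
        published.append({k: v for k, v in row.items() if k in designation})
    return published


if __name__ == "__main__":
    for sid, issue, detail in check_publication(DRAFT_HONOR_ROLL):
        print(f"{sid}: {issue}: {detail}")
    print(redact_for_publication(DRAFT_HONOR_ROLL))
```

On the constructed roster the check flags the GPA and IEP fields as outside the designation and removes the opted-out student's row entirely, since an opt-out withdraws consent for all directory information, not just one field. Joining on the student ID rather than the name matters: name collisions are common in a district, and an opt-out applied to the wrong student is itself a disclosure.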
7. Step 3: Scan for Exposures
The core operational step. A compliance scan reviews the district's public web presence for content that may violate FERPA or state student privacy laws. A thorough scan covers:
- Direct PII — student names linked to non-directory records (grades, discipline, health)
- Indirect re-identification — combinations of attributes that identify students without naming them
- Directory information mishandling — publications outside the designated scope
- Education records — IEPs, 504s, assessment data exposed on public-facing pages
- Metadata leakage — PII embedded in document properties, Open Graph tags, or file metadata
- Vendor exposure — student data surfaced through third-party EdTech integrations
Scans can be done manually, but manual review doesn't scale. A typical district has thousands of pages, hundreds of PDFs, and dozens of spreadsheets across its public web presence. Automated scanning (including SchoolScan) makes this work tractable.
8. Step 4: Triage and Prioritize Findings
Not every finding is equally urgent. A good triage framework sorts findings into:
- Critical — direct PII exposure, education records on public pages, single-student re-identification risk. Remediate immediately.
- High — small-cell data (k < 10), directory information outside designation, IEP/504 references. Remediate within 7 days.
- Medium — metadata leakage, opt-out violations, older archived content. Remediate within 30 days.
- Low / Informational — findings the district's policy designates as compliant but that are worth noting for trend analysis.
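To make Steps 3 and 4 concrete, here is an added example of a single-page exposure scan that tags each finding with one of the triage tiers above. It is written for this guide and is not the guide's own tooling or SchoolScan; the sample page, the three-name student roster, the education-record keyword list, and the 60-character proximity window are constructed sample data and assumptions. A real scanner crawls every site in the Step 1 inventory and matches against the SIS rather than a hard-coded name list.

```python
"""Exposure scan of one public web page, with each finding tagged using
the triage tiers from Step 4.

Added example for Steps 3 and 4 of this guide; not the guide's own tooling
and not SchoolScan. The page, the roster of student names, the
education-record keyword list and the proximity window are constructed
sample data and assumptions."""

import re
from html.parser import HTMLParser

K_THRESHOLD = 10  # the guide's small-cell threshold (k < 10)
PROXIMITY = 60    # assumed: how close a name and a record term must sit

# Assumed keyword list for content that is an education record and
# should never appear on a public page.
EDU_RECORD_TERMS = re.compile(
    r"\b(IEP|504 plan|suspension|expulsion|discipline|diagnos\w*)\b", re.I)

# Constructed: names that would come from the SIS in a real scan.
STUDENT_NAMES = ("Avery Lopez", "Jordan Kim", "Sam Patel")
NAME_RE = re.compile("|".join(map(re.escape, STUDENT_NAMES)))

# Constructed sample page with one problem of each kind.
SAMPLE_PAGE = """<html><head>
<title>Lincoln High - Counseling Updates</title>
<meta property="og:title" content="Avery Lopez named student of the month">
<meta property="og:description" content="IEP meeting notes for Jordan Kim, grade 10">
<meta name="author" content="counseling@district.example">
</head><body>
<h1>Counseling Updates</h1>
<p>Reminder: parent-teacher conferences are next week.</p>
<table>
<tr><th>Subgroup</th><th>Enrolled</th><th>Chronically absent</th></tr>
<tr><td>Grade 9</td><td>212</td><td>31</td></tr>
<tr><td>Grade 10 - ELL</td><td>7</td><td>3</td></tr>
</table>
<p>Sam Patel returns to class Monday now that the suspension is lifted.</p>
</body></html>"""


class PageExtractor(HTMLParser):
    """Separate meta tags, table rows and visible text; each is checked
    differently."""

    def __init__(self):
        super().__init__()
        self.meta = []    # (property-or-name, content)
        self.rows = []    # list of cell strings per <tr>
        self.text = []    # visible text outside tables
        self._row = None
        self._cell = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("content"):
            self.meta.append((a.get("property") or a.get("name") or "?", a["content"]))
        elif tag == "tr":
            self._row = []
        elif tag in ("td", "th"):
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None and self._row is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)
        else:
            self.text.append(data)


def scan_page(html, k=K_THRESHOLD):
    """Return findings as (severity, category, detail), most severe first."""
    page = PageExtractor()
    page.feed(html)
    findings = []

    # Metadata leakage (Medium), escalated to Critical when the tag also
    # carries an education-record term: social previews re-publish Open
    # Graph tags even after the page body has been cleaned up.
    for key, content in page.meta:
        if NAME_RE.search(content):
            if EDU_RECORD_TERMS.search(content):
                findings.append(("Critical", "education record in metadata", f"{key}: {content}"))
            else:
                findings.append(("Medium", "metadata leakage", f"{key}: {content}"))

    # Small cells (High): any count 0 < n < k in a published table row.
    for row in page.rows:
        small = [int(c) for c in row if c.isdigit() and 0 < int(c) < k]
        if small:
            findings.append(("High", "small-cell data", f"row '{row[0]}' has counts {small} below k={k}"))

    # Direct PII (Critical): a student name within PROXIMITY characters of
    # an education-record term in the visible text.
    text = " ".join(page.text)
    for m in EDU_RECORD_TERMS.finditer(text):
        window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        name = NAME_RE.search(window)
        if name:
            findings.append(("Critical", "name linked to education record", f"{name.group()} near '{m.group()}'"))

    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for sev, cat, detail in scan_page(SAMPLE_PAGE):
        print(f"[{sev}] {cat}: {detail}")
```

On the sample page the scan produces two Critical findings (an IEP reference tied to a named student in the Open Graph description, and a named student next to "suspension" in the body), one High finding (the ELL row with counts of 7 and 3), and one Medium finding (a student name in the og:title tag). The metadata checks are worth the extra code: an Open Graph tag is what social platforms and link previews cache, so it can keep disclosing long after the visible page is fixed.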
9. Step 5: Remediate
Remediation usually means one of four actions:
- Remove the exposing content from the public web presence
- Redact the specific PII while keeping the underlying document available
- Replace a granular disclosure with a safer aggregate version (e.g., suppress small cells, combine categories)
- Restrict access to appropriate audiences (authenticated parent portal rather than public page)
For each remediation, document what was done, who did it, when, and how you confirmed the fix. Re-scan to verify.
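The third remediation above, replacing a granular disclosure with a safer aggregate, is the one most often done by hand and most often done wrong: suppressing one small cell while publishing the row total lets anyone subtract it back. The following added example, written for this guide and not taken from it or from SchoolScan, shows both forms of that remediation on a constructed table of counts: small-cell suppression with complementary suppression, and combining categories so that nothing needs suppressing at all. The table, the subgroup labels, and the assumption that rows are disjoint categories are constructed; k = 10 follows the Step 4 threshold.

```python
"""Two Step 5 remediations for a granular disclosure: suppress small cells
(with complementary suppression so a published total cannot be used to
recover the suppressed value) and combine categories.

Added example for this guide; not the guide's or SchoolScan's code. The
table of counts and the subgroup labels are constructed, k = 10 follows the
guide's triage threshold, and rows are assumed to be disjoint categories."""

K = 10

# Constructed: grade-level proficiency counts by ELL status. Publishing
# the "Current ELL" row as-is would disclose that only 4 students in that
# subgroup were proficient, a small enough cell to identify them.
TABLE = {
    "Grade 9 - Current ELL": {"proficient": 4,   "not_proficient": 18},
    "Grade 9 - Former ELL":  {"proficient": 11,  "not_proficient": 25},
    "Grade 9 - Never ELL":   {"proficient": 150, "not_proficient": 62},
}


def find_small_cells(table, k=K):
    """Cells with 0 < count < k. Zero is treated as a structural zero and
    left alone; whether that is safe is itself a policy decision."""
    return [(r, c, v) for r, cols in table.items()
            for c, v in cols.items() if 0 < v < k]


def plan_suppression(table, k=K):
    """Return {row: {col: True if suppressed}}. After the primary
    suppression of small cells, every row and column left with exactly one
    suppressed cell gets a second (complementary) one, because a published
    marginal total would otherwise give the small cell away. Repeats until
    no row or column has a single suppressed cell."""
    sup = {r: {c: 0 < v < k for c, v in cols.items()} for r, cols in table.items()}
    col_names = list(next(iter(table.values())).keys())

    def complement(line_cells):
        # line_cells: the (row, col) pairs of one row or one column. The
        # smallest unsuppressed cell becomes the complement; it hides the
        # least information.
        flagged = [(r, c) for r, c in line_cells if sup[r][c]]
        if len(flagged) != 1:
            return False
        cands = [(r, c) for r, c in line_cells if not sup[r][c]]
        if not cands:
            return False
        r2, c2 = min(cands, key=lambda rc: table[rc[0]][rc[1]])
        sup[r2][c2] = True
        return True

    changed = True
    while changed:
        changed = False
        for r in table:
            changed |= complement([(r, c) for c in col_names])
        for c in col_names:
            changed |= complement([(r, c) for r in table])
    return sup


def publish_view(table, k=K):
    """The table as it can go on a public page: suppressed cells become '*'
    and row totals stay published (column totals are deliberately not)."""
    sup = plan_suppression(table, k)
    view = {}
    for r, cols in table.items():
        view[r] = {c: ("*" if sup[r][c] else v) for c, v in cols.items()}
        view[r]["total"] = sum(cols.values())
    return view


def combine_rows(table, rows_to_merge, new_label):
    """Alternative remediation: merge categories so no cell is small and
    nothing has to be suppressed. Only valid when the rows are disjoint."""
    merged = {}
    out = {}
    for r, cols in table.items():
        if r in rows_to_merge:
            for c, v in cols.items():
                merged[c] = merged.get(c, 0) + v
        else:
            out[r] = dict(cols)
    out[new_label] = merged
    return out


if __name__ == "__main__":
    print("small cells:", find_small_cells(TABLE))
    print("suppressed:", publish_view(TABLE))
    ever_ell = combine_rows(TABLE, {"Grade 9 - Current ELL", "Grade 9 - Former ELL"},
                            "Grade 9 - Ever ELL")
    print("combined:", publish_view(ever_ell))
```

On the constructed table the single small cell (4 proficient current ELL students) forces four suppressions once complements are applied, which is a lot of lost information for one cell. Combining "Current ELL" and "Former ELL" into one category instead yields 15 and 43, both above k, and the whole table can be published. The greedy complementary pass here is the simple version; it protects against direct subtraction from a published total but not against an attacker who combines bounds from several tables, which is why the choice of what to suppress should be documented alongside the remediation, as the paragraph above asks.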
10. Step 6: Document and Report
A compliance program is only as strong as its documentation. Maintain records of:
- Scan dates, scope, and findings counts by severity
- Remediation actions taken, with dates and owners
- Incidents or complaints received, with disposition
- Annual notices distributed, opt-outs received, and how they're tracked
- Training delivered, to whom, and when
- DPAs executed and their review dates
An annual privacy report to the superintendent and board closes the loop and demonstrates diligence. It's also the document you want to have ready if a complaint is filed with the U.S. Department of Education's Student Privacy Policy Office.
11. Ongoing: Vendor and Third-Party Management
Most student data exposure today involves third-party vendors. A disciplined vendor management process includes:
- Maintaining a current list of all EdTech vendors with access to student data
- Executing a Data Privacy Agreement (DPA) with each vendor
- Reviewing vendor privacy practices annually
- Tracking subprocessor changes the vendor announces
- Confirming data destruction at contract end
A common failure mode: district signs with a vendor, vendor changes its own subprocessors silently, and the district doesn't notice. A once-a-year vendor audit catches this.
12. Ongoing: Staff Training
Effective training is short, specific, and repeated. Covering the following in 45 minutes each August is typically enough:
- What FERPA is and what "education records" means
- What the district's directory-information designation is (exactly)
- How to check opt-outs before publishing
- What kinds of publications need review before going public
- How to redact PDFs properly
- Who to contact if they think an exposure has occurred
Optional but valuable: a shorter refresher in January and a targeted session for specific roles (coaches, counselors, principals).
13. When Something Goes Wrong
Exposures happen. The measure of a compliance program is not zero incidents; it's how quickly and appropriately incidents are handled.
A basic incident response process:
- Contain. Remove or restrict access to the exposing content immediately.
- Assess. Determine what was disclosed, how long it was public, and which students are affected.
- Notify. Follow applicable legal and contractual notification obligations. Some state laws require specific timelines.
- Document. Record the incident, response, and outcome in your privacy records.
- Learn. Identify the upstream cause and adjust process, training, or tooling to prevent recurrence.
For a complaint or suspected violation, the U.S. Department of Education's Student Privacy Policy Office investigates; many states also have their own complaint channels.
14. Annual Compliance Checklist
A compact version of everything above:
- □ Annual FERPA notice reviewed and distributed
- □ Directory information designation confirmed in writing
- □ Opt-out tracking list current and accessible
- □ Staff training delivered to all relevant roles
- □ Web presence inventory updated
- □ Baseline compliance scan completed
- □ Findings triaged and remediated, with documentation
- □ Ongoing monitoring scans scheduled
- □ Vendor inventory and DPAs reviewed; renewals executed as needed
- □ Annual privacy report delivered to superintendent and board
- □ Incident log reviewed for pattern trends
- □ Program improvements identified for next cycle
Ready to operationalize your compliance program?
SchoolScan handles the scan, triage, and documentation steps so your privacy team can focus on remediation and training. Critical findings are reviewed by privacy professionals.
Request a Demo
Related reading:
- FERPA Overview
- Blog — Student Privacy Insights
- Data Privacy Agreement
- U.S. Department of Education Student Privacy Policy Office
This guide is provided for general informational purposes only and does not constitute legal advice. Consult your district's legal counsel for specific compliance questions.