Lake Elsinore Unified School District

Skip to main content
En Español
Information Technology Services » Data Privacy Laws and Board Policies

Data Privacy Laws and Board Policies

The Family Educational Rights and Privacy Act (FERPA) is a federal law enacted in 1974 that protects the privacy of student education records. 
FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."
Parents or eligible students have the right to inspect and review the student's education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.
Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.

Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
  • School officials with legitimate educational interest;
  • Other schools to which a student is transferring;
  • Specified officials for audit or evaluation purposes;
  • Appropriate parties in connection with financial aid to a student;
  • Organizations conducting certain studies for or on behalf of the school;
  • Accrediting organizations such as WASC;
  • To comply with a judicial order or lawfully issued subpoena;
  • Appropriate officials in cases of health and safety emergencies; and
  • State and local authorities, within a juvenile justice system, pursuant to specific State law.
Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.

“Family Educational Rights and Privacy Act (FERPA).” Home, US Department of Education (ED), 15 Dec. 2020,

Established in 1978, the PPRA (20 U.S.C. § 1232h, 34 CFR Part 98) affords parents of students certain rights regarding, among other things, participation in surveys, the collection and use of information for marketing purposes, and certain physical exams.
These include, but are not limited to, the right to:
  • Consent before students are required to submit to a survey that concerns one or more of the
    following eight protected areas:
  1. Political affiliations or beliefs of the student or student’s parent;
  2. Mental or psychological problems of the student or student’s family;
  3. Sex behavior or attitudes;
  4. Illegal, anti-social, self-incriminating, or demeaning behavior;
  5. Critical appraisals of others with whom respondents have close family relationships;
  6. Legally recognized privileged or analogous relationships, such as with lawyers, doctors, or
  7. Religious practices, affiliations, or beliefs of the student or student’s parent; or
  8. Income, other than as required by law to determine program eligibility.
  • Receive notice and an opportunity to opt a student out of –
  1. Any protected information survey administered or distributed to a student by a school district
  2. Any non-emergency, invasive physical examination or screening required by a school district as a
    condition of attendance; administered by the school and scheduled by the school in advance;
    and, that is not necessary to protect the immediate health and safety of a student, with some
    exceptions; and
  3. Activities of an LEA involving collection, disclosure, or use of personal information collected
    from students for the purpose of marketing or sale (or to otherwise distribute such information
    to others for that purpose), with some exceptions.
  • Inspect, upon request –
  1. Protected information surveys and surveys created by a third party, before the administration or distribution by a school district of the surveys to a student;
  2. Any instrument used by a school district to collect personal information for the purpose of marketing or sale (or otherwise distributing such information for that purpose), before the instrument is administered or distributed to a student, with some exceptions; and
  3. Instructional material, excluding academic tests or academic assessments, used by a district as part of the educational curriculum for a student.
These rights transfer from the parents to the student when the student turns 18 years old or becomes an
emancipated minor under applicable State law.
Requirements of LEAs under PPRA
LEAs are required to develop and adopt policies, in consultation with parents, to address the protection of
student privacy and parents’ rights under PPRA, including those discussed above. In addition, LEAs
must directly notify parents of these policies at least annually, at the start of each school year, and within
a reasonable period after any substantive change to the policies.
LEAs must also directly notify, such as through U.S. Mail or email, parents of students who are scheduled
or expected to be scheduled to participate in any of the activities or surveys listed below and must provide
an opportunity for parents to opt their child out of participation. LEAs must make this notification to
parents at least annually at the beginning of the school year, and this notification must include the specific
or approximate dates when the activities or surveys are scheduled or expected to be scheduled. For
activities or surveys that are scheduled after the school year starts, LEAs must provide parents with
reasonable notification and an opportunity to review, as well as an opportunity to opt their child out.
These activities and surveys involve:
• Collection, disclosure, or use of personal information collected from students for the purpose of
marketing or sale (or otherwise distributing such information to others for that purpose), with
some exceptions;
• Administration or distribution to a student of any protected information survey not funded as part
of a program administered by the Department or funded as part of a program administered by the
Department but to which students are not required to submit; and
• Certain non-emergency, invasive physical examinations or screenings, as described above.
Established in 1998, The Children’s Online Privacy Protection Act (“COPPA”) is a federal law governed by the Federal Trade Commission (“FTC”) that controls what information may be collected from children under the age of 13 by companies operating websites and mobile applications. (15 U.S.C. § 6501, et seq.) COPPA requires companies to post a clear privacy policy on their website or mobile application, provide notice to parents, and obtain parental consent before collecting personal information from children under the age of 13. Under COPPA, school districts1 are authorized to provide consent on behalf of parents and may approve a student’s use of an educational program. An LEA’s ability to consent on a parent’s behalf is strictly limited to the educational context. That is, an LEA may only consent on the parent’s behalf if the personal information collected is used strictly for educational purposes and not for any commercial purpose. Additionally, the FTC recommends that an LEA provide notice on its website identifying all of the websites and applications for which the LEA has provided consent on a student’s behalf. What is Personal Information? For COPPA purposes, personal information is individually identifiable information collected online, including: # A first and last name; # A home or other physical address including street name and name of a city or town; # Online contact information as defined in this section; # A screen or user name where it functions in the same manner as online contact information, as defined in this section; # A telephone number; # A social security number; # A persistent identifier that can be used to recognize a user over time and across different websites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (“IP”) address, a processor or device serial number, or unique device identifier; # A photograph, video, or audio file where such file contains a child’s image or voice; # Geolocation information sufficient to identify street name and name of a city or town; or # Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition. Consent to Collection of Student Data is Presumed An LEA may act as a parent’s agent and can consent to the collection of a student’s information on the parent’s behalf, as long as the consent is limited to the educational context. Technically, in order for a commercial website operator that collects, uses, or discloses personal information from children under 13 to get consent from the school, the operator must provide the school with 1 COPPA specifically references school districts, but given that County Offices of Education (“COE”) may utilize student data in the exact same way as California school districts, we recommend that COEs follow the same guidelines as school districts. Accordingly, LEAs are referred to generally in this section even though COPPA only specifically identifies school districts. Data Privacy Guide 2 all the notices required under COPPA. However, as long as the operator limits use of the student’s information to the educational context authorized by the LEA, the operator can presume that the LEA’s authorization is based on the LEA having obtained parental consent. Website Operators Must Provide LEA with Information Upon Request Upon request from the LEA, website operators must provide: a description of the types of personal information collected; an opportunity to review the child’s personal information and/or have the information deleted; and the opportunity to prevent further use or online collection of a child’s personal information. FTC-Recommended Best Practices # Allow parents to review the personal information collected. # Ensure operators delete a student’s personal information once the information is no longer needed for its educational purpose. # LEAs should make available to parents notice of the websites and online services to which it has provided consent on behalf of the parent concerning student data collection, as well as the operators’ direct notices. This information or a link to this information can be maintained on the LEA website. FTC-Recommended Inquiries According to the FTC, in deciding whether to use online technology with students, an LEA should be careful to understand how an operator will collect, use, and disclose personal information from its students. Among the questions that LEAs should ask potential operators are: # What types of personal information will the operator collect from students? # How does the operator use this personal information? # Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the LEA? # Does the operator enable the LEA to review and have deleted the personal information collected from its students? If not, the LEA cannot consent on behalf of the parent. # What measures does the operator take to protect the security, confidentiality, and integrity of the personal information that it collects? # What are the operator’s data retention and deletion policies for children’s personal information? Policy and Notice of Right to Opt Out of Data Collection for Marketing LEAs must adopt policies and provide direct notification to parents at least annually regarding the rights of parents to opt their children out of participation in activities involving the collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling that information (or otherwise providing that information to others for such purpose). For more information on COPPA, see Section M: COPPA and Schools on
Established in 2000, The Children’s Internet Protection Act (“CIPA”) is a federal law enacted to address concerns regarding children’s access to obscene or harmful content over the Internet. CIPA imposes requirements on LEAs that receive discounts for Internet access or internal connections through the federal E-rate program. In order to receive E-rate funding, LEAs must certify that they have in place an Internet safety policy that includes certain technology protection measures. Public Notice Requirement Prior to adoption and certification of an Internet safety policy, CIPA requires sufficient public notice for at least one public meeting to address the proposed policy. A public meeting called for the purpose of complying with CIPA must be open to all.
What is Required for Certification of the Internet Safety Policy? LEAs subject to CIPA may not receive discounts offered through the E-rate program unless they do the following: # Certify that it has an Internet safety policy that includes protection measures that block or filter Internet access to content that is: " Obscene; " Child pornography; or " Harmful to minors. # Include a provision in its Internet safety policy that requires monitoring of online activities of minors on the LEA network. # Provide for educating minors about appropriate online behavior, including: " Interacting with others on social networking websites and in chat rooms; and " Cyberbullying awareness and response. What Must the Internet Safety Policy Address? The Internet safety policy must address the following six components: # Access by minors to inappropriate matter on the Internet; # The safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communication; # Unauthorized access, including so-called “hacking” and other unlawful activities by minors online; # Unauthorized disclosure, use, and dissemination of personal information concerning minors; and # Measures restricting minors’ access to materials harmful to them.
Established in 2015, California Education Code section 49073.6 requires that LEAs considering “a program to gather or maintain in its records any pupil information obtained from social media” first notify pupils and their parents or guardians about the proposed program, and then provide an opportunity for public comment at a regularly scheduled public meeting before adopting the program. “Social media” means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant messages, email, text messages, online services or accounts, or Internet website profiles or locations. For purposes of this law, “social media” does not mean an electronic service or account used exclusively for educational purposes or primarily to facilitate creation of school-sponsored publications, such as a yearbook or pupil newspaper, under the direction or control of a school, teacher, or yearbook adviser.
Any LEA that adopts a program pursuant to this provision must:
  • Gather and maintain only information pertaining directly to school or student safety;
  • Provide a student with access to any information about the student obtained from social media; and
  • Destroy the information gathered from social media and maintained in its records within one year of the student turning 18 or discontinuing attendance with the LEA, whichever is sooner.
If an LEA contracts with a third party to gather student information from social media, California Education Code section 49073.6:
  • Prohibits the third party from using the information for purposes other than to satisfy the terms of the contract; 
  • Prohibits the third party from selling or sharing the information with outside persons or entities; and
  • Provides additional restrictions on the destruction of the information by the third party.
The foregoing requirements could be incorporated by an agreement with the third party. California Education Code section 49073.6 does not specifically define “a program to gather or maintain in its records any pupil information obtained from social media.” However, many LEAs research public social media sites following a complaint of cyberbullying or school-related misconduct. To the extent this information is collected, maintained, or utilized for disciplinary purposes, this practice likely falls under the definition of “a program to gather or maintain in its records any pupil information obtained from social media” and would need to meet the requirements of 49073.6. 
Technology services agreements entered into, amended, or renewed by a California LEA on or after January 1, 2015 must follow specific requirements. These requirements apply to contracts for services that utilize electronic technology, including cloud-based services, for the digital storage, management and retrieval of pupil records, as well as educational software that authorizes a third-party provider to access, store and use pupil records. All of the following requirements must be included in such contracts:
  • A statement that pupil records continue to be the property of and under the control of the school district;
  • A description of the means by which pupils may retain possession and control of their own pupil-generated content, if applicable, including options by which a pupil may transfer pupil-generated content to a personal account;
  • A prohibition against the third party using any information in the pupil record for any purpose other than those required or specifically permitted by the contract; 
  • A description of the procedures by which a parent, legal guardian, or eligible pupil may review personally identifiable information in the pupil’s records and correct erroneous information;
  • A description of the actions the third party will take—including the designation and training of responsible individuals—to ensure the security and confidentiality of pupil records;
  • A description of the procedures for notifying the affected parent, legal guardian, or eligible pupil in the event of an unauthorized disclosure of the pupil’s records;
  • A certification that a pupil’s records shall not be retained or available to the third party upon completion of the terms of the contract and a description of how that certification will be enforced (NOTE: This requirement does not apply to pupil-generated content if the pupil chooses to establish or maintain an account with the third party for the purpose of storing that content, either by retaining possession and control of their own pupil generated content, or by transferring pupil-generated content to a personal account.);
  • A description of how the district and the third party will jointly ensure compliance with the federal Family Educational Rights and Privacy Act; and
  • A prohibition against the third party using personally identifiable information in pupil records to engage in targeted advertising.
References: AB 1584; Cal. Educ. Code § 49073.1; 20 U.S.C. § 1232g
California Business and Professions Code section 22584, also known as the Student Online Personal Information Protection Act (“SOPIPA”), takes effect on January 1, 2016 and sets forth privacy laws for operators of websites, online services, and applications that are marketed and used for K-12 school purposes, even if those operators do not contract with educational agencies. While primary responsibility for compliance with SOPIPA lies with website operators, LEAs should proceed with reasonable due diligence when evaluating technology service providers, especially providers based outside of California, to ensure their policies and procedures comply with SOPIPA.
SOPIPA adds to the K-12 student privacy scheme the following requirements:
  • Operators cannot target advertising on their website or any other website using information acquired from students.
  • Operators cannot create a profile for a student, except for school purposes.
  • Operators cannot sell a student’s information.
  • Operators cannot disclose student information, unless for legal, regulatory, judicial, safety, or operational improvement reasons.
  • Operators must protect student information through reasonable security procedures and practices.
  • Operators must delete school- or district-controlled student information when requested by schools or districts. 
  • Operators must disclose student information: when required by law; for legitimate research purposes; or for school purposes to educational agencies.