FERPA/COPPA

ALDCA hero banner

Family Education Rights and Privacy Act (FERPA)

FERPA provides parents and students over 18 years of age (“eligible students”) certain rights regarding students’ education records, including:

  • The right to inspect and review the student’s education records within 45 days of the day ALDCA receives an access request. To request an inspection and review, the parent or eligible student should submit a written request to the academic administrator that identifies the record(s) they wish to inspect. The academic administrator makes access arrangements and notifies the parent or eligible student of the time and place where the records may be inspected.
  • The right to request an amendment of the student’s education records that the parent or eligible student believes is inaccurate. Parents or eligible students may ask ALDCA to amend a record that they believe is inaccurate. They should write to the academic administrator and clearly identify the part of the record they want changed and specify why it is inaccurate. If ALDCA decides not to amend the record as requested by the parent or eligible student, ALDCA notifies the parent or eligible student of the decision and advises them of the right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures is provided to the parent or eligible student when notified of the right to a hearing.
  • The right to consent to disclosures of personally identifiable information contained in the student’s education records, except to the extent that FERPA allows disclosure without consent. One exception that permits ALDCA to disclose information without consent is when ALDCA discloses information to school officials with legitimate educational interests. A school official is a person employed by or contracted to provide services to or designated by the contractor to provide services to ALDCA as an administrator, supervisor, instructor, or support staff member (including health or medical staff and law enforcement unit personnel); a person serving on the board of directors of the school; a person or company with whom ALDCA has contracted to perform a special task (such as an attorney, auditor, medical consultant, or therapist); or a parent or student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks. A school official has a legitimate educational interest if the official needs to review an education record to fulfill their professional responsibility. Upon request, ALDCA discloses education records without consent to officials of another school district in which a student seeks or intends to enroll. 
  • The right to file a complaint with the U.S. Department of Education concerning alleged failures by ALDCA to comply with the requirements of FERPA. The Office that administers FERPA is:
    Family Policy Compliance Office 
    U.S. Department of Education 
    400 Maryland Ave., SW 
    Washington, DC 20202-4605
  • FERPA requires that ALDCA with certain exceptions, obtain a parent’s or eligible student’s written consent prior to the disclosure of personally identifiable information from a child’s education records. However, ALDCA may disclose “directory information” without written consent, unless the parent or eligible student has advised ALDCA in writing that he/she does not want all or part of the directory information disclosed. The method for objecting to disclosure of directory information is specified below. The primary purpose of directory information is to allow ALDCA to include the following information from education records in certain school publications or disclose it to certain parties. Examples include:
    • Shipment of computer and school materials to and from student’s home
    • Entry of student enrollment information into a computer database for use by school officials 
    • Sports activity sheets, such as for wrestling, showing the weight and height of team members
  • FERPA permits the disclosure of Personally Identifiable Information (PII) from students’ education records, without consent of the parent or eligible student, if the disclosure meets certain conditions found in § 99.31 of the FERPA regulations. Except for disclosures to school officials, disclosures related to some judicial orders or lawfully issued subpoenas, disclosures of directory information and disclosures to the parent or eligible student, §99.32 of the FERPA regulations require the school to record the disclosure. Parents and eligible students have a right to inspect and review the record of disclosures. A school may disclose PII from the education records of a student without obtaining prior written consent of the parents or the eligible student:
    • To other school officials, including teachers, within the educational agency or institution whom the school has determined to have legitimate educational interests. This includes contractors, consultants, volunteers or other parties to whom ALDCA has outsourced institutional services or functions, provided that the conditions listed in §99.31(a)(1)(i)(B(l)-(a)(1)(i)(B)(3) are met. [§ 99. 31(a)(1)]; and/or
    • To officials of another school, school system or institution of postsecondary education where the student seeks or intends to enroll, or where the student is already enrolled if the disclosure is for purposes related to the student’s enrollment or transfer, subject to the requirements of § 99.34. [§ 99.31(a)(2)].

Data Use and Governance Policy

The Alabama State Board of Education’s Data Use and Governance Policy is based upon, but not limited to, maintaining compliance with FERPA. Said policy is also based on the knowledge that the appropriate use of data is essential to accelerating student learning, program and financial effectiveness and efficiency, and policy development.

This policy serves the purpose to ensure that all data collected, managed, stored, transmitted, used, reported, and destroyed by the department is done so in a way to preserve and protect individual and collective privacy rights and ensure confidentiality and security of collected data.

Data Collection Process

The Alabama State Department of Education (ALSDE) does not collect individual student data directly from students or families. This function is retained at the local school and system level through our state-funded and state-owned student data management system. Local school and system student data is transmitted daily to the state’s data management system from which state and federal reporting is completed. Each student is assigned a unique student identifier upon enrollment into the student management system to ensure compliance with the privacy rights of the student and his or her parents/guardians. No personally identifiable individual student data is shared in either state or federally required reporting. 

Data Categories

All data elements collected and transferred to the U. S. Department of Education (USDOE) are based on the reporting requirements contained in EDFacts and include only aggregated data with no personally identifiable data. 

View the ALDCA USDOE ED Facts report. 

This data is used by the USDOE for policy development, planning, and management and monitoring of individual states’ federally funded programs under the Elementary and Secondary Education Act (ESEA). 

Data Security

Data collected by the ALSDE is maintained within a secure infrastructure environment located within the department and within a remote location for backup. Access to data is limited to pre-identified staff that are granted clearance related to their job responsibilities of federal reporting, state financial management, program assessment, and policy development. Training in data security and student privacy laws is provided to these specific individuals on a regular basis in order to maintain their data use clearance along with a signed Data Use Policy assurance of confidentiality and privacy.

External Data Requests

The ALSDE maintains a managed external data request procedure managed through a Data Governance Committee. Each external data request is measured against a pre-determined set of qualifiers that includes, but are not limited to, applicability to the goals of the Alabama State Board of Education, data availability, report format ability, cost of report development, and adherence to FERPA requirements. 

Third Party Data Use Assurances

The ALSDE provides one-way data feeds to approved service providers to carryout goals of the Alabama State Board of Education. These data feeds are sub-sets of the data system limited by executed agreements or individual Memorandums of Use (MOU) that meet all state and federal privacy laws and re-disclosure assurances set by the state.

Local School and School System Data Use Compliance

All of Alabama’s Local Education Agencies (LEAs) shall have a locally adopted student records governance and use policy. These policies and their implementation shall be monitored by the ALSDE as part of our comprehensive monitoring that requires annual assurances of compliance, on-site monitoring on a three-year cycle or more often based on deficiencies noted in annual assurances or prior comprehensive monitoring cycles, and investigations of reported non-compliance activities.

Notification of Rights Under the Protection of Pupil Rights Amendment (PPRA)

PPRA affords parents of elementary and secondary students certain rights regarding the conduct of surveys, collection and use of information for marketing purposes, and certain physical exams. These include, but are not limited to, the right to:

Consent before students are required to submit to a survey that concerns one or more of the following protected areas (“protected information survey”) if the survey is funded in whole or in part by a program of the USDOE:

  • Political affiliations or beliefs of the student or student’s parent;
  • Mental or psychological problems of the student or student’s family; 
  • Sex behavior or attitudes;
  • Illegal, anti-social, self-incriminating, or demeaning behavior;
  • Critical appraisals of others with whom respondents have close family relationships;
  • Legally recognized privileged relationships, such as with lawyers, doctors, or ministers;
  • Religious practices, affiliations, or beliefs of the student or student’s parent; or
  • Income, other than as required by law to determine program eligibility.

Receive notice and an opportunity to opt a student out of:

  • Any other protected information survey, regardless of funding;
  • Any non-emergency, invasive physical exam or screening required as a condition of attendance, administered by the school or its agent, and not necessary to protect the immediate health and safety of a student, except for hearing, vision, or scoliosis screenings, or any physical exam or screening permitted or required under state law or the Individuals with Disabilities Act; and
  • Activities involving collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling or otherwise distributing the information to others. (This does not apply to the collection, disclosure, or use of personal information collected from students for the exclusive purpose of developing, evaluating, or providing educational products or services for, or to, students or educational institutions.)

Inspect, upon request and before administration or use:

  • Protected information surveys of students and surveys created by a third party;
  • Instruments used to collect personal information from students for any of the above marketing, sales, or other distribution purposes; and
  • Instructional material used as part of the educational curriculum if the instructional material will be used in connection with any survey, analysis, or evaluation as part of any survey funded in whole or in part by a program of USDOE. These rights transfer from the parents to a student who is 18 years old or an emancipated minor under state law. 

ALDCA has developed policies, in consultation with parents, regarding these rights, as well as arrangements to protect student privacy in the administration of protected information surveys and the collection, disclosure, or use of personal information for marketing, sales, or other distribution purposes. ALDCA will directly notify parents of these policies at least annually at the start of each school year and after any substantive changes. ALDCA will also directly notify, such as through U.S. mail or email, parents of students who are scheduled to participate in the specific activities or surveys noted below and will provide an opportunity for the parent to opt his or her child out of participation of the specific activity or survey. ALDCA will make this notification to parents at the beginning of the school year if the district has identified the specific or approximate dates of the activities or surveys at that time. For surveys and activities scheduled after the school year starts, parents will be provided reasonable notification of the planned activities and surveys listed below and be provided an opportunity to opt their child out of such activities and surveys. Parents will also be provided an opportunity to review any pertinent surveys.

Following is a list of the specific activities and surveys covered under this direct notification requirement: 

  • Collection, disclosure, or use of personal information collected from students for marketing, sales, or other distribution.
  • Administration of any protected information survey not funded in whole or in part by USDOE.
  • Any non-emergency, invasive physical examination or screening as described above.

Parents who believe their rights have been violated may file a complaint with: 

Family Policy Compliance Office 
U.S. Department of Education 
400 Maryland Avenue, SW 
Washington, D.C. 20202

Children’s Online Privacy Protection Act (COPPA)

General Questions About the COPPA Rule

1. What is the COPPA Rule?

Congress enacted COPPA in 1998. COPPA required the Federal Trade Commission to issue and enforce regulations concerning children’s online privacy. The Commission’s original COPPA Rule became effective on April 21, 2000. The Commission published an amended Rule on January 17, 2013. The amended Rule took effect on July 1, 2013.

The primary goal of COPPA is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13, while accounting for the dynamic nature of the internet. The Rule applies to operators of commercial websites and online services (including mobile apps and IoT devices, such as smart toys) directed to children under 13 that collect, use, or disclose personal information from children, or on whose behalf such information is collected or maintained (such as when personal information is collected by an ad network to serve targeted advertising). The Rule also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13, and to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Operators covered by the Rule must:

  • Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
  • Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children; 
  • Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
  • Provide parents access to their child’s personal information to review and/or have the information deleted;
  • Give parents the opportunity to prevent further use or online collection of a child’s personal information;
  • Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; 
  • Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use; and
  • Not condition a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.

2. Who is covered by COPPA?

The Rule applies to operators of commercial websites and online services (including mobile apps and IoT devices) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. 

3. What is personal information?

The Rule defines personal information to include:

  • First and last name;
  • A home or other physical address including street name and name of a city or town; 
  • Online contact information;
  • A screen or user name that functions as online contact information;
  • A telephone number;
  • A social security number; 
  • A persistent identifier that can be used to recognize a user over time and across different websites or online services;
  • A photograph, video, or audio file, where such file contains a child’s image or voice;
  • Geolocation information sufficient to identify street name and name of a city or town; or
  • Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above. 

4. Where can I find information about COPPA?

The Federal Trade Commission (FTC) has a comprehensive website that provides information to the public on a variety of agency activities. The children’s privacy section includes a variety of materials regarding COPPA, including all proposed and final Rules, public comments received by the commission in the course of its rulemakings, guides for businesses, parents, and teachers, information about the commission-approved COPPA safe harbor programs, and FTC cases brought to enforce COPPA. Many of the educational materials on the FTC website also are available in hard copy free of charge at www.bulkorder.ftc.gov.

Learn more about COPPA.