University of Miami Law Review


While student privacy has been a public issue for half a century, its contours change in response to social norms, technological capabilities, and political ideologies. The Family Educational Rights and Privacy Act (FERPA) seeks to prevent inaccurate or inappropriate information about students from being incorporated into pedagogical, academic, and employment decisionmaking. It does so by con- trolling who can access education records and, broadly, for what purposes.

New education technologies take advantage of cloud computing and big data analytics to collect and share an unprecedented amount of information about students in class- rooms. Schools rely on outside, often for-profit, entities to provide these innovative tools. With the shift from education records to student data systems, privacy protection through access control does not account for the possibility that authorized recipients, or even educators themselves, might use student data for commercial or other non-educational purposes.

Both FERPA and new state reforms rely on education purpose limitations as a compromise that allows schools to outsource data-reliant functions while addressing stake- holder concerns. However, current regulations define “education purposes” as information practices conducted on be- half of schools or pursuant to their authorization. Accordingly, they provide more procedural than substantive constraints.

As with student privacy protections based on controlling access to education records, modern technological affordances limit the protection provided by education purpose limitations. Data-driven education tools change the nature of student information, the structure and method of school decisionmaking, and the creation of academic credentials. Broad education purpose limitations provide limited protection under these circumstances because they (1) treat education and non-education purposes as binary and mutually exclusive; (2) presume data practices serving education purposes align with students’ academic interests; (3) overlook the ethical complications created by “beta” education; (4) neglect the pedagogical effects of computerized instructional tools; and (5) discount the impact of data-driven technology on education itself. Ethical discourse regarding education technology points to productive avenues for more substantive student privacy protection.