Privacy law in the United States is a complicated patchwork of state and federal caselaw and statutes. Harvard Law School’s Cyberlaw Clinic, based at the Berkman Center for Internet & Society, prepared this briefing document in advance of the Student Privacy Initiative’s April 2013 workshop, “Student Privacy in the Cloud Computing Ecosystem,” to provide a high-level overview of two of the major federal legal regimes that govern privacy of children’s and students’ data in the United States: the Children’s Online Privacy Protection Act (COPPA) and the Family Educational Rights and Privacy Act (FERPA).

This guide (downloadable from SSRN here) aims to offer schools, parents, and students alike a sense of some of the laws that may apply as schools begin to use cloud computing tools to help educate students. Both of the relevant statutes – and particularly FERPA – are complex and are the subjects of large bodies of caselaw and extensive third-party commentary, research, and scholarship. This document is not intended to provide a comprehensive summary of these statutes, nor privacy law in general, and it is not a substitute for specific legal advice. Rather, this guide highlights key provisions in these statutes and maps the legal and regulatory landscape.

About the Cyberlaw Clinic

The Clinic provides high-quality, pro- bono legal services to appropriate clients on issues relating to the Internet, new technology, and intellectual property. Students enhance their preparation for high- tech practice and earn course credit by working on real-world litigation, client counseling, advocacy, and transactional / licensing projects and cases.

About the Student Privacy Initiative

The Berkman Center for Internet & Society’s Student Privacy Initiative explores the opportunities and challenges that may arise as educational institutions consider adopting cloud computing technologies. In its work across three overlapping clusters – Privacy Expectations & Attitudes, School Practices & Policies, and Law & Policy – this initiative aims to engage diverse stakeholder groups from government, educational institutions, academia, and business, among others, to develop shared good practices that promote positive educational outcomes, harness technological and pedagogical innovations, and protect critical values.

This report (downloadable from SSRN here) draws from ongoing Student Privacy Initiative research as well as participant inputs from an April 2013 exploratory workshop, “Student Privacy in the Cloud Computing Ecosystem,” to begin to map the current landscape and connect the often-siloed perspectives of educational institutions, students, parents, and administrators as well as cloud service providers and policy makers.

Following the workshop, the Berkman Center distilled a number of high-level observations that may be particularly critical in informing and catalyzing both future research and action. Some of the key points include the following:

• Expanding educational and knowledge sharing efforts will be integral to engage parents, students, and teachers alongside representatives from a variety of disciplines. These diverse stakeholders may have vastly different baseline knowledge of relevant issues—from cloud computing to privacy concerns to regulatory considerations—and addressing these differences may require a multi-pronged approach. In particular, it will be important to share up-to-date information about rapidly developing educational technologies so that potential users can better understand what data vendors might access and collect as well as what the vendor might do with this data.
• Developing a shared vocabulary and understanding of privacy and technological termswill be central to future research, outreach, policy, and educational efforts. Taxonomies and guides can help to cultivate a shared language and bolster communication and collaboration across educational, commercial, and regulatory settings.
• Good practices and draft standards, especially around contractual practices and terms of service, represent a fruitful area for attention. Stakeholders should enter this space in close communication with vendors and industry representatives.
• Ongoing normative analysis and discussion will be critical in grappling with the many dimensions of the topic and considering how core technologies, opportunities, and behaviors may evolve. In particular, the rapid emergence of data analytics technologies raise important questions about how existing legal frameworks should be interpreted or evolve. This dialogue should be grounded in real-world examples and data, and address open questions such as whether and how cloud technologies support broader educational values and if so, what specific value trade-offs may be involved.

This report offers many more concrete details regarding research, policymaking, outreach, and engagement around student privacy and cloud computing.

By considering norms and values alongside the opportunities for research, policymaking, outreach, and engagement around student privacy and cloud computing in the working road map, the Berkman Center looks forward to continuing the dialogue around this timely and important topic as part of its evolving privacy research agenda.