Charter Data Privacy: Jurisdictional Research

Federal Baseline

Universal US federal law applying to every charter school regardless of state.

Applies to: Every charter school in the United States that receives federal funds (essentially all of them).

Layered legal regime

A charter in this jurisdiction is subject to all of the following layers stacked:

  1. Layer 1: Federal Baseline (5 laws)

Federal Baseline — Laws & Regulations

FERPA

Family Educational Rights and Privacy Act

Statute: 20 U.S.C. § 1232g
Regs: 34 C.F.R. Part 99

The foundational federal student-records privacy statute. Defines 'education record,' 'personally identifiable information,' and governs how schools may disclose student data to third parties including vendors.

School-side obligations

  • Designate a Records Officer
  • Provide annual FERPA notice to parents and eligible students
  • Maintain a record of PII disclosures (with limited exceptions)
  • Permit parent inspection of records within 45 days of request
  • Obtain written consent before disclosing PII (with limited exceptions)
  • + 1 more on detail page

Vendor-side obligations

  • Qualify as 'school official' with 'legitimate educational interest' under § 99.31(a)(1)(i)(B)
  • Be under the school's direct control with respect to use and maintenance of records
  • Use student data only for the contracted educational purpose
  • Comply with re-disclosure restrictions under § 99.33(a)
  • Maintain the confidentiality requirements as if the vendor were the school itself
Breach notification: FERPA itself does not impose a breach-notification timeline. Disclosure restrictions are the operative compliance regime.
Enforcement: No private right of action (Gonzaga v. Doe, 536 U.S. 273 (2002)). Enforcement is by the US Department of Education through investigation and, ultimately, withholding of federal funds. Rare and remedial in practice.

COPPA

Children's Online Privacy Protection Act

Statute: 15 U.S.C. §§ 6501-6506
Regs: 16 C.F.R. Part 312

FTC-enforced. Operators of websites or online services directed to children under 13 (or with actual knowledge of collecting PII from them) must obtain verifiable parental consent or rely on the 'school consent' exception for educational uses.

School-side obligations

  • Vet vendors for COPPA compliance before deployment
  • Provide parents with the operator's privacy notice
  • Honor parental opt-out requests
  • Maintain documentation of vendor vetting

Vendor-side obligations

  • Post a privacy policy describing data practices
  • Obtain verifiable parental consent or rely on school consent
  • Allow parents to review their child's PII
  • Allow parents to delete their child's PII
  • Maintain confidentiality, security, and integrity of children's PII
Breach notification: COPPA does not impose its own breach-notification timeline; FTC enforcement focuses on overall security adequacy.
Enforcement: FTC enforces. Penalties up to $51,744 per violation (inflation-adjusted, verify current). Notable: YouTube/Google $170M (2019), Epic Games $275M (2022).

PPRA

Protection of Pupil Rights Amendment

Statute: 20 U.S.C. § 1232h
Regs: 34 C.F.R. Part 98

Requires parental consent before requiring students to participate in surveys, analyses, or evaluations revealing information in protected categories (sex behavior, mental health, family relationships, religion, etc.).

School-side obligations

  • Obtain parental consent for federally-funded protected surveys
  • Notify parents and offer opt-out for non-federally-funded protected surveys
  • Develop policies on physical exams and personal information collection

Vendor-side obligations

  • Vendor surveys triggering PPRA must run through the school's consent flow
Breach notification: Not applicable.
Enforcement: US Department of Education investigation; complaints to Family Policy Compliance Office.

CIPA

Children's Internet Protection Act

Statute: 20 U.S.C. § 9134(f); 47 U.S.C. § 254(h)
Regs: 47 C.F.R. § 54.520

Conditions federal E-Rate discounts on adoption of an Internet Safety Policy with filtering, monitoring, and minor education components.

School-side obligations

  • Adopt and enforce an Internet Safety Policy (CIPA policy)
  • Hold public hearing or meeting before adoption
  • Certify compliance annually on E-Rate Form 486
  • Implement technology protection measures (filtering)
  • Educate minors on appropriate online behavior

Vendor-side obligations

  • Internet filtering vendors serve as infrastructure for CIPA compliance
  • Monitoring vendors must support school CIPA documentation
Breach notification: Not applicable.
Enforcement: FCC E-Rate program: non-compliant schools lose discounts.

IDEA

Individuals with Disabilities Education Act (data provisions)

Statute: 20 U.S.C. § 1417
Regs: 34 C.F.R. Part 300, Subpart F (§§ 300.610-300.627)

Confidentiality obligations for student data tied to special education services. Overlaps with FERPA but has its own enforcement track via OSEP.

School-side obligations

  • Maintain confidentiality of all PII in IDEA-protected records
  • Train all employees with access to IDEA records
  • Maintain a log of all employees with access
  • Provide annual notice of IDEA confidentiality rights

Vendor-side obligations

  • Any vendor handling IDEA records must have dedicated controls beyond the FERPA level
Breach notification: Follow FERPA / state-law breach procedures.
Enforcement: US Department of Education Office of Special Education Programs.