The US Department of Education released a report on student-data privacy. (PDF) in an attempt to answer the growing concerns about student privacy and disclosing their personal information to third-party vendors. The report is far from reassuring. The answer to whether Personal Identifiable Information (PII) is protected is, "it depends....there is no universal answer."
Is Student Information Used in Online Educational Services Protected by FERPA? (p. 2)
It depends. Because of the diversity and variety of online educational services, there is no universal answer to this question......
What Does FERPA Require if PII from Students’ Education Records is Disclosed to a Provider? (p.3)
It depends. Because of the diversity and variety of online educational services, there is no universal
answer to this question. Subject to exceptions, the general rule under FERPA is that a school or district cannot disclose PII from education records to a provider unless the school or district has first obtained written consent from the parents (or from “eligible students,” i.e., those who are 18 years of age or older or attending a postsecondary school). Accordingly, schools and districts must either obtain consent, or ensure that the arrangement with the provider meets one of FERPA’s exceptions to the written consent requirement.
It depends...with excpetions is NOT acceptable.
The report also cites The Protection of Pupil Rights Amendment (PPRA) which also provides parents with some rights but it also has exceptions.
FERPA is not the only statute that limits what providers can do with student information. The Protection of Pupil Rights Amendment (PPRA) provides parents with certain rights with regard to some marketing activities in schools. Specifically, PPRA requires that a school district must, with exceptions, directly notify parents of students who are scheduled to participate in activities involving the collection, disclosure, or use of personal information collected from students for marketing purposes, or to sell or otherwise provide that information to others for marketing purposes, and to give parents the opportunity to opt-out of these activities. 20 U.S.C. § 1232h(c)(2)(C)(i).
There is always an exception. And in this case it's a big one,
PPRA has an important exception, however, as neither parental notice and the opportunity to opt-out nor the development and adoption of policies are required for school districts to use students’ personal information that they collect from students for the exclusive purpose of developing, evaluating, or providing educational products or services for students or schools. 20 U.S.C. § 1232h(c)(4)(A).
Exceptions render any protection meaningless by creating loopholes big enough for student-data to fly right through. If third-party vendors need student data to develop educational products, they collect it independently, outside of school hours, and invite parents to bring their students to participate. There should be NO exceptions by FERPA or PPRA or anyone else that allows data to be collected, shared, or or sold without the written consent of the parents.