Yearbook Companies Exploit FERPA Exemption to Collect Student Data

By Samantha Cleaver

When Cheri Kiesecker, co-chair of the advocacy organization Parent Coalition for Student Privacy in Colorado, ordered her son’s yearbook, she reviewed the privacy policy and was shocked at what she saw.

According to the privacy statement, Jostens Inc., like other yearbook companies, receives personal information from schools — and then combines that data with information from other sources to validate and update their databases.

They use the data collected for myriad purposes, including creating and promoting their products — and, as stated in their privacy policy, “for other purposes permitted under this Policy except as prohibited by applicable by law.”

Digital Privacy News reached out to Jostens for comment but did not receive a response.

The broad collection and use of data by Jostens are just two ways yearbook and other companies are collecting and using data under the U.S. Family Educational Rights and Privacy Act (FERPA) directory-information exemption.

FERPA, the 1974 law that governs student information, includes an exemption that allows schools to identify data as “directory information.”

That material then can be disclosed to outside organizations without explicit permission from parents or students.

“The repurposing of data is no longer safe.”
Cheri Kiesecker, Parent Coalition for Student Privacy, Colorado.

Photographs, Too

Under FERPA, images and photos are personally identifiable information that could be included as directory information. Photographs are a common disclosure, said LeRoy Rooker, senior fellow with the American Association of Collegiate Registrars and Admissions Officers, because they could be used for a school annual or sporting event.

However, a new World Privacy Forum (WPF) report shed light on concerns related to how photos and other pieces of identifiable information that can be released under directory information may be made available and used.

According to a U.S. Department of Education spokesperson, “Congress included the directory-information exception under FERPA to allow schools to make disclosures of the type of information not generally considered harmful or an invasion of privacy, such as information that would normally be found in a school yearbook or directory.”

The WPF report, released last month, raised concerns with how yearbook companies were using student data after obtaining it from school systems.

For example, yearbooks have been using facial-recognition technology to search old yearbooks, and some are using this technology with current student photographs.

Facial-Recognition Exemption

According to the WPF study, while data that schools hold is regulated under FERPA, facial recognition that yearbook companies do may not, depending on implementation.

Then, concerns arise about how yearbook companies use the data once they have completed a yearbook. Schools may think the data is trashed, but that may not be the case.

“Data is valuable,” Kiesecker told Digital Privacy News. “The repurposing of data is no longer safe.”

Also, when student images are included under directory information, it leaves student materials up for data-scraping.

The WPF identified that facial-recognition companies can target school web sites for scraping. Once that information is scraped, Kiesecker posed, “How much of that data is being used to sell to colleges or future employers or data brokers?

“In the 1970s,” when FERPA was created, Kiesecker told Digital Privacy News, “we didn’t think about how school photos could be attached to artificial intelligence.”

Now, risks abound for misuse and repurposing of data that didn’t exist, even a few years ago. 

“So many schools have the best interest of kids at heart,” said Kiesecker, “and they don’t understand how the data could be used.”

Samantha Cleaver is a writer based in Charlotte, N.C.

Safeguarding Digital ‘Footprints’

In addition to opting out of providing your child’s directory information data, the World Privacy Forum recommends taking these other steps:

  • Ask your child’s school not to designate photos as directory information. Schools then gain more control over how data is shared and used. Obtaining consent before using facial-recognition technology is preferable.
  • Encourage your child’s school to write its contract with the yearbook company so that the photos are used for the yearbook and nothing else.
  • For images included on a web site, schools can include “anti-scraping” tools or image-clocking techniques that prevent them from data-scraping.
  • Schools should avoid posting photos of students on public websites that can be scraped. Images should be emailed to parents or put on password-protected pages.

Cheri Kiesecker of the Parent Coalition for Student Privacy in Colorado advises encouraging your child to think about their data footprint. For older students, help them think through what directory information is being released and why, and how they can manage their personal data footprint.

Sources (external links):