Hundreds of colleges and universities are suddenly shutting their doors and making a rapid switch to distance learning in an effort to slow the spread of novel coronavirus disease. Likewise, hundreds of K-12 districts nationwide have either already followed suit or are likely to in the coming days.

Online education comes with a whole host of challenges of its own, though, especially when everyone's doing the best they can to pull together ad hoc solutions at the last minute. Many of the logistical questions are daunting in their own right: does everyone have a device to use? Does everyone have an Internet connection to use it on? What software tools do we already have that we can use for this? How on earth do we adapt intensive hands-on classroom curriculum, like lab work, for home viewing?

Even when all of the immediate logistical and technical needs have been triaged and handled, though, there remains another complicating factor. While the United States doesn't have all that much in the way of privacy legislation, we do, in fact, have a law protecting some student educational data. It's called the Family Educational Rights and Privacy Act, or FERPA.

FERPA applies to both written and digital student records. For students under age 18, the provisions about what may (or must) be shared or not shared apply to their parents or guardians. Once a student turns 18, the protections transfer to them directly. The provisions also apply directly to any student enrolled in a college, even if that student is not yet 18 (such as in community college dual-enrollment programs for high school juniors and seniors).

The act prohibits "improper disclosure" to third parties of personally identifiable information (PII) derived from student records. Schools are not prohibited from allowing vendors access to information for the purpose of providing services—you can use third-party digital tools for administrative and educational purposes without being in violation of the law. But the school may then be held responsible if the vendors then do shady things with student data.

In a 2015 guide for tech vendors (PDF), the Department of Education cautions: "When PII from education records is disclosed to the provider, FERPA still governs its use, and the school or district is responsible for its protection." The guide adds that the data in question may only be used for the purposes authorized by the school.

Usually educational organizations—colleges, universities, or local K-12 districts—have agreements in place with certain dedicated educational software vendors such as Blackboard or Canvas to use their tools. Compliance with FERPA is ideally part of those agreements, although adherence can be somewhat hit and miss. But when everyone is suddenly scrambling for new tools as best they can in response to a pandemic, privacy considerations may fall by the wayside.

Software platforms allowing videoconferencing, recording, and screen sharing have all seen a massive spike in use in recent weeks. Microsoft, Google, Slack, and Zoom are all offering discounts or extra features to businesses, groups, and individuals to help with the everything from home era in which we (hopefully temporarily) find ourselves. Not all of those tools, many of which are designed for enterprise use, are necessarily going to be compliant with educational regulations.

Google, in particular, has been in hot water before. Neither schools nor individuals can sue for FERPA violations, as the Electronic Privacy Information Center explains, but both states and individuals have filed suit under different statutes alleging related violations.

In 2013, a group of students sued Google over its "creepy" data-mining from Google Apps for Education tools. Google ended the practice in 2014, only to be sued again in 2016 by a group of current and former university students alleging their data was collected and retained from their Google academic accounts in violation of the Electronic Communications Privacy Act.

Neither are all the lawsuits in the past. Just last month, New Mexico Attorney General Hector Balderas filed suit against Google. That suit alleges the company's collection and use of data from schoolchildren in New Mexico violates both the federal Children's Online Privacy Protection Act (COPPA) and New Mexico's Unfair Practices Act.