Google is in the hot seat for allegedly scanning emails for commercial purposes. The emails in question were sent by Google Apps for Education (GAFE) users—specifically college students. It is no secret that advertising data for millennials is a valuable commodity, and according to a new lawsuit filed on Jan. 27 in the Northern District of California, San Jose Division, it is alleged that Google collected data on individual end users in this demographic without their consent. Beyond the data privacy concerns that this case raises, it has an additional wrinkle for schools. Here, the plaintiffs’ pleadings cite representations that their schools have made to them about how Google scans emails sent through GAFE, and the plaintiffs argue that in some cases, schools made affirmative representations about the security and privacy of those student emails to the student body. This new suit raises questions about Google’s representations about how and whether it scans GAFE accounts, and may leave schools wondering if they have unduly exposed sensitive information or violated The Family Educational Rights and Privacy Act, or FERPA, as a result of outsourcing email services to a third-party.
Understanding FERPA
The Family Educational Rights and Privacy Act, (FERPA) is a federal law that prohibits disclosure of student education records to anyone other than an eligible student or parent, except under limited circumstances, as held in 20 U.S.C. Section 1232(g), 34 C.F.R. pt. 99. FERPA defines “education records” as records that contain information directly related to a student, and that are maintained by an educational agency or institution or party acting for that agency or institution. Broadly, this covers personally identifiable information from a student record that does not fall within an exception. FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Schools that violate FERPA risk losing their federal funding.
