Are Educational Institutions Adequately Protecting Student Email Addresses?

With advances in education technology and the prevalence of technology use in general, instructors, system administrators, online service providers, and others are commonly requesting that students and parents supply their email addresses in order to facilitate communications and learning.  Under current California law applicable to K-12 public educational institutions, student email addresses may be classified as “directory information” by a school district.  (Ed. Code § 49061(c).)  The Education Code definition of directory information applicable to community colleges, however, does not include email addresses.  (Ed.Code § 76210.)   Instead, community colleges are required to adopt a policy that identifies those categories of “directory information” as defined by the federal Family Educational Rights and Privacy Act (“FERPA”).  The FERPA Regulations identify email addresses as a possible category of directory information.  (34 CFR § 99.3.)

Educational institutions must have a policy identifying the categories of directory information which can be released, and provide annual notice of that policy.  (Ed. Code § 49073 and § 76240.)   However, educational institutions may not provide directory information of individuals who have notified the educational institution that such information shall not be released.  (Ed. Code § 49073 and Ed. Code § 76240.)

Although school districts have discretion to determine which individuals, officials, or organizations may receive directory information, school districts are prohibited from releasing such information to private profit-making entities other than employers, prospective employers, and certain representatives of the news media.  (Section 49073.)  Community colleges may limit or deny the release of specific categories of directory information based upon a determination of the best interests of the students.  (Ed. Code § 76240(b).)  These restrictions emphasize the importance of ensuring that the educational institution is not improperly releasing directory information or violating FERPA.

If student email addresses are included in the categories of directory information, they may be released pursuant to an adopted and properly noticed policy and applicable law, except for the email addresses of those who have opted out of such release.  (Ed. Code § 49061 and § 49073.)  However, educational institutions should carefully consider whether to include email addresses as directory information for several reasons.

Even if email addresses are properly released, educational institutions should be aware that the courts and legislature have an interest in protecting personal information which, if disclosed, could lead to the harassment of students and families.  For instance, in the Education Code, the California Legislature stated with respect to the release of telephone numbers:

“[It is] in the interest of pupil confidentiality, that school districts minimize the release of pupil telephone numbers in the absence of express parental consent.  The Legislature finds and declares that the nondisclosure of pupil telephone numbers will reduce the possibility of harassment of pupils and their families by organizations that receive pupil directory information.”  (Ed. Code §  49073.5(b).)

Although Section 49073.5(b) does not address email addresses, it is arguable that the release of student email addresses, like the release of phone numbers, could lead to the harassment of pupils and their families.  This is supported by the reasoning of a recent California court decision pertaining to the release of email addresses in connection with credit card transactions.  While the case, decided by the U.S. District Court for the Eastern District of California, is limited to addressing language under California’s Song-Beverly Credit Card Act of 1974 (Credit Card Act), the court addressed an issue of first impression which may provide insight about the protection of email address information.  (Capp v. Nordstrom, 2013 WL 5739102 (E.D.Cal.).)  Specifically, the court found that email addresses, like zip codes, are “personal identification information” under the Credit Card Act.  Most relevant to educational institutions was the court’s discussion about what can happen when email addresses are released.  For example, collected email addresses can be used to “reverse append” and obtain additional information about their owners, such as address and phone information.  The release of such information could not only subject the consumer to unwanted marketing but also undermine privacy.  While the Capp v. Nordstrom case was a limited matter of first impression, it is possible that this case is signaling a change in attitude toward email addresses.  In particular, there are some risks associated with sharing and distributing email addresses.

In addition, the release of student email addresses of children could invoke the Children’s Online Privacy Protection Act (“COPPA”) (15 USC §§ 6501-6506).  COPPA applies to operators of commercial websites that collect personal information from children, including email addresses.  That is, COPPA defines “personal information” as “individually identifiable information about an individual collected online,” including a first name, last name, home address, email address, telephone number, social security number, as well as any other information that “permits the physical or online contacting of a specific individual.”  (15 USC § 6501(8).)  Additionally, personal information includes any information collected online concerning a child or the parents of that child that is then combined with any of the foregoing identifiers.  (15 USC § 6501(8)(G).)  So a school district should consider whether categorizing email addresses as directory information may have the unintended consequence of facilitating targeted advertising to District students through their email addresses.

Educational institutions should periodically examine their policies and practices with regard to the collection and release of email addresses.  Are they treating email addresses as directory information?  Are they restricting the release of such information?  Are they protecting their students and families from unwanted marketing, harassment, and privacy invasions?  Are teachers and instructors using care when collecting and releasing email addresses?  These are just a few of the basic questions educational institutions should consider as they increasingly rely upon email communications and online services.

Other AALRR Blogs

Recent Posts

Popular Categories



Back to Page

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Privacy Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.