How NYC parents can opt out of data sharing and better protect their child’s privacy

 

 Important update:  Our special privacy briefing via Zoom has been rescheduled to Wed. Oct. 22 at 6 PM! 

In May 2025, the NYC Department of Education revised Chancellor’s regulations A-820, to authorize DOE and schools to disclose a category of student personal data called Directory Information for the first time within the school  or to non-school vendors, as long as parents were provided with the right to opt out.

Yet the instructions for parents on how to opt out on the DOE website are difficult to access and understand, requiring clicks across many webpages and forms.  In some cases, the webpages omit key details, including which grade levels these disclosures apply to and the deadlines for opting out.  In at least case, the deadline listed is from last year and in the case of disclosures to charter schools requires that you know your child’s OSIS number.

1. How to opt out of the disclosure of your child’s Directory Information

To simplify the opt out process for parents, the Parent Coalition for Student Privacy has developed a simple one page opt out form that offers all this information in a clear and organized fashion, and can be printed, filled out and handed in at your child’s school.

To be clear, this is an unofficial form that we have created based on the opt out form used by Los Angeles public schools.  Though we repeatedly urged DOE to create a similar form, they have refused to do so.  Still, we recommend you print this form , fill it out and hand it in at your school as soon as possible.

• In any case, to ensure that the DOE recognizes your intention to opt out, you should also check our instructions on how to opt out of four different directory information disclosures that DOE intends to make: to charter schools, the military and/or colleges for recruitment purposes, as well as the National Student Clearinghouse.

• Also, here are  instructions on how opt out of the NYC Kids Rise savings program, which DOE and the company have made especially complicated.

• Your school is also supposed to provide you with a separate opt-out form for whatever disclosures they intend to make to other organizations and/or purposes, as well as specific information about what data will be disclosed in each case if you do not opt out. If you haven’t received that form, ask your principal or Parent Coordinate for it asap.

• If any of these disclosures are being made to companies or individuals outside of the school community, there must also be a written agreement or contract that protects the confidentiality of your child’s personal data. This is the only significant change that we managed to convince DOE to make to improve their initial proposed regulations.  Ask your principal to provide that written agreement.

Additional questions parents should be asking about their children’s privacy and ed tech at their schools

In any case, it is important to note that  the instructions above only deal with the category of directory information provided to non-school vendors, generally for non-educational purposes.

DOE and individual schools have signed up with more than 500 ed tech companies to provide various types of services and programs, each of which collect and process personal student  data, much of it extremely sensitive.  As a result, NYC students have suffered multiple damaging data breaches over the last few years.

While in most cases, parents cannot opt out of this type of disclosure, they do have the right under NY Ed Law 2D  to be alerted as to which companies have access to their children’s personal info, how it will be protected from breaches and misuse, and how they can check to see if it is accurate and ask for it to be corrected if necessary.  See our Parent Bill of Rights summary here.

So if you are concerned about your child’s privacy, here are some additional questions that you should ask your principal or School Leadership Team about the educational apps or programs employed in your child’s classroom and school:

• Request the names of all the ed tech programs used by your children, their teachers, and/or school administrators that can access your child’s personal information. Be sure to request the names of all the programs that DOE has told them to use, as well as the programs that the administrators or teachers have chosen  that collect or process your child’s personal student data.
• If they seem reluctant, remind them that the state student privacy law, Ed Law 2D, provides parents with the right to see the data collected by outside agencies, companies, organizations or other third parties. Parents cannot do that unless they know the names of these programs or apps.
• Also, ask for a copy of the privacy and security protections for each of these programs, explaining how the data is secured, minimized and deleted when it is no longer necessary to provide the contracted services.

Some of that information is supposed to be on the DOE website but we have too often found that critical information there is missing or incomplete.   As a result, data breaches are all too common, including of the information of students  who have long graduated.

• Be sure to ask specifically which of these programs use Artificial Intelligence, and which additional privacy protections are for these programs, if any. Many AI programs are known to mine personal student data to improve their products, which is illegal under Ed Law 2D and/or its regulations.
• You should also ask how many hours per day or per week your child is spending on computers while in school. Now that there is a school cell phone ban, parents should also be concerned about excessive screen time in schools, which has been shown to be far less effective in terms of  student learning and engagement than classroom debate and discussion, as well as reading, writing and doing math on paper.

Finally, I will be holding a special privacy briefing for parents on Wed. October 22 at 6 PM to go over these and more issues in more depth. 

This  is the same day as the deadline of October 22 to be able to opt out of the disclosure of personal info of 11^th and 12^th graders for the purposes of military and/or college recruitment. 

 You can register for this briefing here or at https://tinyurl.com/specialprivacybriefing 

Or scan the QR code below. 

DOE privacy regulations: revised yet again but still put student privacy, health and safety at unacceptable risk!

The DOE has issued revisions to their earlier version of the Chancellor's A-820 regulations on student privacy for the second time.  They have also delayed the PEP vote on them until Nov. 20, in response to our letter, and the more than 3,000 emails sent by students and parents in opposition. Yet the revisions are minor and are not nearly strong enough. 

Despite the fact that Ed Law 2D, passed by the State Legislature in 2014, requires much more rigorous protections for the disclosure of any and all student personal information  outside schools and district walls, these regulations would significantly weaken existing student privacy.  They would do this by allowing a broad and essentially unrestricted array of highly sensitive personal information to  be designated as Directory Information, that DOE could share with any individual, corporation or organization they like, without parent consent, and without the full privacy protections of state law.

Instead, they would allow the following information to be disclosed to any third party they like, as long as they say this disclosure would "benefit" the district and students, and with only parent opt out as safeguards:

We know that many parents will never be alerted to their opt out rights, and,  as in the case of charter school disclosure, many parents may opt out and their children's information will still be shared with third parties anyway.  

Disclosing this extensive, highly personal, and essentially unrestricted array of personal information could be dangerous to a child's safety, risking predatory marketing, identity theft, and even abduction. The addresses of migrant children currently living in hotels or shelters could even be shared. with organizations claiming to have a positive purpose but actually with the intention of harassing or deporting them.

All the regs say about parent notification is that that the "Directory Information notice must be written and distributed in a manner reasonably likely to be seen by the Parent or Eligible Student."

This proposed dangerous policy is not aligned with the existing Chancellors regulations, which do not allow the district to disclose ANY personally identifiable student information without parent consent, nor is it consistent with what is currently written on the DOE's own website:

 

If DOE has properly considered home addresses, telephone numbers and dates of birth too "sensitive in nature" to be categorized as Directory Information, why are they changing their mind now? 

This proposal is also not aligned with how other districts in the state and the nation treat or designate  Directory Information, by excluding much of the personal information included in the Chancellors regulations:

• ·       BOCES Capital region DI policy excludes student birth dates, addresses, phone numbers and email addresses.

• ·       Nassau County BOCES DI policy does not include birth date, email, or phone number as Directory Information.

• ·       Fabius-Pompey school district in upstate NY includes only name, grade level, degrees and honors, sports participation, and team members’ weight and height as Directory Information. Moreover, the district says they will disclose this information only for the purposes of yearbooks, honor rolls, graduation programs and the like.

• ·       Scarsdale designates only a student's name, address, and school as Directory Information, and says they provide this information only to PTAs and the Village of Scarsdale for the purpose of mailings and pool passes.

·       Elsewhere in the nation, Boston Public Schools, even without a strong privacy law, only includes a student’s name, age, grade level, and dates of enrollment as Directory Information, understanding that sharing other sorts of personal data without consent or privacy protections would be too risky and intrusive.

There are other serious problems with these proposed regs, including how the DOE has refused to give the protections of Ed Law 2D to medical and health records maintained by schools, if they were made by Dept of Health employees.  

 

We have already seen in the Teenspace controversy how the Department of Health's contract with Talkspace does not have the protections required by Ed Law 2D.  Instead,  we  discovered that when a NYC student visits the Teenspace website on their phone, their personally identifiable information is shared with 15 ad trackers and 34 cookies, as well as Facebook, Amazon, Meta, Google, and Microsoft among other companies. Our findings were later confirmed by a security company and they are particularly concerning, given how the city is suing many of these companies for undermining children’s mental health and designing their platforms to be addictive, to maximize their profits. 

 

Please send yet another letter to the Chancellor, copied to the Chief Privacy officer and the members of the PEP, letting them know this is unacceptable, and that the regulations reveal a troubling lack of respect for students' privacy and safety.