Is Office 365 compliant with FERPA?
While an educational institution has many varied obligations under FERPA, Microsoft stipulates the key contractual terms that govern the use and disclosure of education records that may be stored in Office 365, allowing educational institutions to use Office 365 as part of a broader FERPA compliance strategy.
FERPA requires any educational agency or institution that receives funding from the U.S. Department of Education to protect privacy rights of students by safeguarding “education records” from use or disclosure without consent. Department of Education guidance makes clear that email communications are considered education records subject to FERPA and that cloud email providers should be similarly restricted in how they use or disclose information in emails and documents.
FERPA requires that a cloud provider agree that “education records” contained in faculty, staff, and student emails and other electronic documents will be used only for the narrow purpose of providing the cloud service and that such information will not be scanned or used to support and maintain commercial activities such as advertising. Microsoft provides educational institutions with a route to FERPA compliance by agreeing to be deemed a “school official” subject to FERPA with “legitimate educational interests” in the institution’s data, and by agreeing to abide by the limitations and requirements imposed by FERPA on school officials, including agreeing that it will not scan institution emails or documents for advertising purposes.
If my school uses Office 365, does Microsoft require direct parental consent for students under the age of 13 to ensure COPPA compliance?
No. Microsoft uses Office 365 customer data only to provide the Office 365 service and not for other commercial purposes (such as for advertising or marketing or to build commercial profiles). The Federal Trade Commission (FTC) has stated that under such circumstances an “operator is not required to obtain consent directly from parents.”
Microsoft provides Office 365 to the school as our customer, and all customer data belongs to the school. We do not use or share Office 365 customer data for any other commercial purposes (for example, in connection with advertising or marketing, or to build user profiles for commercial purposes not related to the provision of Office 365). For more information, please visit the Office 365 Trust Center. Accordingly, the FTC’s guidance indicates that an operator such as Microsoft does not need to obtain direct consent from parents of students using the service—even if they are under the age of 13. As the FTC explains, COPPA allows schools to act either as an intermediary for parental consent or as “the parent’s agent in the process of collecting personal information online from students in the school context” where, as here, the operator collects users’ personal information only for the use and benefit of the school. However, consistent with the FTC’s guidance, we believe schools should forward information to parents about how personal information is collected, used, and shared in Office 365—including assurances that Microsoft will not use such information for other commercial purposes—in the school’s own Acceptable Use Policy for Internet Use or a similar document that educates parents about in-school Internet use of Office 365 and any other online services, whether provided by Microsoft or other providers. For more information on COPPA compliance generally, see the FTC’s Complying with COPPA: Frequently Asked Questions. For unique issues related to COPPA and schools, refer to FAQs M1 to M4 in that document.
If my business is subject to the Children’s Online Privacy Protection Act (COPPA), can I use Office 365 and remain compliant?
Yes. Microsoft uses customer data only to provide the Office 365 service and does not use or share the data for its own or a third party’s commercial purposes, such as for advertising purposes. Moreover, Office 365 provides features and security that support customers’ compliance with COPPA.
We understand that Microsoft customers may use Office 365 in connection with activities that may be governed by COPPA—like providing commercial online services directed to children under 13 years of age or otherwise knowingly collecting personal information from such children. Office 365 customers are ultimately responsible for complying with their own COPPA obligations, which may include providing parents with notice of the customer’s practices regarding the collection, use, and disclosure of personal information from children under 13, and obtaining any necessary parental consents. However, the use of Office 365 creates no additional COPPA burdens for customers beyond those that would apply if the customer used an on-premises solution. Microsoft uses the customer data in the Office 365 services only for the benefit of the customer—we don’t use or share customer data for commercial purposes other than to provide the Office 365 service. Moreover, Office 365 supports customers’ compliance with COPPA through our implementation of extensive measures designed to help protect the confidentiality, security, and integrity of customer data. For more information on COPPA compliance generally, see the FTC’s Complying with COPPA: Frequently Asked Questions.
If my organization is subject to the Children’s Internet Protection Act (CIPA), does Office 365 provide controls that help with compliance?
Yes. CIPA requires certain schools and libraries that receive funds from the U.S. Department of Education, or that receive certain discounted services through the U.S. E-rate program, to annually certify that they have an Internet safety policy that includes technological measures to protect against Internet access to visual depictions that are obscene, child pornography, or harmful to minors. Entities subject to CIPA must also certify that their Internet safety policy addresses unauthorized disclosure, use, and dissemination of personal information regarding minors, among other requirements. Although CIPA obligations do not directly apply to Microsoft or to the provision of Office 365 services, and customers must independently assess whether their Internet safety policy complies with CIPA obligations (including technological measures governing web access entirely unrelated to Office 365), the Office 365 service supports customer compliance through administrative controls that allow customers to control user access to Office 365 components, and through the implementation of extensive security measures designed to help safeguard customer data.
Updated September 14, 2017