This week the U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) released new guidance regarding how schools and districts should protect student data when using online educational services. PTAC defines online educational services as “computer software, mobile applications (apps), and web-based tools provided by a third-party to a school or district that students and/or their parents access via the Internet and use as part of a school activity.”

This guidance implicates numerous tools that can better personalize learning for students. How does privacy law impact how these tools can be used in schools? According to PTAC, “it depends.”

Such deep ambiguity is not PTAC’s fault. FERPA includes so many exceptions regarding when and how data can be shared (e.g., the school official exception, the directory information exception, the exception for metadata that is stripped of personally identifiable information) that it can be difficult to extrapolate hard and fast rules to guide districts. Moreover, because so much of what unfolds between districts and providers will depend on the particular contract terms that they agree upon, contract law will likely be as vital as privacy law when the rubber hits the road. Therefore, although guidance can help districts and vendors navigate the labyrinthine rules and exceptions articulated in FERPA and PPRA, it’s likely less helpful in the day-to-day decisions that districts leveraging technology stand to face.

My main takeaway from the 14-page document is that even with this guidance, privacy law’s effects on educational software will have to unfold on a case-by-case basis. As the document itself purports: “schools and districts will typically need to evaluate the use of online educational services on a case-by-case basis to determine if FERPA-protected information (i.e., PII from education records) is implicated.”

The worry then is that this case-by-case analysis will become so costly as to dissuade districts from contracting with software providers in the first place. Or, short of that, districts may be gun-shy about moving into the greyer areas of the laws and simply refuse to provide student identifiers to software providers. This would not keep learning technologies out of schools entirely, but it would limit content providers’ ability to track student progress in ways that could help guide wise data-driven instruction. From the perspective of trying to nurture demand for tools that can personalize instruction, that move may be of grave concern down the line.

On the other hand, the grey areas in the law leave a lot to the discretion of districts, particularly in how they choose to contract with providers. This would seem to provide a promising forum to address the real privacy debate that is raging outside of DC: not a debate between districts and the federal government, but between parent groups and districts contracting with third parties. Thus far, efforts to explain the law to groups concerned about privacy breaches have not appeared particularly successful, in part because those groups appear to fundamentally disagree with some of what the law allows (particularly around providing third parties with student data for research that could improve instructional models). If an individual district, however, can engage in contract negotiations with providers with parents at the table, then these negotiations might start to address parents’ real fears in a productive manner.

So what does all this mean for the future of personalized instruction? It’s unclear whether any of this new guidance will change the landscape of data-driven personalized instruction, particularly because so much instructional software can be fit within school official exception. It’s also unlikely that the student privacy debate can be solved even with the best possible guidance document. In fact, this debate is more local, more personal, and more nuanced than the federal or even state laws can necessarily accommodate. PTAC’s guidance should be the part of ongoing conversations about the ambiguities, drawbacks, and advantages of sharing student data with online providers; unfortunately, it can’t provide all of the answers.