The Policy Your Faculty Isn't Reading
When a professor pastes a student essay into an AI detection website, they're making a compliance decision — most likely without knowing it.
The Family Educational Rights and Privacy Act (FERPA) treats student-authored work as an education record once a school maintains it. Education records carry disclosure restrictions. Routing those records to a third-party service — even a well-intentioned AI detector — without an appropriate data processing agreement or institutional vetting may trigger FERPA's consent and disclosure requirements.
The National Education Association made this explicit in its Federal Regulations Related to Artificial Intelligence guidance: "using a program to detect AI usage may require students' work to be processed through an outside third party, which may be a violation of FERPA."
This is not a hypothetical. It is happening in classrooms right now.
What the Law Actually Says
FERPA applies to all schools and education agencies that receive funds under a program of the U.S. Department of Education — which means virtually every public K-12 district and nearly every college in the country. The U.S. Department of Education's Student Privacy Policy Office administers and enforces FERPA, and actively investigates complaints.
The NEA guidance is direct about the problem: "The last regulatory updates to FERPA predate the widespread use of technology in learning environments, including the storage of education records, the technological generation of records, and the use of technology to support and assess students. School districts and education institutions that are subject to FERPA must interpret this law for how data is accessed, used, and stored in light of artificial intelligence."
In plain language: FERPA was written for file cabinets and fax machines. Congress last updated its regulatory framework before cloud AI existed. Institutions are now responsible for applying a 50-year-old privacy law to a problem it was never designed to address — without clear federal guidance on how to do it.
The UC Santa Cruz Warning That Most Institutions Missed
UC Santa Cruz identified this risk concretely in 2023. Their guidance, cited by the NEA, "warned that using services that purport to detect when AI is used in assignments should not be used without disclosure and consent required under FERPA unless certain preconditions were undertaken pertaining to the service having been purchased and vetted by the institution or that the tool is 'protected from external access.'"
Read that carefully. The preconditions UC Santa Cruz identified are:
- The service must be purchased and vetted by the institution — not adopted by an individual faculty member using a personal or free account.
- The tool must be "protected from external access" — meaning the student data it processes cannot be used for third-party commercial purposes, model training, or data sharing outside the institution's control.
Most of the AI detection tools faculty are discovering and adopting today satisfy neither condition. A professor who runs student essays through a free browser-based AI detector has made an institutional disclosure decision that the institution's IT and compliance teams have no visibility into.
COPPA Adds a Second Layer for K-12
For K-12 districts, the exposure extends beyond FERPA. The Children's Online Privacy Protection Act (COPPA) governs online services that collect personal data from children under 13. In January 2025, the Federal Trade Commission finalized amendments to the COPPA rule that significantly strengthened requirements.
Under the updated rule, operators are now "required to obtain distinct verifiable parental or guardian consent before disclosing a child's personal information to third parties." The FTC also mandated that operators "retain children's personal information only as long as necessary to fulfill the purpose for which it was collected" and establish explicit data deletion policies.
A teacher who routes a middle schooler's essay through an unvetted AI detector — without a district-level COPPA agreement in place — may be creating liability that runs to the district. The NEA notes that schools can provide consent on behalf of parents in some circumstances, but only "particularly when the data is used solely for educational purposes." Using student work to feed a commercial AI detection model falls well outside that carve-out.
The Shadow AI Pattern Education Has Inherited
This is the same dynamic that CISOs in financial services and healthcare have been fighting for years: employees adopting AI tools faster than procurement can vet them. In those industries, the compliance exposure is GLBA or HIPAA. In education, it is FERPA and COPPA — but with a student population, a decentralized faculty structure, and a compliance framework that explicitly predates the problem.
The governance failure is structural. Most institutions have an acceptable use policy for AI tools. Policy says "only use approved AI tools with student data." Governance asks a harder question: How would you know if someone didn't?
A faculty member who discovers GPTZero or a free browser-based AI detector leaves no institutional audit trail. The submission goes out. The student data is processed by a third-party server the institution never reviewed. The FERPA clock starts running. IT finds out when a complaint arrives — if it arrives at all.
What Governance-Ready Institutions Are Building
The institutions navigating this well have moved beyond policy documents. They've built four operational controls:
Approved AI tool registry with procurement gate. Every AI tool that will interact with student work clears a procurement review — FERPA data processing agreement, vendor vetting, IT security sign-off — before faculty can access it. Tools that don't clear procurement aren't just against policy; they're blocked.
Real-time monitoring at the network layer. Browser-level or proxy-level enforcement intercepts submissions to AI services and classifies them by data type. Student essay text routed to an unapproved detection service triggers a policy alert before the data reaches the third party — not after.
COPPA-specific policy tiers for K-12. Separate controls for students under 13, where COPPA's parental consent requirements are stricter than FERPA's general provisions. Districts need policy logic that distinguishes a high school teacher submitting a 17-year-old's essay from a middle school teacher submitting work from an 11-year-old.
Audit trail for compliance documentation. Every AI-related disclosure — approved or blocked — logged with timestamp, tool, data category, and outcome. When the Family Policy Compliance Office opens an investigation, the institution demonstrates proactive governance rather than reactive response.
The Gap Containment.AI Closes
Containment.AI operates as an enforcement layer between users and AI services. When a faculty member or student routes content through an AI tool — a detection service, ChatGPT, Gemini, any LLM-powered platform — the proxy applies the institution's configured policies in real time, before data leaves the network.
For education institutions, this means:
- FERPA classification at the point of submission. Student PII and education-record content is detected and flagged before it reaches an unapproved third party.
- Shadow AI visibility across the institution. Every AI tool being used on campus is logged — not just the ones IT approved.
- COPPA-aware policy tiers. District-wide controls that treat under-13 student data differently from faculty-originated requests, reflecting the actual difference in legal exposure.
- Browser-native enforcement. The Chrome extension intercepts AI submissions at the moment of entry — before they're processed by any third-party server.
The Department of Education's enforcement posture is strengthening. The question for district CTOs and university CISOs isn't whether faculty are routing student work through AI tools. They are. The question is whether your institution can see it, govern it, and prove it when the Family Policy Compliance Office asks.
Containment.AI enforces AI governance policies in real time — at the proxy layer, in the browser, and in the admin dashboard. Start a free trial or read our documentation to see how it works for education institutions.