FERPA and School Photography: What Every District Must Know

Student photos taken by school photography vendors are education records under FERPA when maintained by the school or a party acting on the school’s behalf. Districts must have written agreements with photography vendors covering data use restrictions, security standards, re-disclosure prohibitions, and deletion timelines — or risk losing federal funding.

Last updated: March 2026

That’s the short version. But most school administrators don’t know how deep the privacy obligations run — or how many gaps exist in the typical photography vendor contract. With 37.6 million student records exposed in 3,713 data breaches since 2005 (Comparitech, 2024), 82% of K-12 schools experiencing a cyber incident between July 2023 and December 2024 (CIS MS-ISAC, 2025), and 68% of Americans opposing sharing student data with AI software (PDK Poll, 2025), the stakes have never been higher.

This guide covers exactly what FERPA requires for school photography, when COPPA applies, which state laws add requirements, and what your vendor contract must include. If your district is evaluating photography vendors for the 2026-2027 school year, this is the compliance foundation every RFP should build on.

Are Student Photos Protected Under FERPA?

Yes — When Maintained by the School or Its Agents

FERPA (the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g) protects “education records” — defined as records directly related to a student that are maintained by an educational agency or institution, or by a party acting for the agency or institution.

Student portrait photographs fit this definition when:

  1. They’re taken by a vendor acting on behalf of the school (which covers virtually every school photography contract)
  2. They’re maintained in school records, yearbooks, student information systems, or ID cards
  3. They can be used to identify a specific student

The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) has confirmed that photos maintained by or for a school are education records subject to FERPA protections (PTAC, 2023). The moment your photography vendor captures a student’s image, they’re handling protected education records.

What This Means for Photography Vendors

Under FERPA, a school photography vendor operates as a “school official” — a third party performing a service the school would otherwise perform itself. The school official exception (34 CFR § 99.31(a)(1)) allows schools to share education records with vendors without individual parental consent, but only when the vendor meets five specific requirements:

  1. Written agreement. The school and vendor must have a written contract specifying the vendor’s role and responsibilities.
  2. Legitimate educational interest. The vendor must perform a function for which the school would otherwise use its own employees.
  3. Direct control. The school must maintain direct control over the vendor’s use and maintenance of education records.
  4. Use restrictions. The vendor may only use education records for the purposes specified in the agreement.
  5. Re-disclosure prohibition. The vendor cannot share student records with any third party without the school’s written authorization.

If your current photography vendor contract doesn’t address all five elements, you have a FERPA compliance gap. And the enforcement mechanism isn’t academic: FERPA violations can result in the loss of all federal education funding — Title I, IDEA, school lunch programs, everything. The Department of Education has never actually pulled funding from a district (the penalty is functionally a nuclear option), but the regulatory obligation is real, auditable, and increasingly scrutinized.

Building a photography vendor RFP? Our free RFP template includes FERPA compliance scoring criteria and 35+ evaluation questions — including privacy-specific requirements. Download the RFP template →

Does COPPA Apply to School Photography?

When COPPA Kicks In

COPPA (the Children’s Online Privacy Protection Act, 16 CFR Part 312) applies when an operator collects personal information from children under 13 through an online service. Student photographs are explicitly classified as “personal information” under COPPA — any image containing a child’s likeness qualifies.

If your photography vendor uses an online platform to capture, store, deliver, or order student photos — and your students include children under 13 — COPPA applies.

The Federal Trade Commission enforces COPPA aggressively. Penalties run up to $53,088 per violation (FTC, 2025 inflation-adjusted). In May 2023, the FTC hit ed tech provider Edmodo with a $6 million penalty for unlawfully collecting children’s data and using it for advertising (FTC, 2023). School photography vendors aren’t exempt — if they operate an online service that touches children’s data, COPPA’s requirements are in play.

How Schools Handle COPPA Consent

COPPA normally requires “verifiable parental consent” before collecting a child’s personal information online. But the FTC recognizes a school consent exception: schools can consent on behalf of parents when the data collection is solely for a school-authorized educational purpose.

The exception comes with conditions:

  1. The school must authorize the collection for educational purposes only
  2. The vendor cannot use student data for any commercial purpose beyond the school service
  3. The school must be able to review and delete collected data on request
  4. The vendor must provide the school with a COPPA-compliant privacy policy

As FTC Chair Lina Khan stated in the Commission’s 2022 COPPA Policy Statement on EdTech: “Simply put, an ed tech provider cannot require that parents or schools sign off on sweeping data collection of children as a condition of children accessing the ed tech service” (FTC, 2022). In practice, most schools handle COPPA consent through the annual photo day opt-in/opt-out process that’s already part of their FERPA directory information designation. But the vendor is still required to operate within COPPA’s framework — meaning no commercial use of student images, no sharing with third-party advertisers, and documented data security practices.

The AI Training Question

One issue that didn’t exist five years ago: AI companies training facial recognition and image generation models on photo datasets. The 2025 COPPA amendments expanded the definition of “personal information” to include biometric identifiers like facial templates — directly relevant to any vendor using facial recognition for photo matching or sorting (FTC, 2025). Under both FERPA and COPPA, using student images to train AI models constitutes unauthorized commercial use and re-disclosure. Yet most school photography contracts written before 2023 don’t explicitly prohibit it.

If your vendor contract doesn’t include an explicit prohibition on using student images for AI training, add one. In 2026, this is non-negotiable.

Which State Privacy Laws Affect School Photography?

Federal laws set the floor. Several states have passed stronger student privacy protections that add requirements beyond FERPA and COPPA. If your district operates in any of these states — or if your vendor serves schools across multiple states — pay attention.

California — SOPIPA

The Student Online Personal Information Protection Act (SB 1177, 2014) prohibits vendors from using student data for non-educational commercial purposes, including targeted advertising. Vendors must maintain reasonable security, delete data when no longer needed for the educational purpose, and provide transparency about data collection practices. SOPIPA was the first law of its kind and became the template for many states that followed.

New York — Education Law 2-d

Ed Law 2-d (2014, updated 2020) requires schools to publish a Parents’ Bill of Rights for data privacy. Every vendor contract must include a data security and privacy plan. Third-party vendors must adopt NIST-aligned data security standards. Penalties include contract termination and potential damages. New York’s law is among the most prescriptive in the country — vendors must complete a detailed data privacy questionnaire before contracts are executed.

Texas — Student Privacy Act

Texas requires explicit parental consent before vendors share student data with third parties. The law prohibits using student data for advertising or building marketing profiles. Vendors must publish privacy policies specific to their education products. Texas also mandates breach notification to affected parties, typically within 60 days of discovery.

Illinois — SOPPA

The Student Online Personal Protection Act (105 ILCS 85, amended 2021) mandates that vendors implement strong security measures, prohibits targeted advertising using student data, requires schools to publish and maintain a public list of all vendors with access to student data, and requires vendors to delete data within 60 days of a school’s request. Illinois’ SOPPA is notable for its transparency requirements — if your vendor has access to student data, parents can see the vendor’s name on a public list.

Apply the Most Restrictive Standard Everywhere

Fifty states. Varying requirements. Tracking each one individually is a compliance headache no district needs. The smarter approach: identify the most restrictive requirements across all states and make them your baseline. If your vendor agreement meets Illinois’ SOPPA and New York’s Ed Law 2-d, it likely exceeds requirements everywhere else.

The Student Privacy Compass maintained by the Future of Privacy Forum tracks state-by-state student privacy legislation (FPF, 2025). As of 2026, 40+ states have passed nearly 150 student privacy laws in the past decade (Public Interest Privacy Center, 2025) — the trajectory is toward more protection, not less.

| State Law | Key Requirement for Photography Vendors |
|---|---|
| California SOPIPA (SB 1177) | No commercial use of student data; delete when no longer needed |
| New York Ed Law 2-d | Parents’ Bill of Rights; NIST-aligned security; detailed privacy questionnaire |
| Texas Student Privacy Act | Explicit parental consent for data sharing; 60-day breach notification |
| Illinois SOPPA (105 ILCS 85) | Public vendor list; 60-day data deletion on request; no targeted ads |
| Colorado Student Data Transparency & Security Act | Transparency requirements; annual vendor review |
| Connecticut Student Data Privacy Act (PA 16-189) | Comprehensive security plan; parental access rights |

Evaluating vendors for next school year? Capturely provides a complete FERPA and COPPA compliance documentation package — including a data security overview, privacy policy, and sample vendor agreement with all required provisions. Request Capturely’s compliance package →

What Should Schools Require From Photography Vendors?

Data Security Checklist: 10 Non-Negotiable Items

Every school photography vendor contract should address these ten security requirements. If your current vendor can’t answer “yes” to all ten, it’s time for a conversation — or a new vendor.

  1. Encryption at rest and in transit. Student images must be encrypted using AES-256 (or equivalent) during storage and TLS 1.2+ during transmission.
  2. Role-based access controls. Only authorized personnel can view student photos. Not everyone at the vendor company should have access to every student image.
  3. Written data retention policy. A documented policy specifying how long student images are stored, where they’re stored, and what triggers deletion.
  4. Data deletion timeline. An explicit commitment to delete all student data within 30-60 days after the school year ends or upon school request — whichever comes first.
  5. Breach notification commitment. Written commitment to notify the school within 72 hours of discovering a data breach involving student records. Some states require faster disclosure.
  6. AI training prohibition. An explicit prohibition on using student images to train machine learning models, including facial recognition, image generation, or any other AI system.
  7. Third-party sharing restrictions. The vendor may not share student data with any third party — including parent companies, affiliates, or advertising partners — without the school’s written authorization.
  8. Physical and logical security controls. Documentation of firewalls, intrusion detection, regular security audits, and employee training on data handling.
  9. Incident response plan. A documented plan for responding to security incidents, including roles, escalation procedures, and communication protocols.
  10. Annual security attestation. A yearly written statement from the vendor certifying compliance with every security requirement in the contract.

The Background Check Question

Background checks for school photographers are required in most states for anyone with unsupervised access to students. But the definition of “access” matters more than most districts realize.

With traditional on-site photography, photographers are physically in your school building for 4-8 hours. They’re in the gym or hallway with students, often one-on-one during portrait sessions. They see student names on class rosters, may access student ID numbers, and are physically proximate to children all day. That’s extensive access — and it demands thorough background screening.

Virtual photography models change the equation fundamentally. When sessions happen at home with parents present and photographers connecting through a phone screen, the photographer never enters a school building and is never physically alone with a child. The parent is present and supervising the entire 10-minute session.

The security distinction matters more than it might seem. Shutterfly — which owns the largest school photography vendor, Lifetouch — has been hit by two ransomware attacks in two years: Conti in December 2021 (52,777 individuals affected) and Clop/MOVEit in June 2023 (BleepingComputer, 2023). While Shutterfly stated neither breach compromised student photo data, the incidents underscore why vendor security architecture matters — and why minimizing the amount of data a vendor collects and stores reduces your district’s exposure.

At Capturely, photographers still undergo background checks as a best practice, even though the virtual model eliminates physical access to children entirely. But the privacy advantage is structural: there’s no unsupervised physical contact, no access to school hallways, and no proximity to students beyond the parent-supervised phone session.

How to Manage Photo Consent and Opt-Outs

Under FERPA, schools can designate student photographs as “directory information” — a category of personally identifiable information that can be disclosed without individual consent. But parents must receive annual notice and the opportunity to opt out.

Here’s the practical workflow for school photography consent:

  1. Annual notice. At the start of the school year, notify parents that student photos are designated as directory information and explain how they’ll be used (yearbook, ID cards, school website, etc.).
  2. Opt-out period. Give parents a defined window (typically 2-4 weeks) to opt out of having their child photographed or their images shared.
  3. Track and flag opt-outs. Maintain an accurate list of opted-out students and share this list with your photography vendor before sessions begin.
  4. Vendor enforcement. Your vendor must have a system for flagging opted-out students so they are not photographed. With virtual models, this is straightforward — opted-out families simply don’t receive a session link. Zero manual line management. Zero human error.

Opt-out management is one of the highest-friction compliance tasks on traditional picture day. When 500 students cycle through a gym in a single day, ensuring that every opted-out student is identified and excluded requires real-time roster checking, volunteer coordination, and constant attention. Mistakes happen — and each one is a potential FERPA violation that didn’t need to happen.

How Does Virtual Photography Improve Student Privacy?

The model a photography vendor uses directly affects your district’s privacy risk profile. Here’s how virtual school photography compares to traditional on-site models on every dimension that matters for compliance.

| Privacy Dimension | Traditional On-Site | Virtual (At-Home) |
|---|---|---|
| Physical access to children | Photographer in school 4-8 hours; one-on-one sessions | No physical access; parent present; phone-screen interaction only |
| Background check exposure | Required — physical proximity to minors in school | Best practice maintained — but no physical proximity exists |
| Student roster access | Photographer sees full class rosters with names and IDs | Photographer sees only the child they’re directing in real-time |
| Photo capture device | Vendor’s camera equipment (vendor controls hardware) | Family’s own phone (family controls the device) |
| Data transit path | Vendor camera → vendor laptop → vendor cloud → delivery | Family phone → encrypted upload → secure delivery |
| Equipment on school property | Camera, laptop, lighting, backdrop — all day in school | None — zero vendor equipment on school property |
| Opt-out management | Manual — must identify and exclude students from line | Automated — opted-out families never receive a session link |
| Data footprint in school | Student images captured and processed on school premises | No student data captured on school premises at all |

These advantages aren’t theoretical — they’re structural. A virtual model eliminates entire categories of risk that on-site photography creates by design. No vendor equipment in your building means no physical security risks. No photographer in your hallways means no background check complications. No class roster exposure means a drastically reduced data access surface.

Capturely’s platform accesses only the phone’s camera through an API — not the device’s photos, contacts, storage, or any other personal data. The parent is present and supervising every session. No app download is required, so there’s no persistent software on the family’s device after the session ends. This is the same minimal-footprint security architecture that passes enterprise security reviews at organizations like Google, UnitedHealth Group, and McKinsey — applied to K-12 school photography.

Want to see how the virtual model works? Capturely offers free pilot programs for schools — photograph one grade at no charge and experience the privacy-first approach firsthand. Request a free pilot →

What Compliance Documents Should You Request From Vendors?

When evaluating school photography vendors, request these seven documents before signing any contract. A vendor that can’t produce them — or pushes back on the request — is telling you something about their privacy posture.

  1. FERPA Compliance Statement. Written documentation of how the vendor meets FERPA requirements as a school official, including data use restrictions and re-disclosure prohibitions.
  2. COPPA Compliance Statement. How the vendor handles personal information from children under 13, including their use of the school consent exception and parental notification practices.
  3. Privacy Policy (K-12 specific). Not a generic corporate privacy policy — a version specifically addressing how student data is collected, used, stored, and deleted in the school photography context.
  4. Data Security Overview. Technical documentation covering encryption standards, access controls, server locations, backup procedures, and incident response protocols.
  5. Background Check Certification. Verification that all personnel who interact with students or handle student data have passed background screening, with documentation of the screening methodology.
  6. Insurance Certificates. Current certificates for general liability ($1M per occurrence / $2M aggregate), professional liability (E&O), cyber liability, and workers’ compensation.
  7. Sample Vendor Agreement. A draft contract that includes all FERPA-required provisions — information definition, authorized use, re-disclosure prohibition, school access and control, and security standards.

According to Amelia Vance, President of the Public Interest Privacy Center and former VP of Youth & Education Privacy at the Future of Privacy Forum, “Student privacy is a microcosm of every privacy issue out there, except we’re talking about kids, which makes things so much more sensitive” (PIPC, 2024). The vendor agreement is where that sensitivity gets translated into binding obligations.

If a vendor holds SOC 2 Type II certification, that’s a strong signal. 78% of school district CTOs now require SOC 2 Type II for vendors handling student PII — and the number jumps to 94% for districts serving 10,000+ students (Hireplicity, 2026). Capturely routinely passes enterprise security reviews at organizations like Google and UnitedHealth Group — and applies those same security standards to its K-12 platform.

For a complete vendor evaluation framework with privacy-specific scoring criteria, see our school photography RFP template and guide.

Frequently Asked Questions

Are school photos protected by FERPA?

Yes. Student photos taken by a school photography vendor are education records under FERPA when maintained by the school or a party acting on its behalf (20 U.S.C. § 1232g). Photography vendors must have written agreements with schools specifying data use restrictions, security standards, re-disclosure prohibitions, and deletion timelines. Schools share student images with vendors under the “school official” exception without individual parental consent, provided the vendor meets all five requirements under 34 CFR § 99.31(a)(1).

Do photography vendors need COPPA compliance?

If the vendor collects personal information from children under 13 through an online service — which includes digital photography platforms used for ordering, galleries, or delivery — COPPA applies (16 CFR Part 312). Student photos are “personal information” under COPPA. Schools can consent on behalf of parents for educational purposes, but the vendor must still operate within COPPA’s framework: no commercial use of student data, documented security practices, and a COPPA-compliant privacy policy provided to the school.

Can schools share student photos on social media?

It depends on the school’s directory information policy and whether parents have opted out. If student photos are designated as directory information and parents haven’t opted out, schools generally can share them on social media. However, best practice is to obtain specific, separate consent for social media use — which goes beyond the standard yearbook or school website use that most parents expect when they consent to photography. Texas and Illinois have additional restrictions on sharing student data publicly. When in doubt, get explicit written permission.

What happens to student photos after the school year?

Your vendor agreement should specify a data retention period and deletion timeline. Best practice is requiring vendors to delete all student images within 30-60 days after the school year ends or after fulfillment is complete — whichever comes later. Illinois’ SOPPA mandates deletion within 60 days of school request. Make sure the deletion requirement covers all copies: primary storage, backups, and any third-party processors. Request written confirmation when deletion is completed.

Do school photographers need background checks?

Most states require background checks for anyone with unsupervised access to students on school property. For traditional on-site photographers who spend full days in school buildings, background checks are mandatory in virtually every jurisdiction. For virtual photography where the photographer never enters a school and the parent is present during every session, the legal requirement varies — but reputable vendors run background checks as a best practice regardless of model type. Ask for documentation, not verbal assurance.

How should schools handle photo opt-outs?

Notify parents annually that student photos are directory information and provide a 2-4 week window to opt out. Maintain an accurate opt-out list and share it with your photography vendor before portrait sessions begin. The vendor must reliably exclude opted-out students from photography. Virtual vendors handle this automatically — opted-out families never receive session links, eliminating the manual line-management errors that create FERPA risk during traditional picture day. On-site vendors need manual processes to identify and exclude students from the photography line.
