US privacy compliance for remote testing is not “one law.” The operational reality is a mix of FERPA, state privacy laws, and contractual constraints—especially for institutions that must maintain ownership and control of student records.
FERPA: vendors as “school officials”
In many deployments, proctoring vendors are treated as school officials under FERPA. That typically requires:
- the institution retains direct control over education records
- data is used only for legitimate educational interests
- access is limited, audited, and time-bound
State-level momentum (including California)
State laws are increasingly explicit about:
- minimization of biometric and surveillance-adjacent data
- prohibitions on secondary use (e.g. marketing)
- tighter retention and deletion expectations
The architectural shortcut: don’t collect what you don’t need
A privacy-first system that performs monitoring on-device and avoids storing raw video shrinks the set of data that must be protected, audited, and covered by contract.
What to request from a proctoring provider
- a clear data inventory (what is processed and where)
- retention schedule and deletion guarantees
- reviewer access controls and audit logs
- incident response and breach notification commitments