Education
A Wyckoff Mom Asked If Her Daughter's Opinions Were Allowed to Be Collected. No Law Clearly Says.
After Mia Joudeh told the K-8 Board her fifth-grader was asked to weigh in on presidential age limits and driving laws inside an iReady lesson, we mapped the federal and New Jersey privacy laws that could apply — and found none of them settles the question.
At the Wyckoff K-8 Board of Education's June 29 meeting, Mia Joudeh, of Kaitlin Lane, told the board that her fifth-grade daughter had been asked opinion questions inside an iReady vocabulary lesson — including prompts asking the student to agree or disagree that "18 year olds should be eligible to run for president" and that she "would voice support for a law that lowers the driving age."[1] She asked whether the district knew, how responses were stored, and whether opinions were being collected without parental consent.[2] (See our full coverage of the June 29 screen-time survey.) As of publication, the district has not addressed the matter publicly — neither on its website nor at a subsequent Board of Education meeting. This piece lays out what the law actually says about student data — and what it leaves unresolved.
The short version
None of the laws below gives a clear yes-or-no answer to whether the district or Curriculum Associates needed the Joudehs' consent for questions like whether an 18-year-old should be able to run for president, or whether the driving age should be lowered. FERPA likely permits the arrangement in principle, but the actual vendor contract isn't public. PPRA doesn't say whether an opinion prompt inside a lesson counts as a "survey," and COPPA doesn't say whether questions like these fall inside or outside the "educational context" a school can consent to on a parent's behalf — both statutes leave the quoted terms undefined. New Jersey's newest privacy law may not even apply, depending on facts about Curriculum Associates that aren't public either.
| Law | What it covers | Reaches iReady? | Private right to sue? | Enforced by |
|---|---|---|---|---|
| FERPA[3] | Education records; lets vendors act as "school officials" | Likely — but neither district has published the contract | No | U.S. Dept. of Education |
| PPRA[4] | Surveys touching 8 protected areas, incl. political beliefs | Unresolved — depends on what counts as a "survey" and how iReady is funded | No | Dept. of Education (Student Privacy Policy Office) |
| COPPA[5][6] | Commercial data collection from children under 13 | Contested — turns on COPPA's "educational context" limit | No | Federal Trade Commission |
| NJ Online Privacy Act (S332)[7] | General consumer data; applies above a size threshold | Unknown — Curriculum Associates' consumer scale isn't established | No | NJ Attorney General |
| N.J.S.A. 56:8-215 et seq.[15] | K-12 ed-tech vendors: bars profiling, selling data, targeted ads | Likely covers Curriculum Associates as an "operator" — but whether its practices cross the specific bans isn't established here | Yes, in principle — via NJ's Consumer Fraud Act | NJ Attorney General (Consumer Affairs) |
| N.J.S.A. 18A:36-35[8] | A district's own website postings only | No — doesn't reach vendor-collected data | N/A | N/A (self-executing prohibition) |
Who enforces these laws, and can I sue?
Every one of these laws is enforced by a government agency — the U.S. Department of Education, the Federal Trade Commission, or the New Jersey Attorney General — and none give an individual the right to sue over a violation, with one narrow exception: New Jersey's ed-tech-vendor statute is enforceable as a Consumer Fraud Act violation, which does carry a private right to sue, but only for someone who can show a quantifiable monetary loss. That's a real limitation in a case like this one, where the harm being described isn't financial.
What does each law actually say?
There is no single "student data privacy law." What applies is a stack of statutes — three federal, three from New Jersey — each written for a different purpose, plus each district's own board policies. And because Wyckoff families are served by two separate public school systems — the K-8 Wyckoff School District and the Ramapo Indian Hills Regional High School District, shared with Franklin Lakes and Oakland — the local policy layer exists in two versions. What follows is a map of that framework, not a verdict on any program.
FERPA, the oldest of these laws, dates to 1974 and gives parents the right to inspect their child's education records, seek correction of inaccurate entries, and control most disclosures.[3] The provision that matters most for iReady is its vendor exception: a company can be treated as a "school official" — and get data without individual parental consent — when it performs a service the district would otherwise use its own employees for and stays under the district's direct control, on the condition it not re-disclose the data.[3] That exception is the standard legal mechanism behind arrangements like iReady, but whether the specific contract between either Wyckoff district and Curriculum Associates meets FERPA's criteria is not something the public record here establishes; neither district has published its iReady vendor agreement.
The federal law most directly on point for questions like the ones Joudeh's daughter was asked — weighing in on presidential age limits, or the driving age — is the Protection of Pupil Rights Amendment, or PPRA — the first of its eight protected survey categories is "political affiliations or beliefs of the student or the student's parent."[4] What it requires turns on who funds the survey: one funded by the U.S. Department of Education requires a parent's prior written consent before a student is asked to submit to it, while a non-federally-funded survey only requires annual notice and an opt-out.[4] Two threshold questions determine whether PPRA reaches the iReady prompts at all, and the statute answers neither: whether an agree-or-disagree prompt embedded in an adaptive-learning lesson counts as a "survey, analysis, or evaluation," and how the district's iReady use is funded. This article does not resolve those questions.
COPPA, the third federal law, covers commercial online services collecting data from children under 13 — the age band that includes elementary students. A school may consent on parents' behalf, but only when the service is used "solely for the benefit of students and the school system" and specific to "the educational context"; beyond that, the vendor needs parents' direct consent.[5] That "educational context" limit is the thread most relevant to Joudeh's complaint: there is a plausible argument that attitudinal questions about laws and public policy fall outside what a school can consent to on a parent's behalf — but it is a contested question, not a settled one. iReady's own privacy policy states the company obtains consent through the school or district "acting on behalf of the Student's Parent," rather than from parents directly.[6]
New Jersey adds three statutes of its own, and it is easy to overstate the first. The New Jersey Online Privacy Act (P.L. 2023, c.266), effective January 15, 2025, is sometimes called the "NJ Student Data Privacy Act" in vendor blogs, but it is not an education law — it's a general consumer-data statute that reaches a business only above a size threshold: personal data of at least 100,000 consumers, or 25,000 where the company earns revenue from selling that data.[7] Within its scope, it treats a known child under 13's data as "sensitive," requiring opt-in consent, and restricts profiling and targeted advertising involving consumers aged 13 to 16.[7] Whether Curriculum Associates meets that size threshold isn't established by the public sources gathered here, so whether the act applies to iReady at all is an open question.
The second New Jersey statute is the one actually written for K-12 ed-tech vendors: P.L. 2019, c.494, codified at N.J.S.A. 56:8-215 through 56:8-221, applies to any "operator of an online education service ... designed and marketed for K-12 school purposes" — a definition Curriculum Associates likely meets outright, without S332's size-threshold question.[15] It doesn't regulate what a vendor may ask a student; it regulates what a vendor may do with student data once it has it. The law bars using student information to build a profile for any purpose other than K-12 school purposes, bars selling or renting it, and bars targeted advertising based on data collected for K-12 use, while requiring reasonable security and deletion of the data on a school's or district's request.[15] Unlike every other law in this piece, a violation is explicitly defined as an unlawful practice under New Jersey's Consumer Fraud Act — which does carry a private right to sue, though only for someone who can show an "ascertainable loss," the Act's standard for damages.[15] Whether Curriculum Associates' handling of the opinion-question data Joudeh described crosses any of the law's specific bans is not established by the public record here.
The third New Jersey statute is narrower still. N.J.S.A. 18A:36-35 bars a board of education from posting personally identifiable student information — names, photographs, addresses, phone numbers, or class-trip times — on the district's own website without written parental consent.[8] It appears in both districts' student-records regulations as the basis for their website-disclosure rules.[9][10]
What do the districts' own policies say?
Both districts' own Policy and Regulation 8330 on student records contains no vendor-agreement language.[9][10] Their Acceptable Use policies differ, though: Ramapo Indian Hills' Policy 2361 names CIPA, COPPA, and FERPA as compliance frameworks,[12] while the K-8 district's version names only CIPA.[11] Neither district's technology policy addresses opinion or attitudinal data collected by a learning platform.
Is anyone testing this in court?
Whether any of this reaches iReady specifically is being tested in a separate, ongoing lawsuit. We're preparing a companion piece on that case — the claims, the procedural history, and where it stands — to publish separately. The core legal question at the center of Joudeh's comment — whether embedding opinion questions in adaptive-learning software crosses a legal line — is precisely what that case will test, and it remains unresolved.
What can a Wyckoff family do right now?
These laws are enforced by agencies, not by individual lawsuits, so there's no direct legal remedy available to a single family. The nearest formal step for a specific concern is each district's own complaint process under Policy 9130.[13][14] Filing a complaint puts a concern on the record; it does not, by itself, resolve any of the open legal questions above.
This is the first in an occasional series examining student data privacy in Wyckoff's schools.
Every claim in this article is drawn from public Wyckoff records. To dispute a fact, request a fact-check, or ask that personal information be removed, contact the ombudsman.