Your prospects have rights before they even apply
Data protection compliance does not start at enrollment. It starts at first contact. The moment a prospect shares their email address, name or phone number (via a form, a chatbot, a college fair or a campus tour), the institution takes on data protection obligations under federal and state law. While FERPA specifically governs education records of enrolled students, prospective student data falls under a patchwork of state privacy laws including CCPA/CPRA in California, the FTC Act for deceptive data practices, and state data breach notification laws in all 50 states.
This matters because admissions and marketing teams process prospect data long before any formal application. And prospect data is often the least protected data in the entire information system: Excel files shared by email, contact lists exported from college fairs without documented consent, chatbot conversations stored without a retention policy.
62% of institutions surveyed have no documented procedure for processing prospect data (Source: Skolbot survey of 62 marketing directors across higher education institutions, December 2025). This operational guide addresses that gap.
For a broader overview of student data protection in higher education, see our complete guide to student data compliance.
The US data protection landscape for prospect data
Unlike the EU's unified GDPR framework, the United States has a sectoral approach to data privacy. For admissions and marketing teams at colleges and universities, four overlapping frameworks matter most.
FERPA (Family Educational Rights and Privacy Act)
FERPA protects the education records of students once they are enrolled. Prospect data (inquiries, campus tour sign-ups, chatbot conversations) does not technically fall under FERPA until the student is admitted and enrolls. However, many institutions apply FERPA-like protections to prospect data as a best practice, and the US Department of Education encourages this approach.
Common mistake: assuming that because prospects are not yet enrolled, their data requires no protection. State privacy laws and FTC enforcement close that gap.
State privacy laws (CCPA/CPRA and beyond)
California's CCPA/CPRA grants consumers β including prospective students β the right to know what data is collected, the right to delete it, and the right to opt out of its sale. As of 2026, comprehensive privacy laws are active in over 15 states, including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and Montana. Each imposes obligations on institutions that collect data from residents of those states, regardless of where the institution is located.
For institutions that recruit nationally, compliance with multiple state frameworks is not optional; it is the operational reality.
FTC Act and enforcement
The Federal Trade Commission enforces against deceptive or unfair data practices. If your privacy policy says "we do not share your data" but you export prospect lists to third-party vendors, you face FTC enforcement risk. The FTC has increasingly pursued education technology companies and institutions for misleading data practices.
CAN-SPAM Act
The CAN-SPAM Act governs commercial email communications. Every marketing email to a prospect must include a physical mailing address, a clear unsubscribe mechanism, and truthful header information. Unsubscribe requests must be honored within 10 business days.
What you collect, and what you should not
The principle of data minimization
Even without a single federal privacy statute equivalent to GDPR, data minimization is a best practice endorsed by the FTC, NIST, and state privacy laws. In practice, every form field must be justifiable.
Data necessary for an information request: first name, last name, email, program of interest. Four fields suffice.
Questionable data: date of birth (why do you need this before an application?), mailing address (are you really sending printed viewbooks?), phone number (will you actually call?).
Problematic data: race/ethnicity (unless required for federal reporting after enrollment), family income, immigration status. These are sometimes collected "just in case" but represent a privacy risk without documented justification, and may trigger additional obligations under Title VI or state anti-discrimination laws.
Each additional form field reduces the completion rate by 5-8% (Source: Skolbot analysis of 45 institution contact forms, 2025). Data minimization is not just a legal best practice; it is a conversion lever. Our article on school website conversion benchmarks confirms this correlation.
Data collected by chatbots
A chatbot collects more data than a form. Prospects spontaneously share sensitive information (disabilities, financial difficulties, health conditions). Three measures are essential: prior notice that the conversation is recorded, automatic purging of sensitive data, and restricted access to conversation histories.
Retention periods: the weak spot
Retention is the weakest point for most institutions. Best practice, endorsed by EDUCAUSE and the NIST Privacy Framework, is to retain prospect data no longer than necessary; in practice, no more than 3 years after the last active contact. But this recommendation is a ceiling, not a target.
Recommended retention periods by data type
First-contact data (form, chat): 12 months after the last contact if the prospect has not applied. Beyond that, the interest is most likely abandoned.
Incomplete application data: 24 months after the last contact. The prospect may apply in the following cycle.
Rejected application data: 6 months after notification of rejection. Retaining data longer has no operational justification.
Chatbot conversations: 12 months, with automatic anonymization of sensitive data at 30 days.
Event data (campus tours, college fairs): 12 months after the event if the prospect has not taken further action.
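The schedule above and the chatbot measure described earlier (automatic purging of sensitive data from transcripts) are simple enough to enforce mechanically, which is what "automatic purging configured in the CRM" should mean in practice. The following is an added example, not Skolbot's code and not any CRM vendor's API: a small retention engine that classifies each prospect record as keep, anonymize or purge against the periods listed above. It assumes a record type per bullet, that 6/12/24 months are counted as 180/365/730 days, and that a first contact or event record which led to an application is taken off the "no further action" clock (it is then governed by the application record). The sample records and the as-of date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Retention ceilings from the guide's schedule, expressed in days.
# Assumption: 6 months = 180 days, 12 months = 365 days, 24 months = 730 days.
RETENTION_DAYS: Dict[str, int] = {
    "first_contact": 365,           # form or chat inquiry, no application
    "incomplete_application": 730,  # prospect may apply in the next cycle
    "rejected_application": 180,    # counted from the rejection notice
    "chatbot_conversation": 365,    # the transcript itself
    "event": 365,                   # campus tour or college fair sign-up
}
CHATBOT_ANONYMIZE_DAYS = 30  # sensitive fields in transcripts are stripped early


@dataclass
class ProspectRecord:
    record_id: str
    kind: str                          # one of the RETENTION_DAYS keys
    last_contact: date                 # last active contact, rejection notice, or event date
    applied: bool = False              # prospect moved on to an application
    has_sensitive_fields: bool = False  # disability, finances, health conditions, ...
    anonymized: bool = False


def retention_action(rec: ProspectRecord, today: date) -> str:
    """Return 'keep', 'anonymize' or 'purge' for one record as of `today`."""
    if rec.kind not in RETENTION_DAYS:
        raise ValueError(f"unknown record kind: {rec.kind}")
    # A first contact or event that led to an application is no longer on the
    # "no further action" clock; the application record governs it instead.
    if rec.kind in ("first_contact", "event") and rec.applied:
        return "keep"
    elapsed = (today - rec.last_contact).days
    if elapsed > RETENTION_DAYS[rec.kind]:
        return "purge"
    # Chatbot transcripts lose their sensitive fields at 30 days, long before
    # the transcript itself is purged at 12 months.
    if (rec.kind == "chatbot_conversation" and rec.has_sensitive_fields
            and not rec.anonymized and elapsed >= CHATBOT_ANONYMIZE_DAYS):
        return "anonymize"
    return "keep"


def run_retention(records: List[ProspectRecord], today: date) -> Dict[str, List[str]]:
    """Apply the schedule in place and return record ids grouped by action.

    The returned mapping is the audit trail a compliance reviewer would ask
    for. A real run would also delete purged ids from the email platform and
    chatbot store, not only the CRM (deletion must be effective everywhere).
    """
    outcome: Dict[str, List[str]] = {"keep": [], "anonymize": [], "purge": []}
    for rec in records:
        action = retention_action(rec, today)
        outcome[action].append(rec.record_id)
        if action == "anonymize":
            rec.has_sensitive_fields = False
            rec.anonymized = True
    records[:] = [r for r in records if r.record_id not in outcome["purge"]]
    return outcome


# Constructed sample data; the as-of date is fixed so results are reproducible.
AS_OF = date(2026, 3, 1)


def build_sample_records() -> List[ProspectRecord]:
    return [
        ProspectRecord("p1", "first_contact", date(2025, 2, 1)),                 # 393 days: purge
        ProspectRecord("p2", "first_contact", date(2025, 2, 1), applied=True),   # applied: keep
        ProspectRecord("p3", "rejected_application", date(2025, 10, 1)),         # 151 days: keep
        ProspectRecord("p4", "rejected_application", date(2025, 8, 1)),          # 212 days: purge
        ProspectRecord("p5", "chatbot_conversation", date(2026, 1, 15), has_sensitive_fields=True),  # 45 days: anonymize
        ProspectRecord("p6", "chatbot_conversation", date(2026, 2, 15), has_sensitive_fields=True),  # 14 days: keep
        ProspectRecord("p7", "chatbot_conversation", date(2025, 1, 1)),          # 424 days: purge
        ProspectRecord("p8", "incomplete_application", date(2024, 6, 1)),        # 638 days: keep
        ProspectRecord("p9", "incomplete_application", date(2024, 1, 1)),        # 790 days: purge
        ProspectRecord("p10", "event", date(2025, 6, 1)),                        # 273 days: keep
    ]


if __name__ == "__main__":
    sample = build_sample_records()
    for action, ids in run_retention(sample, AS_OF).items():
        print(f"{action}: {ids}")
    print(f"{len(sample)} records remain")
```

Running the block on the constructed sample purges four records, anonymizes one transcript and keeps five. The point of the reactivation sequence mentioned in the checklist is that "purge" here can be a two-step outcome: flag for a last reactivation email, then delete if there is no response.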
The "keep everything" trap
47% of institutions retain prospect data indefinitely (Source: Skolbot survey, December 2025). This creates a double risk: regulatory (state attorney general enforcement, FTC action, and in California alone, CCPA penalties of up to $7,500 per intentional violation) and operational (degraded email deliverability, skewed metrics, increased attack surface for data breaches, which trigger mandatory notification under all 50 state breach notification laws).
Prospect rights under US law
While the US does not grant a single unified set of data rights, the combination of state privacy laws creates a practical rights framework that admissions teams must handle.
Right to know (CCPA and similar state laws): the prospect can request what data you hold. In California, response is required within 45 days. Other states have similar timelines. This means knowing where data is stored across all systems (CRM, chatbot, files, emails).
Right to delete (CCPA and similar state laws): deletion of all data upon request. Deletion must be effective across all systems: CRM, email platform, chatbot, shared files. Over 15 states now provide this right.
Right to opt out of sale/sharing (CCPA): if you share prospect data with third-party vendors, prospects can opt out. Many state laws extend this to "sharing" for targeted advertising.
Right to unsubscribe (CAN-SPAM): a prospect who says "stop emailing me" must be unsubscribed within 10 business days. This is absolute and requires no justification.
The case of minors
Under COPPA (Children's Online Privacy Protection Act), collecting data from children under 13 requires verifiable parental consent (Source: FTC COPPA guidance). For high school recruitment programs and social media campaigns that may reach under-13s, parental consent mechanisms are legally required.
For prospects aged 13-17, state laws vary. California's CCPA/CPRA imposes additional protections for minors under 16, requiring opt-in consent before selling their data. Other states are following suit. Include an age verification step in your forms and understand the specific requirements of the states where your prospects reside.
Operational checklist for admissions teams
Data collection
- Every form displays the required information (identity of institution, purpose, retention period, privacy policy link)
- Privacy policy is compliant with applicable state laws (CCPA notice at collection for California residents)
- Consent checkboxes are not pre-checked
- The chatbot identifies itself as AI and informs users that conversations are recorded
- College fair and campus tour forms include data protection notices
- Only necessary data is collected (minimization principle)
- "Do Not Sell or Share My Personal Information" link is visible for California and other applicable state residents
Storage and access
- Prospect data is stored in a CRM with role-based access control
- No Excel files containing personal data are shared by email
- Data access is logged
- Sensitive data (disability, financial situation) is isolated with restricted access
- CRM credentials meet security best practices (12+ characters, MFA enabled)
- All vendors handling prospect data have signed data processing agreements
Retention and purging
- A retention policy is documented and enforced
- Automatic purging is configured in the CRM
- Prospects with no interaction for 12 months are purged or enter a reactivation sequence before deletion
- Rejected application data is deleted at 6 months
- Data breach response plan is documented and tested annually
Exercising rights
- A process for handling access, deletion, and opt-out requests is documented
- The admissions team knows who to contact internally to process a request
- Response deadlines are tracked and met (45 days for CCPA, 10 business days for CAN-SPAM unsubscribe)
- Marketing unsubscribes are processed immediately
- Records of requests and responses are maintained for compliance documentation
The five most common data protection mistakes in admissions
Mistake 1: the college fair spreadsheet. Collecting 200 emails at a college fair, emailing the file to yourself, then importing into the CRM without documented consent or a privacy notice. Multiple compliance violations.
Mistake 2: opt-in by default. Pre-checked "I agree to receive communications" checkbox. While not illegal under CAN-SPAM (which uses an opt-out model), it violates CCPA opt-in requirements for minors and creates trust issues with prospects.
Mistake 3: infinite retention. Prospect data from 2019 still in the CRM. Increased breach exposure, metrics skewed by dead contacts, and potential violations of state deletion requirements.
Mistake 4: late response. A deletion request circulating between three departments for three weeks. CCPA's 45-day deadline breached. State attorney general investigations often start with a single consumer complaint.
Mistake 5: the chatbot without notice. The chatbot collects name, email, program of interest without informing the user about data collection or AI disclosure. Breach of the transparency principle and potential FTC enforcement risk.
The trust dividend: beyond compliance
73% of 18-to-24-year-olds say that data protection influences their choice of institution (Source: Harris Poll survey for education sector, 2025, cross-referenced with findings from the EDUCAUSE Student Technology Survey). Data protection compliance is not just a legal obligation; it is a professionalism signal that directly influences recruitment.
In an era where data breaches at universities make national headlines and the US Department of Education is increasing scrutiny of institutional data practices, demonstrating strong data stewardship is a competitive advantage.
FAQ
Is consent obtained at a college fair valid?
Only if it is documented and informed. A badge scan or a signature on a tablet without information about the purposes of data collection does not constitute meaningful consent. Prepare a paper or digital form with a clear privacy notice, and retain proof of consent. In states with comprehensive privacy laws, the privacy notice must meet specific content requirements.
Can you send a follow-up email without marketing consent?
Under CAN-SPAM (the federal standard), you can send commercial emails as long as they include an unsubscribe mechanism and your physical address. However, the distinction between "transactional" and "commercial" matters: a follow-up about an incomplete application is transactional, but a newsletter promoting a different program is commercial. For California prospects under 16, CCPA requires opt-in before sharing data for marketing purposes.
What should you do in the event of a prospect data breach?
All 50 states have data breach notification laws. Most require notification to affected individuals within 30-60 days. Some states (California, New York) also require notification to the state attorney general if breaches exceed a threshold number of residents. Document the incident (nature, data involved, measures taken). The FTC recommends having an incident response plan tested before a breach occurs.
Is a vendor (CRM, chatbot provider) liable in case of a breach?
The institution bears primary responsibility for the data it collects. A data processing agreement with each vendor should specify security measures, incident notification procedures, and indemnification terms. The FTC holds both the institution and the vendor accountable if reasonable security measures were not in place.
How do you train teams without a dedicated privacy officer?
Schedule a two-hour awareness session per year, focused on practical scenarios (college fair collection, forms, follow-ups). Designate a data protection lead as the point of contact. EDUCAUSE provides resources and toolkits for higher education institutions. The FTC's business guidance portal offers free, practical compliance resources. Many institutions also leverage their general counsel's office for annual privacy training updates.