Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for guidance specific to your institution and jurisdiction.
When your admissions team runs a Meta lead-gen campaign, deploys an OpenAI-powered chatbot, or tracks prospect behavior through Google Analytics, every piece of data those tools collect flows through US-based commercial cloud infrastructure. Most institutions assume that because the data stays in the United States, compliance is straightforward. It isn't, and the real risk landscape looks very different from what most admissions and marketing staff expect.
The biggest misconception? That FERPA covers your prospect data. It doesn't. This article explains what actually applies, what contracts your school needs, and the five operational steps your team should complete before the next enrollment cycle.
What data your prospect-facing tools actually collect
Before diving into the legal framework, it's worth mapping exactly what your current tech stack is pulling in. Three tools dominate the US private school marketing funnel, and each creates a different compliance surface.
Google Analytics / Google Ads. Every time a prospect visits your program pages, Google Analytics records their IP address, browsing behavior, session duration, and referral source. If you're running Google Ads, conversion tracking links that behavioral data to a named ad interaction. Google's data may be processed in any Google data center globally under their standard terms – meaning prospect data doesn't necessarily stay within a jurisdiction just because your school is in Ohio.
Meta Ads (Facebook/Instagram). The Meta Pixel placed on your inquiry form captures form-field interactions, page events, and can match visitor data against Meta's profile database. For California-based prospects or those scrolling Instagram from a California IP address, this processing triggers CCPA obligations. Meta's Business Terms govern this relationship, not FERPA.
OpenAI / AI chatbot tools. If your admissions chatbot is powered by an OpenAI API, conversational data – including names, program interests, and contact details voluntarily shared – is processed on OpenAI's infrastructure. OpenAI offers a Data Processing Addendum (DPA) for enterprise customers, but many schools are using consumer or standard API tiers without one in place.
58% of prospects engaging with US private schools are non-native English speakers – international student recruitment relies heavily on multilingual AI tools, all of which process data on US servers subject to CLOUD Act exposure (Source: automatic language detection across 8,500 Skolbot conversations, 2025–2026). That means your chatbot conversations with a student in Seoul or São Paulo may be accessible to US government agencies under a lawful order, even if the school itself never hands anything over.
The US privacy law landscape for prospect data in 2026
FERPA does not cover your prospects – full stop
FERPA (Family Educational Rights and Privacy Act), administered by the US Department of Education, is the bedrock of student data protection in US higher education. But its scope is specific: FERPA protects the education records of enrolled students at institutions receiving federal financial assistance. A prospect who submitted an inquiry through your website, downloaded a viewbook, or even started a Common App application that they never completed is not a student under FERPA. Their data is not an education record.
This is one of the most widely misunderstood compliance gaps in US higher education admissions. Institutions that rely on their FERPA policies and BAAs as a complete compliance answer for prospect data have a significant hole in their framework. The moment a student enrolls, their application file transitions to FERPA coverage – but everything before that moment is governed by a different set of rules.
The actual legal framework for prospect data in 2026
As of June 2026, more than 20 US states have enacted comprehensive consumer privacy laws. Most include an exemption for FERPA-covered data – but not for prospect data. The laws that matter most for the typical US private school recruiting nationally:
CCPA/CPRA (California): If you market to California residents – and if you recruit nationally, you almost certainly do – the California Consumer Privacy Act applies. Prospects have the right to know what data you hold, request deletion, and opt out of the sale or sharing of their personal information. You must provide a privacy notice at the point of collection and have a functioning "Do Not Sell or Share My Personal Information" mechanism. Fines run up to $7,500 per intentional violation.
Virginia CDPA, Colorado CPA, Texas TDPSA, Connecticut CTDPA: These laws follow a similar consumer rights framework. Texas's threshold – 100,000 consumers per year – is reachable for most national recruiting programs. Virginia and Colorado have 45-day response windows for consumer deletion requests, extendable to 90 days with notice.
CAN-SPAM: Every commercial email to a prospect must include a functioning opt-out mechanism, honored within 10 business days. Opt-out suppression records must be maintained indefinitely.
FTC Act Section 5: The FTC has authority to take action against unfair or deceptive data practices regardless of whether a specific state law applies. Misrepresenting your data practices in a privacy policy is an FTC enforcement target.
CLOUD Act: This is the sleeper risk for international recruitment. The Clarifying Lawful Overseas Use of Data Act allows US law enforcement to compel US-based cloud providers – Google, Meta, Microsoft, OpenAI – to disclose user data regardless of where it's physically stored. If your school actively recruits EU students, that subset of prospect data may also be subject to GDPR, creating a parallel compliance obligation.
For a broader look at your institution's overall data protection framework, see our complete guide to student data protection.
Google Workspace, Meta Ads, OpenAI – compliance scorecard 2026
The table below summarizes the current compliance posture for the three tools most commonly used in US private school prospect marketing. "Status" reflects what's available, not what your institution has necessarily implemented.
| Vendor | Applicable law (prospect data) | BAA / DPA available | Key risk | Status |
|---|---|---|---|---|
| Google Workspace for Education | CCPA, state privacy laws, CLOUD Act | FERPA BAA available (enrolled student data only); Google Ads DPA for prospects | Prospect data processed under Ads/Analytics terms, not Education BAA; data may route internationally | DPA required – not automatic |
| Google Analytics 4 | CCPA, state privacy laws | Google Ads Data Processing Terms | IP data processed globally; California-specific settings required for CCPA compliance | Must configure data retention + CA opt-out |
| Meta Ads / Pixel | CCPA (strong CA exposure), state privacy laws | Meta Business Partner Terms; CCPA data processing available | Pixel fires on inquiry forms = sensitive prospect intent data shared with Meta; CA "Do Not Sell" obligations | Business Terms must be signed; CA opt-out mechanism required on site |
| OpenAI API | CCPA, state privacy laws, CLOUD Act | Enterprise DPA available; FERPA provisions available separately | Standard API tier has no DPA; conversational data may be used to train models without enterprise agreement | Enterprise DPA required before use with identified prospects |
| Common App | State privacy laws + Common App Privacy Policy | Data sharing agreement with member institutions | Data imported into your SIS becomes your responsibility under FERPA (enrolled) or state law (denied) | DPA with Common App + clear data mapping required |
The critical gap most institutions have: Google Workspace for Education's FERPA BAA covers your enrolled student data processed through Gmail, Docs, and Drive – it does not automatically cover the prospect data flowing through Google Ads, Analytics, or any third-party integration. Those data flows require separate contractual treatment.
For a detailed breakdown of what to look for in a vendor contract for your admissions chatbot or CRM, see our guide to FERPA-compliant AI chatbot vendors for US schools.
5 things your admissions team needs to do now
1. Audit which tools touch prospect data before enrollment
Map every point where a prospect can share data with your institution – inquiry forms, chatbots, campus visit registrations, Open Day sign-ups, scholarship applications – and identify every vendor that processes that data. For each vendor, verify whether a data processing agreement or business associate agreement is in place. A spreadsheet with vendor, data category, contract status, and DPA link is the minimum starting point.
2. Execute DPAs with Google, Meta, and OpenAI
Don't assume that accepting standard vendor terms covers your compliance obligations. Google's standard Analytics and Ads terms are not tailored to educational institutions and do not provide the contractual protections required under CCPA. Meta's Business Partners Terms are available but must be actively accepted. OpenAI's DPA for enterprise customers must be separately negotiated – and if your school is using the API on a standard plan, you likely don't have one. Get these executed before the next recruiting cycle opens.
3. Update your privacy notice and add a California-compliant opt-out
If your school markets to California residents (again: if you recruit nationally, you do), your website must include a privacy notice that specifically discloses what personal information is collected from prospects, the purposes for which it's used, and categories of third parties with whom it's shared. A "Do Not Sell or Share My Personal Information" link must appear in your site footer. Under CPRA, you must also include a "Limit the Use of My Sensitive Personal Information" option. These are not optional enhancements – they're CCPA enforcement targets.
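A "Do Not Sell or Share" link is only a functioning mechanism if the tags that share data actually stop loading once a visitor opts out. The script below is an added example, not Skolbot's code and not any vendor's tag snippet: it keeps the opt-out decision in one small, testable function, gates the Meta Pixel and Google tags on it, and also treats the browser's Global Privacy Control signal as an opt-out (California's CCPA regulations require businesses to honor that signal). The storage key, the `dnss-link` element id, and the tag labels are assumptions made for this illustration; the vendor loaders are left as stubs where each vendor's own published snippet would go.

```javascript
// Added example, not Skolbot's code and not any vendor's tag snippet:
// a "Do Not Sell or Share My Personal Information" gate that decides
// whether advertising/analytics tags may load. The storage key name,
// the element id and the tag labels are assumptions for this illustration.

const OPT_OUT_KEY = "dnss_opt_out"; // hypothetical localStorage key

// Tags that send visitor identifiers to a third party and therefore
// count as "selling or sharing" personal information under CCPA/CPRA.
const SHARING_TAGS = ["meta-pixel", "google-ads-conversion", "ga4"];

// First-party, strictly necessary processing that is never gated.
const NECESSARY_TAGS = ["first-party-form-handler"];

// Minimal in-memory stand-in for window.localStorage so the decision
// logic can run and be tested outside a browser.
function makeMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// A visitor is opted out if either:
//  1. they clicked the footer link and we stored that choice, or
//  2. their browser sends the Global Privacy Control signal, which the
//     CCPA regulations require businesses to treat as an opt-out request.
function isOptedOut(storage, nav) {
  const stored = storage.getItem(OPT_OUT_KEY) === "1";
  const gpc = Boolean(nav && nav.globalPrivacyControl === true);
  return stored || gpc;
}

function recordOptOut(storage) {
  storage.setItem(OPT_OUT_KEY, "1");
}

// Return the list of tags that may load for this visitor. Kept pure so
// the decision is auditable and testable independent of the DOM.
function allowedTags(optedOut) {
  return optedOut ? NECESSARY_TAGS.slice() : NECESSARY_TAGS.concat(SHARING_TAGS);
}

// Browser wiring: runs only when a window and document exist.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  // Each loader should contain the vendor's own published tag snippet;
  // the bodies are stubs here because those snippets are vendor-specific.
  const loaders = {
    "meta-pixel": () => { /* insert the Meta Pixel base code here */ },
    "google-ads-conversion": () => { /* insert the gtag.js conversion snippet here */ },
    "ga4": () => { /* insert the GA4 gtag.js snippet here */ },
    "first-party-form-handler": () => { /* your own inquiry-form handling */ },
  };

  const storage = window.localStorage;
  for (const tag of allowedTags(isOptedOut(storage, window.navigator))) {
    loaders[tag]();
  }

  // Footer link, e.g.:
  // <a id="dnss-link" href="#">Do Not Sell or Share My Personal Information</a>
  const link = document.getElementById("dnss-link"); // hypothetical element id
  if (link) {
    link.addEventListener("click", (ev) => {
      ev.preventDefault();
      recordOptOut(storage);
      // Tags already loaded in this page view are stopped by reloading
      // without them; the stored choice applies to every later page view.
      window.location.reload();
    });
  }
}
```

The point of splitting `isOptedOut` and `allowedTags` from the DOM wiring is that the compliance decision can be unit-tested and reviewed by counsel without a browser, and that adding a new sharing tag means adding one entry to `SHARING_TAGS` rather than a new conditional somewhere in the page template.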
4. Assess your CLOUD Act exposure for international recruiting
If your school actively recruits internationally – EU students, Canadian students, students from APAC – your admissions and marketing team should understand that US cloud tools processing that data can be compelled to disclose it under US law. This doesn't mean you need to move off US platforms, but it does mean you need to disclose this in your privacy notice for international prospects and, if you have meaningful EU student enrollment or a physical presence in the EU, consult counsel on whether GDPR applies to that recruiting activity.
5. Build a prospect data retention and deletion workflow
Under CCPA, a California prospect who submits a deletion request must receive a response within 45 days. That response requires you to delete their data from your CRM, email platform, chatbot system, analytics tools, and backup systems. If your institution doesn't have a tested deletion workflow that covers all five of those systems, you can't fulfill that obligation. Document the workflow, assign ownership, and test it at least once per year. For detailed guidance on retention periods, see our article on prospect data retention periods for US colleges.
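The two failure modes of a deletion workflow are missing the deadline and closing a request while one system (usually backups) still holds the data. The record below is an added example, not Skolbot's code: it computes the due date from the 45-day window, allows one notified extension, and refuses to close until all five systems named above have confirmed deletion. The field names are assumptions for this illustration; the sample dates are constructed.

```javascript
// Added example, not Skolbot's code: a deletion-request record for the
// workflow described above. It computes the statutory deadline, records a
// single notified extension, and refuses to close until every system that
// holds prospect data has confirmed deletion. The five system names are the
// ones listed in the article; the field names are assumptions.

const DELETION_SYSTEMS = ["crm", "email-platform", "chatbot", "analytics", "backups"];
const MS_PER_DAY = 24 * 60 * 60 * 1000;

function addDays(iso, days) {
  return new Date(new Date(iso).getTime() + days * MS_PER_DAY).toISOString();
}

// Open a request. windowDays defaults to the 45-day CCPA/CDPA response window.
function openDeletionRequest(prospectId, receivedIso, windowDays = 45) {
  return {
    prospectId,
    received: new Date(receivedIso).toISOString(),
    due: addDays(receivedIso, windowDays),
    extended: false,
    confirmations: {}, // system -> { actor, when }
  };
}

// Record the one permitted extension. The notice to the consumer must
// already have been sent, so its date is required and stored with the record.
function extendDeletionRequest(req, extraDays, noticeSentIso) {
  if (req.extended) throw new Error("request already extended once");
  if (!noticeSentIso) throw new Error("extension requires the date the notice was sent");
  return {
    ...req,
    extended: true,
    noticeSent: new Date(noticeSentIso).toISOString(),
    due: addDays(req.due, extraDays),
  };
}

// Record that a named owner confirmed deletion in one system. Unknown
// system names are rejected so a typo cannot silently satisfy the check.
function confirmDeletion(req, system, actor, whenIso) {
  if (!DELETION_SYSTEMS.includes(system)) throw new Error("unknown system: " + system);
  const confirmations = {
    ...req.confirmations,
    [system]: { actor, when: new Date(whenIso).toISOString() },
  };
  return { ...req, confirmations };
}

function outstandingSystems(req) {
  return DELETION_SYSTEMS.filter((s) => !(s in req.confirmations));
}

// A request may be closed only when no system is outstanding.
function canClose(req) {
  return outstandingSystems(req).length === 0;
}

// Overdue means the deadline has passed and the request is still open.
function isOverdue(req, nowIso) {
  return !canClose(req) && new Date(nowIso).getTime() > new Date(req.due).getTime();
}

// Constructed walk-through (sample dates, not real requests).
let req = openDeletionRequest("prospect-0001", "2026-03-01T00:00:00Z");
req = confirmDeletion(req, "crm", "admissions-ops", "2026-03-05T00:00:00Z");
console.log("due:", req.due, "outstanding:", outstandingSystems(req).join(", "));
```

Running the walk-through shows a due date 45 days after receipt and four systems still outstanding; the annual test the article recommends is simply running a request like this end to end and checking that `canClose` becomes true before `isOverdue` does.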
FAQ
Does FERPA apply to our admissions chatbot conversations with prospects?
No. FERPA covers education records of enrolled students. A chatbot conversation with a prospective student who has not yet enrolled – even one who has submitted a Common App application – is not a FERPA-covered record at your institution. That conversation is governed by state privacy laws (CCPA if the prospect is a California resident, potentially other state laws depending on their location) and your institutional privacy policy. The moment that student enrolls and you maintain their application as part of their student record, FERPA coverage kicks in.
We use Google Workspace for Education and have a FERPA BAA with Google. Are we covered for prospect data?
Not automatically. Google's FERPA BAA for Workspace for Education covers your enrolled students' data processed through core Workspace services (Gmail, Drive, Docs, etc.). Prospect data processed through Google Ads, Google Analytics, or any non-core Workspace service falls under Google's standard commercial terms and the Google Ads Data Processing Terms – separate agreements. Review exactly which Google services your prospects touch before assuming your Education BAA covers them.
Our OpenAI chatbot collects prospect names and emails. Do we need a DPA?
Yes. If you're using the OpenAI API with identified prospect data, you need OpenAI's Data Processing Addendum in place. Without it, OpenAI's standard terms apply, and those terms may permit the use of your data for model training purposes. An enterprise agreement with a DPA restricts how OpenAI can use your prospect data and establishes the contractual commitments you need to demonstrate compliance under CCPA and other state laws. Contact your OpenAI account representative or check their enterprise terms page.
A prospect in Virginia submitted a request to delete all their data. What's our timeline and scope?
Virginia's Consumer Data Protection Act (CDPA) gives you 45 days to respond, with a 45-day extension available if you notify the consumer. The deletion must cover all personal data you hold about that individual across every system – CRM, email platform, chatbot, analytics, and backups. Virginia's CDPA applies to controllers that process personal data of 100,000+ Virginia consumers per year or that derive 50% of gross revenue from the sale of personal data. Many private schools recruiting nationally meet the first threshold. Treat Virginia deletion requests with the same urgency as CCPA requests.
We recruit international students, including from the EU. Does GDPR apply to our prospect data?
Potentially yes, for that subset of data. GDPR applies when you are directing marketing activity toward individuals located in the EU or European Economic Area, regardless of where your school is headquartered. If your institution actively targets EU students – running ads in Germany, attending European college fairs, partnering with EU agents – then GDPR likely applies to the processing of those prospects' data. This is independent of your US law obligations and requires a separate legal basis for processing, privacy notice disclosures under GDPR Article 13, and potentially a Data Protection Impact Assessment for your AI tools.
Staying compliant with prospect data doesn't require dismantling your marketing stack. It requires executed contracts with Google, Meta, and OpenAI; a privacy notice that meets California's requirements; a tested deletion workflow; and a clear internal understanding that FERPA is not your answer for pre-enrollment data. Those four pieces, done properly, cover the large majority of your exposure.