6.2. AI, Data Privacy, and Your Rights (FERPA, HIPAA, GDPR & TDPSA)
David Gardner
As we established in the introduction, your digital interactions are never neutral; they generate data that powers AI systems. Because this information is so sensitive, specific laws have been created to protect it. Learning these rights is the first step toward becoming an informed digital citizen who can navigate the opportunities and risks of AI with confidence.
Foundational U.S. Privacy Laws: Protecting Specific Data
FERPA: Your Rights in an Educational Context
The Family Educational Rights and Privacy Act (FERPA) is a U.S. federal law that protects the privacy of student education records. While FERPA does not extend to faculty or staff records, the principles it sets have shaped institutional practices for decades. In an AI-driven classroom, FERPA introduces new challenges:
- Faculty as Evaluators: If a professor uses a third-party AI tool to analyze student participation, the resulting analysis may itself count as an education record. Strong vendor contracts and compliance protocols are needed to protect student privacy.
- Faculty as Learners: Faculty completing online, AI-powered training modules also generate data. While not legally covered under FERPA, this information is still sensitive and requires careful stewardship by the institution.
HIPAA: Protecting Health Information
The Health Insurance Portability and Accountability Act (HIPAA) safeguards Protected Health Information (PHI). This is vital not only in clinical settings but also in academic programs where patient data may be used. AI creates new risks: anonymized data used for research could be re-identified by machine learning. For example, if a student enters patient details into a public chatbot while brainstorming a care plan, even partial information could lead to a HIPAA violation if handled outside a secure, compliant system.
Comprehensive Data Privacy Frameworks
GDPR: The Global Standard for Data Rights
The General Data Protection Regulation (GDPR), created by the European Union, is one of the strongest privacy laws in the world. It grants individuals rights such as the Right to Erasure (often called the “Right to Be Forgotten”). Yet AI complicates this right—once personal data has been used to train a massive language model, how can it truly be removed? GDPR also requires a “right to an explanation” for automated decisions, pushing companies toward greater transparency in how AI systems operate.
The Texas Data Privacy and Security Act (TDPSA)
The Texas Data Privacy and Security Act (TDPSA) follows in GDPR’s footsteps, giving Texans the right to access, correct, and delete their personal data, and to opt out of its use for targeted advertising. For AI, this means companies must disclose how user data contributes to personalization, training, or automated decision-making—empowering individuals to hold organizations accountable for ethical practices.
Why These Laws Matter in the Age of AI
Together, FERPA, HIPAA, GDPR, and TDPSA serve as a patchwork of protections that set boundaries for data collection and use. Think of them as “guardrails” along the highway of AI innovation: they do not dictate exactly where technology goes, but they prevent the most dangerous misuses. Still, gaps remain—particularly in areas where AI tools operate outside traditional educational or healthcare systems. For students, educators, and professionals, knowing these frameworks is key to making informed choices about data sharing and advocating for stronger protections.
📚 Weekly Reflection Journal
Reflection Prompt: Which of these laws—FERPA, HIPAA, GDPR, or TDPSA—do you feel most directly impacts your daily life? Why? Can you imagine a situation where AI might blur or challenge the protections that law is designed to provide?
Looking Ahead
In the next chapter, we will turn from legal frameworks to the real-world uses of AI in education, such as learning analytics and remote proctoring. These examples will show how the laws you’ve just learned about intersect with everyday academic technologies—and why balancing innovation with privacy is so challenging.