Policy Matters: Primers and Insights

Introduction to the Online Learning Regulatory Landscape

How the “Regulatory Triad” Applies to Online and Interstate Learning Experiences

Last Updated: January 22, 2024


As institutions of higher education continue to innovate with online courses and programs, having a general understanding of the regulatory landscape that such initiatives are subject to is critical to their long-term success. The geographic reach of these programs (e.g., whether offered only in the institution’s home state, nationally, or internationally) can introduce new jurisdictions beyond what the institution may have explored for any in-person program. Moreover, online programs can be subject to a variety of additional definitions, regulations, and expectations from enforcement agencies and accreditors that are unique to the instructional modality regardless of where such programs are being offered. 

This resource provides an introduction to foundational topics for online education regulatory compliance in the United States.

In the United States, the oversight of institutions of higher education is a shared responsibility divided among state governments, the federal government, and accreditors. Collectively, this group is often referred to as the “regulatory triad.” Each segment of the triad plays a distinct role in shaping and regulating higher education, offering a unique set of perspectives and responsibilities. The triad provides a balance of regional specificity, national coherence, as well as the third-party non-governmental quality assurance from accreditors to enable collaboration, coordination, and funding opportunities to address the diverse needs of students, institutions, and employers in the ever-evolving landscape of higher education.  

Where interstate education is concerned, most states (currently, all except California) and several territories have joined the State Authorization Reciprocity Agreements (SARA), which simplifies the authorization process and overall regulatory burden for participating institutions within these states through providing one, unified set of authorization requirements. As a result, SARA has become a significant focus area of state-level compliance efforts within the regulatory triad.

The U.S. Department of Education (ED) has promulgated a variety of regulations that uniquely address (or have unique application to) online courses and programs. Implementing regulations for Title IV of the Higher Education Act set criteria for institutional and programmatic federal student aid eligibility, including for what ED considers “distance education.” For example, aid eligibility depends in part on the frequency and quality of opportunities for academic engagement and instructor-student interactions which can (and should) influence course design considerations. More broadly applicable requirements, such as those concerning professional licensure eligibility disclosures and state authorization, are also more likely to impact online programs as these are based on the student’s location rather than the location of the institution. 

Rulemaking and enforcement activities from other federal agencies and offices can also impact online learning compliance efforts. For instance, the U.S. Department of Justice shares jurisdiction with ED over enforcement of the Americans with Disabilities Act and Section 504 of the Rehabilitation Act, which can have unique implications for digital accessibility and accommodations in the context of online learning. And rulemaking and guidance by the U.S. Copyright Office can impact course-level decisions around the use of third-party media and embedding practices.

State governments can make determinations as to which institutions can legally operate within their geographic boundaries, including with regard to purely online learning offerings should they choose. State workforce boards also focus on aligning education and training programs with the needs of the local job market, promoting workforce development, and ensuring that educational offerings are responsive to the evolving demands of employers. States also have a significant role to play in their own public institutions of higher education.

With regard to “out-of-state” institutions, states have created various authorization application and review procedures that more clearly define a state’s oversight role and institutional responsibilities. The applicability of these requirements to certain institution types and activities varies by state. 

The State Authorization Reciprocity Agreements (SARA), which are governed by the National Council for SARA (NC-SARA), provide a single set of rules to follow for participating institutions in all SARA member states, at least with regard to authorization requirements and consumer protections specific to institutions of higher education. As is further detailed below, however, states can still enforce various general purpose laws and regulations, such as those relating to data privacy, general consumer protections, professional licensure requirements, anti-discrimination laws, tax, and business operations. 

Accrediting agencies are private, third-party, non-governmental educational associations responsible for evaluating and ensuring educational institutions and their programs meet acceptable levels of quality. They provide external validation and assurance to students, employers, and the public, helping to maintain the integrity and reputation of higher education while informing federal policies relating to accreditation standards and accountability. Accreditors also work to ensure consistency of experience and resources (e.g.,  libraries and studios). 

In order for students to receive federal student aid for their education, the institution must be accredited by an agency recognized by ED to accredit a school at the institution level. Institutional accreditors also support federal enforcement of certain requirements tied to these federal student aid programs as a condition of their recognition under ED. Enforcement is often carried out by requiring institutions to submit assurance statements and federal compliance filings during accreditation review periods. Individual programs may also be subject to programmatic or specialized accreditation which can involve additional academic quality standards specific to a discipline or profession and are sometimes tied to state-specific requirements for professional licensure.  

This regulatory landscape expands significantly when offering online courses and programs to individuals located outside of the United States. Consider the following, for example: 

  • Individual countries may have unique requirements for seeking authorization through a ministry of education as well as unique expectations regarding marketing practices and student-consumer protections. 
  • Individual countries may have unique tax frameworks (e.g., Digital Services Tax and Value Added Tax frameworks that have become more popular in recent years) and extraterritorial data privacy frameworks, such as the European Union’s General Data Protection Regulation (GDPR) which may attach to online learning initiatives even where there is no direct physical presence aside from the physical location of a participating student.  
  • Online degrees and certificates may not be recognized or viewed as equal to those earned through traditional education in all countries. 
  • U.S. export controls, which are a set of national security regulations enforced through multiple federal agencies (e.g., the Departments of State, Commerce, and the Treasury) that restrict both the physical and electronic export of sensitive items, software, information, and services, also need to be closely followed. These regulations can even restrict the export of most or all services being offered to anyone located in certain countries or regions through comprehensive or near-comprehensive sanctions. They may be more targeted around individuals and organizations through blocked persons lists.  
  • Local restrictions can impact which tools and content students located abroad, whether through banned categories of technology (e.g., encryption technologies that can sometimes be used for student identity verification purposes) or through censorship restrictions enforced through controlled versions of the Internet.  

Compliance Challenges 

1. Complex and Evolving Regulatory Landscape. Even for institutions participating in SARA, the online learning regulatory framework is vast, complex, and constantly evolving. Effectively monitoring regulatory updates across individual states and countries in numerous areas can be particularly resource intensive and requires broad subject matter expertise. But institutions also must consider more than just the content and technologies used as part of these programs. For example, interstate and international education can also often involve employing individuals located in other jurisdictions, bringing with them the employment laws of those jurisdictions.

2. Risk Mitigation in Decentralized Environments. Certain compliance responsibilities (e.g., seeking authorization, satisfying various data reporting and disclosure obligations—including those relating to professional licensure eligibility—and creating and implementing policies in a consistent manner) can require a high degree of central coordination to execute, which may be difficult to develop from the ground up. As maintaining compliance can be resource intensive as well, concerns over individual units taking on too much or too little responsibility are likely to arise. Implementing additional student fees for online programs could help offset additional staffing needs; however, there are obvious downsides to increasing the cost of a program. These decisions will not just impact students but can also harm the institution itself, whether in consideration of a reputation to support the public good or perhaps of its position in a competitive marketplace for online learning. Decisions over how to fairly distribute any revenue generated by these programs in decentralized environments can also be controversial, even without the addition of new, unique fees.

3. Risk Mitigation at the Course Level. Many compliance responsibilities relating to online courses and programs can only be carried out at the individual course level (e.g., making sure content is accessible to individuals with disabilities, avoiding privacy violations and the use of infringing materials, and ensuring courses meet federal student aid requirements for distance education). Therefore, training and resources developed to support policy implementation must account for a wide range of audiences, including both instructors and administrators, and be paired with more targeted support efforts.

4. Partnerships. Institutions need to deeply consider their internal capacity to manage regulatory compliance for online education programs and weigh pros and cons involved with partnering with outside entities to support compliance efforts. Partnering with a foreign-owned company or institution of higher education can invite helpful subject matter experience on the laws of a foreign jurisdiction but might also serve as the determining factor for whether the U.S. institution must now follow such laws while perhaps being subjected to additional requirements in the U.S. as well. Regulatory compliance should be considered as a key factor when making  “build, buy, partner” determinations with regard to online program development, marketing, delivery, and support services.

Regardless, the design and delivery of online programs will generally involve working with third parties to some degree. Institutions may simply wish to procure educational software or courseware to support online instruction or they may be interested in enlisting the services of Online Program Managers (OPMs) that provide more comprehensive services, such as through a combination of course hosting and marketing and recruitment support. At a minimum, institutions will be subject to the unique terms they have agreed to as part of contracts or licensing agreements with these companies. But additional compliance requirements will exist beyond these agreements.

Often OPMs will rely on revenue sharing models that are subject to additional scrutiny (e.g., prohibitions on incentive compensation). A third party could also be considered a “third party servicer” for federal student aid purposes, which can subject both the institution and its would-be partner to even more requirements. Finally, private companies may attempt to pass their compliance obligations on to institutions of higher education even when those obligations would not otherwise exist. Meanwhile, institutions may not always be able to return the favor and can even be found liable for the actions of their partners in certain cases (e.g., for any deceptive recruitment practices). Contracts and any terms and conditions must therefore be carefully reviewed and negotiated, as applicable, despite these partnerships often being necessary to effectively deliver online education.   

Compliance Tips

1. Convene Experts and Stakeholders. Establish central online learning compliance mechanisms to support interstate and, as applicable, international learning experiences. Where there is no designated office to coordinate these compliance efforts, consider establishing a working group or task force featuring subject matter experts to consult with central administrative units while providing support to academic units. Casting a wide net may be appropriate, as these activities can implicate unique considerations for financial aid, authorization, business registration, military-affiliated students, consumer protections, data security and privacy, tax, employment law (out-of-state instructors), student services and library resources, export controls and restricted party screening, etc. depending on geographic reach of specific components of these programs. Involving General Counsel or otherwise obtaining legal support as part of these conversations is strongly recommended.

2. Know Where Your Students Are Located. Develop policies and procedures concerning student location determinations. As states play a significant role in regulating online education—both directly and indirectly through federal requirements concerning state authorization and state-specific disclosures—knowing where students are located is essential, both at the time of initial enrollment and whenever a location change occurs throughout the duration of an academic program.

3. Establish Governance and Supporting Resources. Consider developing an online education policy that outlines key requirements and any approval procedures. Ideally, this policy would direct to resources addressing the following areas: internal and external approval processes for new programs, credit hour estimates, regular and substantive interaction, academic engagement, digital accessibility, copyright, state authorization, accreditor expectations, various disclosure requirements, SARA policies and procedures (as applicable), and additional factors impacting the admissions and enrollment of international students (e.g., student visa restrictions) and students located abroad (e.g., authorization, tax, data privacy, and export control considerations). UPCEA has collected several examples shared by member institutions, which are linked in the Resources section below or available in UPCEA’s CORe.

4. Stay Informed. Ensure there are qualified units or staff who are following online education regulatory  updates at your institution and that there are communication channels in place through which these updates can be shared with stakeholders. Critical updates can come from a variety of sources, including the U.S. Department of Education’s negotiated rulemaking efforts and publication of Dear Colleague Letters, the SARA Policymaking Process, various state and federal legislative efforts, and policymaking updates from institutional accreditors.   

History of Changes/Authorship

This guide was originally authored by Richard LaFosse of the University of Michigan with input by the UPCEA Policy Committee and Staff. It was first published on January 22, 2024.

Have a question about or suggestion for this resource? Contact us at [email protected].