Overview
Why it Matters
Marketing professionals in the field of online and professional continuing education have many skills and a lot of knowledge when it comes to target audience, key performance indicators, digital and social platforms, consumer behavior, strategy, and the list goes on. However, one area that may be less developed is their understanding of federal and state regulations that affect various aspects of a higher education marketing professional’s work. These regulations are designed to ensure transparency, accessibility, and compliance, which are essential for building trust and avoiding legal repercussions. As such, marketers in the online and professional education space have a responsibility to be aware of these regulations and adhere to them.
Main Compliance Considerations
There are over 200,000 pages in the Code of Federal Regulations representing the rules created by agencies, commissions, and departments in the federal government’s executive branch. In addition, every state has their own regulations throughout the various state agencies. Many of these rules are already part of an organization's operational procedures, but there are several that uniquely impact the work of a marketer at an institution - because of their nature, because they change often, and/or because they are a priority of the current presidential administration (meaning federal agencies will more actively investigate these areas for compliance gaps).
The misrepresentation regulation (34 CFR §668.71 through 668.75), enforced by the U.S. Department of Education, prohibits educational institutions from providing false, misleading, or deceptive statements about their programs, financial charges, or the employability of their graduates. The 2022 version of the Borrower Defense to Repayment Rule, which is subject to ongoing litigation and not currently enforceable by court order, made the “omission of facts” actionable, as defined under §668.75, whereby a reasonable person would have considered the omitted information in making a decision to enroll or continue attendance at the institution. The misrepresentation regulation aims to protect students from being misled about key aspects of their education, such as the quality of the programs, job placement rates, and availability of financial aid. It requires that all claims in marketing and recruitment materials be substantiated and truthful, ensuring transparency and accountability in higher education.
If a student feels that they have been misled by a false claim made by an institution, they have the right to seek loan forgiveness under the “Borrower Defense to Repayment” (BDR) regulation (34 CFR §685.206). If your institution is found to have misled students or engaged in other misconduct related to federal loans or educational services and a BDR claim is granted, the Department of Education may seek to recover the discharged loan amounts from the institution. BDR claims often arise from allegations of misrepresentation concerning costs, post-graduation employment prospects, credit transferability, or accreditation status. As such, it's crucial for marketers to ensure that all promotional materials and communications are accurate and transparent to not only do the right thing, but also avoid potential BDR claims.
As discussed in UPCEA’s Policy Primer, “Digital Accessibility Requirements for Online Learning,” marketing professionals in higher education need to understand the importance of complying with digital accessibility regulations to ensure that all online content, including websites and marketing materials, is accessible to individuals with disabilities. For public institutions of higher education, compliance with Title II of the Americans with Disabilities Act (ADA) requires that digital content meet the Web Content Accessibility Guidelines (WCAG) 2.1, Level AA standards. Enforcement activities involving private and nonprofit institutions will also generally incorporate these same standards in settlements and resolution agreements despite the absence of an explicit conformance requirement in existing regulations for these institutions. WCAG 2.1, AA conformance involves making sure that all multimedia content, such as images and videos, includes alternative text descriptions and captions, that websites are navigable via keyboard for individuals who cannot use a mouse, and that color contrasts are sufficient to ensure readability for people with visual impairments. Additionally, marketing professionals must regularly audit their digital content to identify and address any accessibility issues and ensure that third-party vendors also adhere to these standards. Keep in mind that state-specific regulations may impose even stricter accessibility requirements.
Marketers in higher education need to be aware of, and be in compliance with, the various state regulations that govern the activities of university and college recruiters crossing state lines, particularly for those institutions not participating in the National Council for State Authorization Reciprocity Agreements (NC-SARA). States individually regulate out-of-state institutions to ensure they meet local educational standards and consumer protections.
Non-SARA institutions must navigate a complex landscape of varying state regulations, which can include restrictions on marketing practices, recruitment activities, and delivery of online programs. For example, Tennessee requires out-of-state institutions to apply for authorization if they want to operate in Tennessee, which includes advertising and recruiting. So if a non-SARA institution wanted to have a billboard or on-the-ground recruiter in Tennessee, they would need authorization from the Tennessee Higher Education Commission first. Tennessee is not unique with this requirement. These regulations are designed to protect students from fraudulent or substandard educational offerings and to ensure that institutions provide accurate information about program costs, accreditation, and educational outcomes. Without NC-SARA membership, institutions face the administrative burden and cost of obtaining authorization from each state where they wish to operate, which can complicate marketing strategies and limit outreach potential.
For non-SARA institutions, understanding and complying with these state-specific regulations is crucial for marketers to legally and effectively promote educational programs across state lines, ensuring that all marketing practices align with both federal and state guidelines to maintain institutional credibility and protect student interests.
Beyond SARA, marketers must be aware of the language and data they use to promote programs on websites and ads, such as job employment data or salaries earned. Further, marketers must know whether their accreditor, or the state they are operating in, allows them to market programs that have not yet been fully approved by their accreditor, or what language must be used when marketing a program that is awaiting approval.
As institutions continue to collect large quantities and different types of student information, the concern around data privacy becomes more and more important. This consideration is vital to take into account as marketing professionals design new and innovative ways to support the enrollment, registration, and retention of students in online and professional continuing education programs. Regardless of the route taken, institutions gather large amounts of sensitive, personal data, all of which make for appealing targets for attacks. Being that students are trusting institutions with this information, it is vital that institutions take the proper steps to protect this information beginning with lead generation.
Through the process of gathering student information, it is important that these avenues, which in recent times have been largely online, follow the various collection policies as outlined by the institution or state governing agencies. Offices of higher education have the authority to act under state and federal law to access, maintain, and secure educational, personal, and financial records. Many of these laws are based on the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Family Educational Rights and Privacy Act (FERPA), and other state-based government data privacy acts.
General Data Protection Regulation (GDPR)
As it pertains to marketing for online and professional education units, the GDPR provides data privacy and security law for countries around the world in efforts to outline the necessary obligations that organizations anywhere must adhere to. Being that many of our community’s units reach and enroll students from around the globe, it is necessary to stay in compliance with the regulations outlined by the GDPR to avoid penalties. Besides holding institutions accountable for the collected data, one of the key tenants of the GDPR is transparency. Higher education institutions must be transparent about what and why certain information is being collected, and how the information will be used and protected. For marketers, this is crucial when launching data-gathering forms, in addition to placing tracking cookies on websites.
California Consumer Privacy Act (CCPA)
Another commonly followed privacy act is the CCPA, outlined in 2018, that gives users more control over the information collected by organizations. As marketing efforts aim to attract and enroll students, it is important that this act be taken into consideration to ensure that a prospective student is aware of their rights to: know what is being collected; delete information once collected; opt-out of sharing information; correct information; and limit use of collected information.
China Personal Information Protection Law (PIPL)
Though only a few years old, the Chinese government set in place a consumer privacy law for its citizens effective November 1, 2021, that is similar to the European Union’s GDPR in a number of ways. What is dissimilar, however, is the lack of a “legitimate interest” exception where under GDPR, companies and organizations may handle or process personal information if it is gathered legally and justifiably. Another area of divergence is that once data gathering reaches a certain quantity, data must be stored in China. Data transfer outside China but be approved by the Cyberspace Administration of China. The PIPL is vague on what the quantity limit is and what data would be approved for transfer outside the country.
Federal Educational Rights and Privacy (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a federal statute that confers upon parents the right to access their children’s educational records, request amendments to those records, and control the disclosure of personally identifiable information contained therein. Upon a student reaching the age of 18 or enrolling in a postsecondary institution, these rights transfer from the parents to the student. This regulation is applicable to educational agencies or institutions that receive funding from programs administered by the Secretary of Education, provided they offer educational services or have authority over public elementary, secondary, or postsecondary educational institutions.
The U.S. Department of Education has recently proposed a negotiated rulemaking session to update regulations on third-party servicers (TPS) that aims to expand oversight and ensure greater accountability among entities that administer any aspect of federal student aid programs on behalf of educational institutions. The upcoming regulatory changes could significantly broaden the definition of TPS to include many activities and functions performed by outside entities, such as marketing, student recruitment, enrollment management, and technology-related support that is often provided by Online Program Managers (OPMs).
Marketing professionals in higher education, particularly those working in online learning, need to be aware of these proposed regulations because they can impact how institutions engage with external vendors. While still unclear on what changes may occur, based on the actions attempted in 2023, the proposed regulations, which have been in flux and are not yet enforced or codified, could require institutions to report all TPS arrangements to the Department of Education and ensure these agreements include specific terms to comply with Title IV requirements.
Risks
Non-compliance - either intentional or unintentional - can have severe consequences for an institution. The most important risk is setting up students for failure either because they received misleading information (misrepresentation), could not access information appropriately (accessibility), or enrolled in a program that was not approved by their state, which could lead to them having to find another program. Fortunately, we do not hear of many stories of this happening to students, but the risk is real.
Additionally, higher education institutions face the risk of student complaints, costly fees, lawsuits, and the potential loss or required refund of Title IV funds, as demonstrated by the Borrower Defense to Repayment regulation. These risks have been realized by some institutions. In June 2024, a company that provides educational and marketing services to a private for-profit university was hit with a class action lawsuit alleging that it orchestrated a racketeering scheme pushing students to enroll in the university’s Ph.D. programs by lying about the costs of a degree. The same university had previously received a $37.7 million fine from the U.S. Department of Education for allegedly falsely advertising the costs of its doctoral programs. Another example includes an institution that was found non-compliant with state authorization regulations when they enrolled students from a state without proper authorization. The state agency required the institution to refund the tuition collected from these students and threatened further action, including a potential ban on operating in the state, to ensure compliance.
Strategies and Tips for Compliance
Online and professional education units have become indispensable arms of higher education institutions, though widely operating outside of the core of the organization. It is imperative that marketing efforts stay in compliance to ensure that the methods in which prospective students are connected, and the ways in which information is used, does not put the institution at risk. The following strategies are outlined in efforts to provide institutions a roadmap to compliance and mitigate potential risk.
- Partner with departments and divisions within the institution: Be proactive by establishing and maintaining partnerships with key departments within your institution, such as the compliance office, legal counsel, university communications team, financial aid, academic programs/accreditation office, and admissions staff. These departments often have personnel on staff who are knowledgeable about relevant internal, state, and federal regulations and can help interpret guidelines and assess risks that may impact work. Maintaining these relationships creates transparency and ensures that various academic groups stay informed about each other’s initiatives. This collaborative approach helps the institution anticipate potential risks as new projects arise, such as implementing digital credentialing policies and understanding how they align with compliance requirements set by higher education offices and accreditation bodies.
- Establish review processes within the online and professional education unit: As units expand their academic portfolio, it is important to maintain review processes of each program in addition to the various related marketing efforts. The consideration and establishment of various standards for the marketing efforts (e.g., lead generation, click data, form submission, expense efforts by year/campaign) will ensure that the institution stays within operational guidelines and has accountability measures established for marking program success criterion.
- Create training modules in partnership with your instructional design unit/team: For some compliance information, the complexity of it warrants creating a brief training module. If you have access to an instructional designer, work with them to create a self-paced module in your LMS or other tool to present the main ideas and do quick knowledge checks with examples, such as this misrepresentation module created by the University of Louisville. Have these be part of the new faculty or staff onboarding programs.
- Work with your compliance team and/or the provost’s office to create annual reminders: A simple email sent to the entire university/college community that informs people about regulations that may affect them, along with links to training modules or related websites, can help with spreading the word. Similarly, brief postings in your school’s daily news email works, too.
Resources and Other Legal Considerations
- The Federal Trade Commission Act (FTCA) (which prohibits unfair methods of competition and deceptive acts or practices) and the Telemarketing Sales Rule (TSR) (which governs telemarketing activities), enforced by the Federal Trade Commission (FTC) [you can sign up for FTC Consumer Alerts at Federal Trade Commission | Protecting America's Consumers (ftc.gov)]
- The Telephone Consumer Protection Act (TCPA) (which restricts the making of telemarketing calls (including ringless voicemails) and texts and governs the use of automatic telephone dialing systems and artificial or prerecorded voice messages), enforced by the Federal Communications Commission (FCC) [you can find latest developments at FCC Actions on Robocalls, Telemarketing | Federal Communications Commission]
- The Federal CAN-SPAM Act (which governs the use of emails in the U.S.), enforced by the FTC [you can find an overview at CAN-SPAM Act: A Compliance Guide for Business | Federal Trade Commission (ftc.gov)]
- The Higher Education Act (HEA) and the Family Educational Rights and Privacy Act (FERPA), enforced by the U.S. Department of Education [you can find an overview of laws and guidance at Policy - ED.gov]
- The United States government provides comprehensive outlines of the various privacy laws designed to protect user information and how organizations are required to protect said collected data. https://studentprivacy.ed.gov/
- DOJ Guidance on Web Accessibility and the ADA
- DOJ Title III Accessibility Rule: Nondiscrimination on the Basis of Disability; Accessibility of Web Information and Services of State and Local Government Entities
- Web Content Accessibility Guidelines (WCAG) 2.1
- FSA Partners September 2024 Bulletin on Conduct for Substantial Misrepresentations
History of Changes/Authorship
This guide was originally authored by Kristen Brown of the University of Louisville as well as Abram Hedtke of St. Cloud State Unversity with input by the UPCEA Policy Committee and Staff. It was first published and last updated on October 29, 2024.
Have a question about or suggestion for this resource? Contact us at [email protected].