Skip to content
MooDIY Blog

Appearance

Moodle Data Privacy Compliance Guide 2026: GDPR, FERPA, CCPA blog illustration
MooDIY Technical TeamMoodle Infrastructure Experts
14 min read

Moodle Data Privacy Compliance Guide 2026: GDPR, FERPA, CCPA

Moodle sites commonly hold student grades, attendance records, submissions, profile data, messages, logs, and analytics signals. Depending on the jurisdiction, that data may be education records, personal data, children's data, or data used in automated decision-making. Privacy compliance is therefore not a checkbox setting in Moodle -- it is an operating model that combines platform configuration, institutional policy, vendor contracts, and incident response.

Moodle ships a mature privacy compliance toolkit for an open-source LMS. The challenge is configuring it properly and filling the gap between what the software provides and what compliance actually requires. This guide walks you through both.

This guide is technical implementation guidance, not legal advice. Use it to prepare Moodle workflows, then validate your institution's obligations with privacy counsel or a qualified data protection officer.

The Compliance Landscape in 2026

Data privacy compliance for educational technology is a patchwork of overlapping regulations that depend on your location, your students' locations, and what data you collect.

  • General Data Protection Regulation (EU/EEA) applies to organisations that process personal data in scope of the GDPR, including many institutions outside the EU that offer services to EU residents. It includes data subject rights, data portability, erasure rights, processor contract requirements, and breach notification duties. Administrative fines can reach EUR20 million or 4% of annual worldwide turnover, depending on the infringement.
  • Family Educational Rights and Privacy Act (United States) protects education records at schools that receive funds under an applicable US Department of Education program. It includes inspection and review rights, amendment procedures, annual notice requirements, and consent rules for disclosure subject to defined exceptions.
  • California Consumer Privacy Act / California Privacy Rights Act (California) rules covering cybersecurity audits, risk assessments, and Automated Decision-Making Technology (ADMT) took effect on January 1, 2026, with phased compliance. CPPA guidance states that risk assessment compliance begins January 1, 2026, first submissions are due April 1, 2028, ADMT significant-decision requirements begin January 1, 2027, and cybersecurity audit certifications phase in from April 1, 2028 through April 1, 2030 based on business revenue.
  • Children's Online Privacy Protection Act (United States) requires verifiable parental consent before covered operators collect personal information from children under 13, with important school-consent rules for educational uses. The FTC finalised COPPA amendments in January 2025; the final rule becomes effective 60 days after Federal Register publication, with one year for full compliance with amendments that do not specify earlier dates.

EU AI Act -- classify the use case, not the Moodle feature. The EU AI Act applies progressively. The European Commission's AI Act Service Desk lists August 2, 2026 for the majority of rules, including Annex III high-risk AI systems, with separate timing for some embedded-product high-risk systems and possible changes under the Digital Omnibus process. In education, high-risk use cases can include systems that determine access to education, evaluate learning outcomes, or affect the course of a person's education. Emotion recognition in education institutions is treated as an unacceptable-risk practice and has been prohibited since February 2025, subject to narrow legal exceptions.

If your Moodle deployment uses AI-powered proctoring, automated grading, or behavioural analytics tools and serves EU students, you need to assess compliance before August 2, 2026.

1. Moodle's Built-In Data Privacy Toolkit

Moodle has shipped native GDPR compliance tools since version 3.5 released in 2018. These are core platform features built on a dedicated Privacy API that extends compliance to every installed component.

Data Privacy Plugin (tool_dataprivacy)

Navigate to Site Administration > Users > Privacy and policies > Data requests to access the request management interface.

  • Subject Access Requests (SARs): Users submit data export requests from their profile page. The system generates a downloadable JSON package organised by context: site, course category, course, activity. Associated files (submissions, uploads) are included.
  • Right to Erasure: When a privacy officer approves a deletion request, the user's login access is revoked and personal data is systematically deleted across all contexts. Forum posts are replaced with a removal notice. Grade records and audit logs can be retained where legal obligations require it.
  • Automatic Approval: For high request volumes, configure automatic approval at Site Administration > Users > Privacy and policies > Privacy settings. Use this carefully -- deletion requests may have legitimate-interest retention implications that warrant human review.

Data Registry

The data registry documents what personal data your Moodle installation stores, why, and how long you keep it. Navigate to Site Administration > Users > Privacy and policies > Data registry and configure at six context levels: Site, Users, Course Categories, Courses, Activity Modules, and Blocks. Set category and purpose at site level first -- lower levels inherit defaults, which you override where needed.

Data Retention Policies

Retention periods are measured from the course end date (for courses/activities) or last login (for inactive users). Contexts past their retention period appear on the "Data deletion" admin page for your review before any deletion occurs. This controlled process -- you approve, then a scheduled task executes -- creates an auditable record of your data minimisation practices.

The Policies plugin lets you create and version site, privacy, and third-party policies. When you update your privacy notice, Moodle can require users to re-consent. Consent records include timestamps and are maintained even after user deletion for audit purposes.

For K-12 deployments, enable digital age of consent verification at Site Administration > Users > Privacy and policies > Privacy settings. GDPR's default threshold is 16, but member states can set between 13 and 16; the UK uses 13.

2. The Privacy Officer Role

GDPR Article 37 requires certain organisations to designate a Data Protection Officer (DPO). Moodle provides the technical infrastructure for this role.

Setting Up the Privacy Officer in Moodle

Create a custom role with these capabilities: tool/dataprivacy:managedataregistry, tool/dataprivacy:managedatarequests, and tool/dataprivacy:makedatarequestsforchildren. Assign this role to your designated privacy officer at the system level. If no privacy officer is designated, site administrators receive data request notifications by default -- but this conflates administrative and compliance responsibilities in ways auditors flag.

Beyond the software: Your organisation must separately ensure the DPO has appropriate qualifications (Article 37(5)), reports directly to senior management (Article 38(3)), has adequate resources (Article 38(2)), and is protected from dismissal for performing their duties. No LMS can satisfy these organisational requirements. The privacy officer should review the Plugin Privacy Registry (Site Administration > Users > Privacy and policies > Plugin privacy registry) after every plugin installation and every Moodle upgrade. Non-compliant plugins create blind spots in your data export and deletion workflows.

3. FERPA Compliance: What Moodle Handles and What It Doesn't

Moodle's privacy tools were designed primarily with GDPR in mind. Here's the practical alignment with FERPA.

FERPA RequirementMoodle FeatureGap
Student access to recordsSAR workflow via data privacy toolCovers Moodle data; SIS integration needed for full records
Right to request correctionsUser profile editing, instructor-managed gradesSome records require admin intervention
Consent for disclosurePolicies plugin, role-based access controlsNo FERPA-specific consent workflow
Directory information controlsUser profile visibility settingsNo dedicated FERPA directory information toggle
Audit trail for record accessEvent logging, report builderComprehensive logging available
Annual notificationN/ANo built-in annual FERPA notification system

The biggest FERPA gaps in Moodle are procedural, not technical. There's no FERPA configuration wizard, no automated annual notification system, and no distinction between FERPA directory information and other profile data. Manage these through institutional policy documents and manual processes -- and ensure annual notifications reach parents through genuinely accessible channels, not a buried link in your Moodle instance.

4. The Plugin Privacy Gap

This is the compliance risk most Moodle administrators miss entirely. Every plugin that stores personal data must implement export and deletion methods via the Privacy API. Plugins that don't store personal data must explicitly declare that with a null_provider.

The problem: third-party plugins may not implement the Privacy API. If a non-compliant plugin stores personal data, that data won't appear in SAR exports and won't be deleted when an erasure request is processed. You could tell a user their data is gone while their personal information still sits in a plugin's database tables.

How to Audit Plugin Privacy Compliance

Navigate to Site Administration > Users > Privacy and policies > Plugin privacy registry and review every plugin with a warning icon. For each flagged plugin, check its database tables for stored personal data, contact the maintainer for non-compliant plugins that do store data, and consider removing plugins that can't be brought into compliance. Repeat this audit after every plugin installation and Moodle upgrade.

Custom quiz plugins, attendance tracking tools, and third-party analytics plugins are the most common offenders. H5P interactive content, by contrast, does not store personal data itself -- the Moodle platform handles user data for H5P activities.

5. Data Processing Agreements for Hosted Moodle

When you use a hosting provider, GDPR defines three roles: your institution is the data controller, the hosting provider is the data processor, and any third-party services integrated with Moodle are sub-processors.

What Your Hosting Provider DPA Must Include

Under GDPR Article 28, the DPA must specify: the subject matter, nature, and purpose of processing; types of personal data and categories of data subjects; technical and organisational security measures; sub-processor management; breach notification procedures; data return and deletion on contract termination; and audit rights for your institution.

A hosting provider that pushes back on audit rights or breach notification timelines is a red flag. A DPA isn't optional under GDPR -- it's a legal requirement.

What Moodle's Software Layer Doesn't Cover

Moodle provides application-level privacy tools. Several critical compliance layers sit below the application and are your hosting provider's responsibility: server-level encryption at rest (LUKS, dm-crypt, or cloud-provider disk encryption), TLS certificate management, database encryption (MySQL/MariaDB TDE), backup encryption (AES-256 minimum), physical security and data centre access controls, and incident response procedures aligned with the 72-hour breach notification window.

6. Breach Notification Requirements

  • GDPR: Notify your supervisory authority within 72 hours of becoming aware of a breach. If the breach poses high risk to individuals, also notify affected data subjects without undue delay. Your notification must include the nature of the breach, categories and approximate number of data subjects affected, your DPO's contact details, likely consequences, and measures taken.
  • FERPA: No specific breach notification timeline, but the Department of Education's Student Privacy Policy Office expects prompt notification to affected students and parents. State-level breach laws may layer additional requirements on top.
  • CCPA/CPRA: California requires notification to affected residents if unencrypted personal information is compromised. Breaches affecting more than 500 California residents also require notification to the California Attorney General. If the incident also exposes missed risk-assessment, ADMT, or cybersecurity-audit obligations under the phased CPPA rules, legal exposure can increase.

Your Breach Response Runbook

Have this documented before you need it:

  1. Contain -- isolate the affected system; your host's SLA should define their incident response time
  2. Assess -- determine what data was accessed, how many records, and what categories
  3. Start the clock -- under GDPR, you have 72 hours from the moment of awareness; log the exact time
  4. Engage legal counsel -- involve your DPO or institution's legal team immediately
  5. Notify authorities -- submit to the relevant supervisory authority within the 72-hour window
  6. Notify individuals -- if high risk, notify affected users with clear language about what happened
  7. Document everything -- record every action taken for post-incident audit

7. Regional Privacy Law Quick Reference

RegulationRegionKey RequirementMoodle Alignment
UK GDPRUnited KingdomSame as EU GDPR, age of consent at 13Configurable age threshold supports this
PIPEDACanada (federal)10 fair information principles, privacy officerData registry and consent tools align well
LGPDBrazilSimilar to GDPR: consent, portability, erasureMoodle's GDPR tools largely applicable
PDPAThailandConsent requirements, data subject rightsSAR and consent tools align
POPIASouth AfricaConsent and data subject rightsMoodle's tools applicable
DPDP ActIndiaDigital personal data protection frameworkMonitor implementing rules and enforcement guidance
Vietnam PDPLVietnamComprehensive data protection frameworkSAR and consent tools align; verify specifics
Malaysia PDPAMalaysiaMandatory DPO, breach notification requirementsMoodle's DPO role and consent tools align

If you serve an international student body, you likely need to comply with multiple overlapping regulations simultaneously. Moodle's GDPR toolkit covers the broadest requirements, but verify jurisdiction-specific details -- particularly age of consent thresholds, notification timelines, and DPO appointment obligations.

8. Privacy Compliance Checklist for Moodle Administrators

Any unchecked item represents a compliance gap.

Data Registry and Retention

  • Data registry configured with purposes and categories at site level
  • Retention periods set for each context level (courses, activities, users)
  • "Delete expired contexts" scheduled task enabled and running
  • Annual review of retention periods documented

Subject Access Request Workflow

  • Privacy officer role created and assigned to a designated individual
  • SAR workflow tested end-to-end (submit -> approve -> export -> download)
  • Deletion workflow tested (submit -> approve -> verify deletion)
  • Response time targets documented (GDPR: 1 month; FERPA: 45 days)

Consent Management

  • Privacy policy published via Policies plugin
  • Policy versioning enabled (re-consent required on updates)
  • Digital age of consent verification enabled (if serving minors)
  • Consent records auditable with timestamps

Plugin Privacy Compliance

  • Plugin Privacy Registry reviewed -- all plugins have green checkmarks
  • Non-compliant plugins identified and assessed for personal data storage
  • Plugin compliance review scheduled after every installation and upgrade

Hosting and Infrastructure

  • Data Processing Agreement signed with hosting provider
  • Server-level encryption at rest confirmed
  • Backup encryption verified (AES-256 minimum)
  • Data centre location documented (for data residency requirements)
  • Breach notification procedures documented and tested with hosting provider

Documentation and Training

  • Privacy Impact Assessment completed for Moodle deployment
  • Breach response runbook documented and tested
  • Annual FERPA notification sent (US institutions)
  • Staff privacy training conducted and documented
  • AI tools inventory and EU AI Act risk classification completed (if using AI features with EU students)

Conclusion

Privacy compliance isn't a configuration you finish once and forget. Regulations evolve, plugins get updated, new staff join, and your student body changes jurisdiction. The GDPR toolkit, FERPA procedures, and breach runbook in this guide give you a strong foundation -- but only if someone in your organisation owns the process and reviews it regularly.

Use the checklist in Section 8 as a living document. Run your SAR and deletion workflows quarterly. Audit your plugin registry after every Moodle upgrade. If your deployment uses AI-powered assessment, proctoring, admissions, or learner-profiling tools for EU students, complete a use-case classification before the relevant EU AI Act obligations apply. Compliance isn't the goal -- it's the baseline. The goal is student trust.

References

Related Topics

Assessment & Grading 3Performance 3Course Design 2Backup & Recovery 2Installation & Setup 2Getting Started 2Upgrades & Migration 1Mobile Learning 1Cost & Pricing 1Hosting 1