The Family Educational Rights and Privacy Act (FERPA) is the cornerstone of student data privacy in the United States. Enacted in 1974, FERPA gives parents and eligible students specific rights regarding educational records — and imposes strict obligations on schools, universities, and increasingly, the EdTech companies they partner with.
With the explosive growth of educational technology, online learning platforms, and student information systems, FERPA compliance has become more complex than ever. Violations can result in loss of federal funding — a catastrophic consequence for educational institutions.
FERPA protects student education records at any school receiving US federal funding. It grants parents (or students 18+) rights to access, amend, and control disclosure of records. Penalty: loss of federal Department of Education funding.
What is FERPA?
FERPA is a US federal law (20 U.S.C. § 1232g) that protects the privacy of student education records. It applies to all schools that receive funds under any program administered by the US Department of Education — which covers virtually all public schools, universities, and most private institutions.
Who Must Comply with FERPA?
- Public K-12 schools and school districts
- Public colleges and universities
- Private schools receiving federal education funding
- State and local education agencies
- EdTech vendors acting as "school officials" with legitimate educational interest
What Are Education Records?
FERPA defines "education records" broadly as records that:
- Contain information directly related to a student
- Are maintained by an educational agency, institution, or party acting on their behalf
Examples of Education Records
- Grades, transcripts, and class rosters
- Student disciplinary files
- Attendance records
- Financial aid information
- Special education records (IEPs, 504 plans)
- Student health records (if maintained by school)
- Email correspondence about a student
- Online learning platform data
What's NOT an Education Record?
- Sole-possession notes (kept by teachers, not shared)
- Law enforcement unit records
- Employment records of student employees
- Treatment records by school medical/mental health professionals
- Alumni records (post-graduation)
FERPA Rights
Parental Rights (Students Under 18)
Parents of minor students have the right to:
- Inspect and review their child's education records within 45 days
- Request amendments to inaccurate or misleading records
- Consent to disclosure of personally identifiable information (with exceptions)
- File a complaint with the US Department of Education
Eligible Student Rights (Age 18+ or in College)
When a student turns 18 OR enrolls in postsecondary education, FERPA rights transfer from parents to the student. The student becomes the sole decision-maker about their records.
Parents of college students cannot automatically access their child's grades, even if they pay tuition. The student must provide explicit written consent for parental access.
Disclosure Rules
FERPA generally requires written consent before disclosing personally identifiable information from education records. However, several exceptions allow disclosure without consent:
Permitted Disclosures Without Consent
- School Officials: With "legitimate educational interest"
- Other Schools: Where student seeks to enroll
- Specified Officials: For audit/evaluation purposes
- Financial Aid: Parties involved in aid determination
- Accrediting Organizations: For accreditation purposes
- Judicial Orders: Subpoenas (with notice to family)
- Health/Safety Emergencies: To address immediate threats
- Directory Information: If parents/students don't opt out
What is Directory Information?
Schools may disclose certain "directory information" without consent (unless opted out):
- Student name, address, telephone, email
- Date and place of birth
- Major field of study
- Participation in activities and sports
- Dates of attendance
- Degrees and awards received
- Photograph
FERPA for EdTech Companies
EdTech vendors face unique FERPA obligations when handling student data on behalf of schools.
"School Official" Exception
EdTech vendors can access student records without parental consent only if they qualify as a "school official" with "legitimate educational interest." To qualify:
- Perform a service the school would otherwise use employees for
- Be under direct control of the school regarding data use
- Be subject to FERPA requirements on use and re-disclosure
- Use data only for authorized purposes
EdTech Contractual Requirements
Schools should ensure EdTech contracts include:
- Clear definition of authorized data use
- Prohibition on selling/sharing student data
- Data security requirements (encryption, access controls)
- Data retention and deletion timelines
- Breach notification procedures
- Audit rights for the school
- Compliance with state student data privacy laws
Many EdTech companies sign the Student Privacy Pledge — a voluntary commitment to not sell student data, not target advertising based on student data, and to maintain comprehensive security programs.
Beyond FERPA: State Student Privacy Laws
Many states have enacted additional student data privacy laws that often go beyond FERPA:
- SOPIPA (California): Student Online Personal Information Protection Act
- NY Education Law 2-d: Strict requirements for student data sharing
- Colorado Student Data Transparency Act
- Connecticut Student Data Privacy Act
- Over 40 states have student-specific privacy laws
Penalties and Enforcement
Unlike HIPAA, FERPA doesn't carry direct monetary fines for individuals. Instead, the consequences fall on institutions:
- Loss of federal funding from the US Department of Education
- Department of Education investigations and corrective action requirements
- Reputational damage and parent/student lawsuits under state laws
- Inability to participate in federal student aid programs
FERPA Compliance Best Practices
For Educational Institutions
- Designate a FERPA Compliance Officer
- Develop and publish a FERPA notification policy
- Train all staff annually on FERPA requirements
- Implement access controls on student information systems
- Maintain detailed disclosure logs
- Review and approve all EdTech vendor contracts
- Conduct annual FERPA compliance audits
- Establish clear data breach response procedures
For EdTech Companies
- Sign the Student Privacy Pledge
- Implement privacy by design principles
- Maintain SOC 2 / ISO 27001 certifications
- Provide clear privacy notices to schools and parents
- Allow data access, correction, and deletion requests
- Conduct regular security assessments
- Train all employees on FERPA obligations
Modern FERPA Challenges
AI and Machine Learning
AI tools analyzing student data raise new FERPA questions about training data, model outputs, and de-identification standards.
Cloud Computing
Schools must ensure cloud providers meet FERPA "school official" requirements and properly handle data location/sovereignty.
Remote Learning
Video conferencing, recorded classes, and online assessments create new categories of student records requiring protection.
Cybersecurity Threats
Ransomware attacks on schools are increasing — making robust incident response planning essential.
Conclusion
FERPA compliance is non-negotiable for educational institutions and the EdTech ecosystem supporting them. As technology transforms education, the principles of student privacy — control, transparency, and accountability — remain foundational.
The most successful institutions treat FERPA not as a compliance burden, but as a framework for building trust with students, parents, and the broader community. Strong privacy practices protect institutions from regulatory action while creating safer learning environments where students and families can thrive.