Family Educational Rights and Privacy Act
FERPA is a US law protecting the privacy of student education records, giving parents and eligible students access and consent rights and restricting disclosure. It applies to federally funded schools and their vendors, with loss of federal funding as the ultimate sanction.
What FERPA Is and Why It Exists
The Family Educational Rights and Privacy Act (FERPA) is a US federal law enacted in 1974 that protects the privacy of student education records. It gives parents, and students once they turn 18 or enter postsecondary education ("eligible students"), rights to access, review, and request correction of education records, and it restricts how schools disclose those records. FERPA is administered by the US Department of Education.
It exists to ensure that the detailed records schools keep, on grades, discipline, health, and more, are not shared inappropriately, and that families have meaningful control over their educational information.
Who It Applies To
FERPA applies to educational agencies and institutions that receive funds under programs administered by the US Department of Education, which covers virtually all public schools and districts and most colleges and universities. It also reaches, through contractual and "school official" provisions, the technology vendors and service providers that handle student data on a school's behalf, a growing concern as education technology expands.
Key Requirements
- Access rights: institutions must let parents and eligible students inspect and review education records and seek amendment of inaccurate records.
- Consent for disclosure: generally, written consent is required before disclosing personally identifiable information from education records, subject to specific exceptions (such as disclosures to school officials with a legitimate educational interest).
- Directory information: schools may designate and disclose limited "directory information" but must give notice and an opportunity to opt out.
- Annual notification of FERPA rights is required.
- Vendor safeguards: providers acting as school officials must use data only for authorized purposes and protect it.
Penalties for Non-Compliance
FERPA's primary enforcement mechanism is the potential withdrawal of federal education funding from institutions that fail to comply, a severe but rarely invoked sanction; in practice the Department of Education seeks voluntary corrective action. FERPA does not create a private right for individuals to sue for damages. Nonetheless, violations can bring investigations, mandated remediation, reputational harm, and, where vendors are involved, contract termination.
How to Comply
- Identify your education records and who may access them.
- Implement consent workflows and document the exceptions you rely on.
- Publish an annual FERPA notice and a clear directory-information policy with opt-out.
- Bind technology vendors with agreements that restrict data use and require safeguards.
- Train staff on disclosure rules and maintain records of disclosures where required.
For education-technology providers, aligning data practices with FERPA's "school official" requirements is essential to serving the sector.
EdTech, Cloud, and the School-Official Exception
The rapid growth of education technology has made the "school official" exception central to FERPA compliance. Schools may share education records with vendors that perform an institutional service or function, but only if the vendor is under the school's direct control regarding data use and maintenance, uses the data only for authorized purposes, and does not redisclose it improperly. This places real obligations on EdTech providers: clear contracts, purpose limitation, security safeguards, and deletion on request. For both schools and vendors, the safest posture is data minimization and contractual clarity, ensuring student data is used solely to deliver the educational service and never repurposed for unrelated commercial aims.