Compliance & Regulations

What is FERPA?

FERPA (Family Educational Rights and Privacy Act) is a federal law enacted in 1974 that establishes student privacy rights and requires educational agencies and institutions receiving federal education funding to protect the confidentiality of student education records.

FERPA grants parents and eligible students (age 18 or older) the right to access, review, and seek amendment of education records, and restricts disclosure of personally identifiable information without written consent. The law applies to all schools receiving federal education funding and is administered by the Department of Education's Family Policy Compliance Office (FPCO), which investigates complaints and can withhold federal funding from non-compliant institutions.

How does FERPA work?

FERPA applies to all educational institutions receiving federal funding and grants specific rights to parents and students.

All public schools and school districts (elementary, secondary, and post-secondary), private schools and institutions receiving any federal education funding, Department of Education agencies administering education programs, and educational agencies serving students with disabilities must comply with FERPA. The funding connection is mandatory; any institution receiving federal funding from the Department of Education (including grants, loans, or other assistance) must comply. Loss of federal funding is the primary enforcement mechanism.

Parents have the right to access and review their child's education records within 45 days of request until the student becomes an eligible student. Eligible students (age 18 or older or attending post-secondary institutions) have the right to access their own records within 45 days of request. The right extends to official records maintained by schools including grades, transcripts, attendance records, test scores, health records, disciplinary records, and special education records. Schools cannot charge unreasonable fees for access but may charge for copies.

Parents and eligible students can request correction of inaccurate or misleading information in education records. Schools must respond to amendment requests within 45 days. If schools refuse to amend, students or parents have the right to a formal hearing. If still refused after hearing, parents or students can insert written statements into records explaining their position, which must be maintained with the disputed record.

Schools must obtain written consent before disclosing personally identifiable information from education records, with specific exceptions. Written consent must specify the records to be disclosed, state the purpose of disclosure, identify the party or class of parties to whom disclosure can be made, be signed and dated by the parent or eligible student, and include an expiration date or circumstances when consent expires.

Schools may disclose directory information without consent if they publicly announce directory information categories in writing, give parents and eligible students reasonable notice (minimum annually), provide reasonable opportunity for parents or students to opt out of disclosure, and do not disclose any category from which students have opted out. Permitted directory information (if schools classify it as such) includes student name, address, telephone number, email address, photograph, date and place of birth, major field of study, grade level, enrollment status, dates of attendance, participation in officially recognized activities and sports, weight and height of athletic team members, degrees, honors and awards received, and most recent educational institution attended.

Permitted disclosures without consent include school officials with legitimate educational interest (teachers, administrators, counselors, nurses, and other personnel who need information to perform job duties), financial aid processing to organizations assisting with federal or state financial aid programs, health and safety emergencies if necessary to protect health or safety of students or others, judicial orders and subpoenas (schools must make reasonable effort to notify parents or students unless court orders otherwise), academic research where researchers agree not to further disclose personally identifiable information, organizational transfers where students are transferring to other schools, government officials conducting audits or compliance reviews, and accreditation agencies for evaluation purposes.

When students become eligible students (at age 18 OR upon enrollment in post-secondary institutions at any age), FERPA rights transfer from parents to students. Parents lose access rights unless students provide written consent. Students can authorize parents to access records at any time through signed authorization.

How does FERPA differ from COPPA for student data protection?

| Feature | FERPA | COPPA (Children's Online Privacy) |
| --- | --- | --- |
| Scope | Education records at schools receiving federal funding | Online collection of children's data by commercial services |
| Age coverage | All students (rights transfer at 18) | Children under 13 |
| Regulated entities | Schools receiving federal funding | Commercial websites, online services, apps |
| Consent requirement | Written consent for most disclosures | Verifiable parental consent for collection |
| Exemptions | Directory information (if notice and opt-out provided) | Educational institutions using services for school purposes |
| Rights granted | Access, amendment, control disclosure | Parental access, deletion, control collection |
| Enforcement | Department of Education (funding withdrawal threat) | FTC (monetary penalties) |
| Private right of action | No (Supreme Court ruled in Gonzaga v. Doe) | No (FTC enforcement only) |
| Penalties | Federal funding loss (never actually invoked) | Up to $43,792 per violation |
| Overlap | Educational use of online tools subject to both | Schools using third-party services must comply with both |
| Ideal for | Student records privacy at educational institutions | Protecting children's data from commercial collection |

Neither is universally better. FERPA protects educational records at schools receiving federal funding with broad coverage but limited enforcement. COPPA protects children's online data with monetary penalties but narrower age scope. Schools using third-party online tools must ensure compliance with both FERPA (education records protection) and COPPA (online collection restrictions for children under 13).

Why does FERPA matter?

Educational institutions comply with FERPA for three primary reasons, each with inherent limitations.

Federal funding dependency creates mandatory compliance. Schools receiving any Department of Education funding must comply with FERPA or risk losing all federal education assistance. This funding dependency affects virtually all public schools and most private educational institutions. However, enforcement through funding withdrawal has never been invoked; the Department of Education has issued hundreds of compliance orders requiring improved practices but never actually terminated federal funding, reducing the perceived enforcement risk and creating uneven compliance across institutions.

Student privacy protection establishes baseline rights. FERPA grants students and parents access to education records, control over disclosure, and the ability to correct inaccurate information. These rights prevent arbitrary school record-keeping and unauthorized information sharing. However, no private right of action exists; the Supreme Court ruled in Gonzaga v. Doe (2002) that students cannot sue for damages under FERPA. The only remedy is correcting education records or filing complaints with FPCO, which often takes 6-12 months to resolve. Students harmed by FERPA violations have no compensation mechanism.

Third-party vendor oversight protects student data. FERPA requires schools to maintain responsibility for third-party compliance when vendors access education records, promoting contractual data protection obligations and vendor security assessments. However, schools have limited contractual leverage over large vendors; major educational technology companies serve thousands of schools and often resist custom security requirements. Vendor compliance is often inadequate, with schools unable to enforce FERPA requirements against large providers.

What are the limitations of FERPA?

FERPA's enforcement mechanism and scope create significant implementation challenges.

The absence of monetary penalties and of a private right of action eliminates financial consequences. Schools cannot be fined for FERPA violations; the only penalty is federal funding withdrawal, which has never been invoked. Students cannot sue for damages (Supreme Court ruled in Gonzaga v. Doe); no monetary compensation exists for privacy violations. The only remedy is correcting education records through FPCO complaints, which doesn't compensate for harm. This lack of financial consequences reduces compliance incentives compared to regulations with monetary penalties.

Education record definition creates classification ambiguity. What constitutes "education record" subject to FERPA protection versus personal notes or observations not subject to protection sometimes remains unclear. Teachers' personal notes or records kept in private possession are not education records. Records maintained by law enforcement or security offices are excluded. Organizations interpret boundaries differently, creating inconsistent application.

Legitimate educational interest determination varies by institution. Schools determine who qualifies as "school official" with legitimate educational interest, leading to significant variation. Some schools define it narrowly (direct teachers and administrators); others define it broadly (any employee with potential student contact). This discretion creates inconsistency in access controls across institutions.

Directory information provisions are overly broad. Schools can classify student name, address, email, and photograph as directory information releasable without consent if schools provide notice and opt-out opportunity. However, many parents don't understand directory information notices or exercise opt-out rights, resulting in disclosure of information many consider private. Some view name plus address as too much directory information for public release.

Third-party compliance verification is difficult. Schools remain responsible for FERPA compliance by contractors and vendors, but many lack resources or expertise to verify vendor practices. Service agreements often include FERPA compliance language without accompanying security assessments or audits. Schools rarely conduct on-site vendor reviews, relying on contractual promises without validation.

FAQs

What qualifies as education records under FERPA?

Education records are documents directly related to students maintained by educational institutions or parties acting on schools' behalf. This includes grades, transcripts, attendance records, test scores, health and immunization records, special education records, disciplinary records, and counseling notes maintained in student files. However, teachers' personal notes or records kept in teachers' private possession are not education records. Records maintained by law enforcement or security offices for law enforcement purposes are excluded. Treatment records maintained by school health professionals solely for treatment purposes are not education records. Sole possession records (personal notes not shared with others) are not education records.

At what age do FERPA rights transfer from parents to students?

FERPA rights transfer to students when they turn 18 OR when they enroll in post-secondary institutions at any age. Once students become eligible students, parents no longer have automatic access to education records. Parents can only access records if the eligible student provides written consent authorizing disclosure. However, eligible students can authorize parental access at any time through signed authorization. Schools can disclose education records to parents of eligible students without consent if students are dependents for tax purposes, but this exception doesn't grant automatic access rights; it only permits disclosure at school discretion.

Can schools disclose student records without consent in emergencies?

Yes. Schools can disclose education records without consent if necessary to protect the health or safety of students or other individuals during emergencies. Schools must act in good faith and use judgment to determine that an emergency exists requiring urgent action. The emergency must be an immediate threat; schools cannot use the emergency exception for routine disclosures or non-urgent situations. Schools' emergency determinations are subject to FPCO review; overly broad interpretations can result in FERPA violations. Schools should document emergency disclosure decisions, including the threat identified, why disclosure was necessary, and who received information.

What can individuals do if they believe schools violated FERPA?

Individuals can file complaints with the Department of Education's Family Policy Compliance Office (FPCO) by mail, email, or online form, describing the alleged violation and providing supporting documentation. FPCO investigates complaints and determines if violations occurred. If violations are found, FPCO issues compliance orders requiring schools to fix procedures and practices. However, there is no private right of action; individuals cannot sue schools for monetary damages under FERPA (Supreme Court ruled in Gonzaga v. Doe, 2002). The only remedies are correction of education records and FPCO compliance orders. No compensation exists for privacy harms resulting from FERPA violations.

Can schools use student data for research without consent?

Schools may disclose education records for research, audits, and evaluations without consent if personally identifiable information is not disclosed or if researchers sign agreements not to further disclose personally identifiable information. However, if research would identify individual students from results, written consent is required. Schools should obtain approval from Institutional Review Boards (IRBs) when required by research oversight policies. De-identified data (information from which all personally identifiable information has been removed and for which a reasonable determination has been made that students cannot be re-identified) is not subject to FERPA restrictions and can be disclosed for research without consent. Schools should maintain documentation of de-identification procedures and researcher agreements.

© 2026 Kinds Security Inc. All rights reserved.
