
What Is FERPA? Student Data Privacy Explained

FERPA explained for US organizations — clear, practical guidance to respect consumer privacy rights. Learn the essentials with CyberSilo.

📅 Published: June 2026 🔐 Cybersecurity • US Privacy • USA ⏱️ 2,200 words

The Family Educational Rights and Privacy Act (FERPA) is a US federal law that protects the privacy of student educational records, granting parents and eligible students (those 18 or older) specific rights to access, amend, and control the disclosure of those records. Enforced by the US Department of Education’s Family Policy Compliance Office (FPCO), FERPA applies to all educational agencies and institutions that receive federal funds under any program administered by the Secretary of Education.

Key takeaways: FERPA applies to all K-12 schools, school districts, and postsecondary institutions that receive US federal education funds. It grants parents and eligible students the right to access records, request amendments, and control disclosures. Violations can result in the loss of federal funding. FERPA intersects with other US privacy laws like HIPAA, state student data laws, and the growing patchwork of state privacy statutes.

What Is FERPA? A Comprehensive Definition

FERPA, codified at 20 U.S.C. § 1232g and implemented by 34 CFR Part 99, establishes a baseline of privacy protections for student educational records. The law has three core pillars:

FERPA applies broadly to any educational institution — including K-12 public schools, private schools, school districts, vocational schools, and colleges — that receives federal funding. The law does not cover private schools that do not participate in federal student aid programs, though many adopt FERPA-like policies voluntarily.

Who Must Comply with FERPA?

FERPA applies to any educational agency or institution that receives funds under any program administered by the US Secretary of Education. This includes virtually all public K-12 schools, school districts, state education agencies, and most postsecondary institutions (public and private) that participate in federal student financial aid programs (Title IV). The law also covers contractors, consultants, and volunteers to whom a school has outsourced institutional services or functions — these third parties must comply with FERPA requirements just as the school itself would (34 CFR § 99.31(a)(1)(i)(B)).

Organizations that receive FERPA-protected information from a school — for example, a research partner performing a study for the school — must also comply with FERPA privacy obligations. Failure to protect FERPA data properly can jeopardize the school’s federal funding eligibility.

What Educational Records Are Protected Under FERPA?

FERPA defines “educational records” broadly as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution (34 CFR § 99.3). This encompasses:

FERPA explicitly excludes certain types of records: sole possession notes (personal memory aids kept by school officials that are not shared), law enforcement unit records, employment records (unless the employment depends on student status), and medical treatment records from a health care provider acting in a treatment capacity (these are governed by HIPAA).

What Rights Do Parents and Eligible Students Have?

FERPA grants parents of minor students (under 18) and eligible students (18 or older or attending a postsecondary institution) the following core rights:

Right to Inspect and Review Records

Under 34 CFR § 99.10, schools must allow parents or eligible students to inspect and review educational records within 45 days of a request. Schools may not destroy records while a request is pending. The school must provide access in a reasonable time and place, and may not charge a fee for the inspection itself (though copying fees may apply).

Right to Request Amendment

If records are inaccurate, misleading, or otherwise in violation of the student's privacy rights, individuals may submit a written request to amend the record (34 CFR § 99.20). The school must decide within a reasonable time. If the request is denied, the school must notify the individual of their right to a formal hearing under 34 CFR § 99.21.

Right to Consent to Disclosures

With limited exceptions, schools must obtain written consent from the parent or eligible student before disclosing personally identifiable information (PII) from educational records (34 CFR § 99.30). The consent must specify the records to be disclosed, the purpose of the disclosure, and the party receiving the information.

Right to File a Complaint

Individuals may file a complaint with the FPCO if they believe their FERPA rights have been violated. The office investigates and can require schools to take corrective action or risk losing federal funding.

FERPA provides several important exceptions to the consent requirement. The most commonly invoked exceptions under 34 CFR § 99.31 include:

How Does FERPA Intersect with Other US Privacy Laws?

FERPA does not exist in a vacuum. Educational institutions increasingly must navigate overlapping privacy obligations from multiple state and federal regimes.

FERPA and HIPAA

FERPA and the Health Insurance Portability and Accountability Act (HIPAA) have a carefully defined relationship. Generally speaking, most health records maintained by a K-12 school are covered by FERPA as “educational records,” not HIPAA. HIPAA’s “treatment records” exception under 45 CFR § 160.103 carves out records held by a treating health care provider — such as a school-employed nurse or psychologist — from FERPA’s definition, but these are still often protected under state law and FERPA’s general framework. When a school contracts with a third-party health provider, the records may fall under HIPAA, creating a dual-compliance scenario.

FERPA and State Student Data Privacy Laws

Many US states have enacted student data privacy laws that supplement FERPA. Examples include:

Federal law (FERPA) provides baseline protections, but state laws may impose stricter requirements — institutions must comply with both.

FERPA and State Privacy Laws (CCPA and CPRA)

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), specifically exempts information collected as part of an educational record from its definition of “personal information” when that collection is subject to FERPA (CCPA § 1798.145(d)(1)). This means CCPA does not apply to FERPA-protected data. However, other school-related data not covered by FERPA — such as non-educational website tracking — may still fall under CCPA.

What Are the Penalties for Violating FERPA?

FERPA has a unique enforcement mechanism: violations do not result in fines or private lawsuits but instead trigger the potential loss of federal funding. If the FPCO determines that a school has violated FERPA, it may issue a notice of noncompliance and, after a hearing, direct the Secretary of Education to withhold all or part of the school’s federal education funds. The FPCO can also issue corrective action orders, such as requiring the school to provide access to records, amend policies, or conduct staff training.

While FERPA itself does not create a private right of action — meaning individuals cannot sue schools directly under FERPA — violations can be evidence in lawsuits under other federal or state laws, including constitutional claims (e.g., Fourteenth Amendment due process) or state tort claims (e.g., invasion of privacy, negligence).

How Can Schools and Third-Party Vendors Achieve FERPA Compliance?

FERPA compliance is an ongoing process of policy, technology, and contractual controls. At its core, compliance requires the following:

Take Control of FERPA Compliance

Educational institutions across the US are facing increasing scrutiny over student data privacy. CyberSilo’s Compliance Standards Automation platform helps schools and third-party vendors manage FERPA obligations alongside other regulatory requirements — with automated policy enforcement, contract management, and real-time compliance monitoring.

How Does FERPA Apply to Third-Party Vendors and Cloud Services?

Modern educational institutions rely heavily on third-party vendors for services ranging from online learning platforms (Canvas, Blackboard, Google Classroom) to assessment tools, data analytics, and cloud storage. FERPA permits schools to disclose educational records to vendors — provided the vendor qualifies as a “school official” with a “legitimate educational interest” (34 CFR § 99.31(a)(1)). The US Department of Education’s guidance mandates that schools must use “reasonable methods” to ensure that vendors with access to PII protect that information (34 CFR § 99.31(a)(1)(i)(B)).

Key requirements for vendor compliance under FERPA include:

The Department of Education’s FERPA and Virtual Learning (March 2020) guidance also notes that schools using video conferencing tools for remote instruction must ensure those tools do not inadvertently disclose student PII, and must follow the same school-official designation process for the video platform provider.

Frequently Asked Questions About FERPA

Below are the most common questions raised by educational institutions, compliance officers, and third-party vendors working under FERPA.

Does FERPA apply to online schools and virtual academies?

Yes. FERPA applies to any educational institution that receives federal funds, regardless of whether instruction is delivered in person or online. Virtual schools, online charter academies, and fully remote programs must comply with all FERPA requirements — including annual notification, access rights, and consent for disclosure.

Can a school disclose student records to law enforcement?

Yes, under the health and safety emergency exception (34 CFR § 99.36), schools may disclose PII to law enforcement when there is an articulable and significant threat to the health or safety of the student or others. This is a case-by-case determination and must be documented. Schools may also comply with a lawfully issued subpoena or court order, provided they make a reasonable effort to notify the parent or eligible student in advance (unless prohibited).

What is the difference between FERPA and HIPAA?

The primary difference is scope. FERPA applies to educational records maintained by schools, including health records kept by school nurses, counselors, and psychologists. HIPAA applies to protected health information maintained by covered entities (healthcare providers, health plans, clearinghouses) engaged in standard electronic transactions. Most school health records are governed by FERPA, not HIPAA. The crossover occurs when a school contracts with a third-party healthcare provider — those records may be covered by HIPAA. Schools operating health clinics or employing healthcare professionals independently should consult with legal counsel to determine which framework applies.

How long must schools retain educational records?

FERPA does not prescribe specific retention periods. Schools must adopt a records retention policy in compliance with state and federal recordkeeping requirements (such as the General Education Provisions Act retention rules). Typically, records must be kept for at least the period during which the student is enrolled and for a reasonable period thereafter. The Department of Education recommends that schools retain records for five years after a student graduates, transfers, or withdraws, though some records (e.g., special education records) may have longer retention requirements under state or federal law.

Does FERPA apply to research studies conducted by universities?

Yes. Under the “studies exception” (34 CFR § 99.31(a)(6)), schools may disclose PII to organizations conducting studies for the purposes of developing, validating, or administering predictive tests; administering student aid programs; or improving instruction. The researcher must enter into a written agreement that limits data use to the study, requires data destruction or return when the study ends, and prohibits re-identification or further disclosure. This exception is commonly used by university research offices and institutional review boards (IRBs) for education research.

What happens if a school violates FERPA?

The FPCO investigates complaints. If it finds a violation, it may issue a notice of noncompliance, require corrective action (e.g., record access, policy revision, staff training), and ultimately withhold federal funding. While the loss of funding is a rare enforcement outcome, the FPCO has the authority to impose it. Additionally, violations can harm the institution’s reputation, expose it to state law claims, and affect its eligibility for federal student aid programs.

Simplify FERPA Compliance with Automated Controls

Achieving FERPA compliance across multiple systems, vendor contracts, and varied access controls is a significant challenge for any educational institution. CyberSilo’s Compliance Standards Automation solution provides centralized policy management, automated vendor due diligence, and continuous compliance monitoring — purpose-built for the education sector’s privacy obligations.

Our Conclusion & Recommendation

FERPA remains a foundational privacy law for the US education sector, but its application has grown increasingly complex in an era of digital learning, third-party cloud services, and state-level student data privacy regulations. Schools, school districts, and postsecondary institutions must take a structured, risk-based approach to FERPA compliance — one that encompasses policy, contract management, technical controls, and ongoing training. Third-party vendors that process student data must be designated as school officials under written agreements that include robust data security requirements, audit rights, and breach notification commitments.

For educational organizations that need to manage FERPA alongside other US privacy obligations — including state student data laws, CCPA/CPRA, HIPAA intersections, and sector-specific requirements — the most efficient path is to adopt a compliance automation platform that centralizes policy enforcement, vendor management, and real-time monitoring. CyberSilo’s Compliance Standards Automation solution is designed to meet this need, helping schools and districts maintain FERPA compliance while reducing administrative burden and minimizing data breach risk.

Ready to Strengthen Your Student Data Privacy Program?

CyberSilo provides FERPA compliance services, including baseline assessments, vendor contract reviews, and implementation of automated compliance controls. Our team works with K-12 districts, colleges, universities, and education technology providers across the US.
