The Family Educational Rights and Privacy Act (FERPA) is a US federal law that protects the privacy of student educational records, granting parents and eligible students (those 18 or older) specific rights to access, amend, and control the disclosure of those records. Enforced by the US Department of Education’s Family Policy Compliance Office (FPCO), FERPA applies to all educational agencies and institutions that receive federal funds under any program administered by the Secretary of Education.
Key takeaways:
- FERPA applies to all K-12 schools, school districts, and postsecondary institutions that receive US federal education funds.
- It grants parents and eligible students the right to access records, request amendments, and control disclosures.
- Violations can result in the loss of federal funding.
- FERPA intersects with other US privacy laws like HIPAA, state student data laws, and the growing patchwork of state privacy statutes.
What Is FERPA? A Comprehensive Definition
FERPA, codified at 20 U.S.C. § 1232g and implemented by 34 CFR Part 99, establishes a baseline of privacy protections for student educational records. The law has three core pillars:
- Access rights: Parents and eligible students have the right to inspect and review the student’s educational records within 45 days of a request (34 CFR § 99.10).
- Amendment rights: If a parent or eligible student believes information in the record is inaccurate, misleading, or violates privacy rights, they may request an amendment (34 CFR § 99.20). If the school denies the request, the individual is entitled to a formal hearing.
- Consent to disclose: Schools must have written permission from the parent or eligible student to release personally identifiable information (PII) from educational records, with specific exceptions (34 CFR § 99.30).
FERPA applies broadly to any educational institution — including K-12 public schools, private schools, school districts, vocational schools, and colleges — that receives federal funding. The law does not cover private schools that do not participate in federal student aid programs, though many adopt FERPA-like policies voluntarily.
Who Must Comply with FERPA?
FERPA applies to any educational agency or institution that receives funds under any program administered by the US Secretary of Education. This includes virtually all public K-12 schools, school districts, state education agencies, and most postsecondary institutions (public and private) that participate in federal student financial aid programs (Title IV). The law also covers contractors, consultants, and volunteers to whom a school has outsourced institutional services or functions — these third parties must comply with FERPA requirements just as the school itself would (34 CFR § 99.31(a)(1)(i)(B)).
Organizations that receive FERPA-protected information from a school — for example, a research partner performing a study for the school — must also comply with FERPA privacy obligations. Failure to protect FERPA data properly can jeopardize the school’s federal funding eligibility.
What Educational Records Are Protected Under FERPA?
FERPA defines “educational records” broadly as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution (34 CFR § 99.3). This encompasses:
- Academic records: transcripts, grades, class schedules, GPA, and academic evaluations
- Disciplinary records: discipline files, suspension/expulsion records, and behavioral reports
- Health and counseling records: school nurse records and counselor notes (with important exemptions for treatment records)
- Admissions records: applications, transcripts from prior schools, and admission decisions
- Financial aid records: FAFSA data, loan records, scholarship documentation
- Special education records: IEP (Individualized Education Program) documents, evaluation reports, and related service records
FERPA explicitly excludes certain types of records: sole possession notes (personal memory aids kept by school officials that are not shared), law enforcement unit records, employment records (unless the employment depends on student status), and medical treatment records from a health care provider acting in a treatment capacity (these are governed by HIPAA).
What Rights Do Parents and Eligible Students Have?
FERPA grants parents of minor students (under 18) and eligible students (18 or older or attending a postsecondary institution) the following core rights:
Right to Inspect and Review Records
Under 34 CFR § 99.10, schools must allow parents or eligible students to inspect and review educational records within 45 days of a request. Schools may not destroy records while a request is pending. The school must provide access in a reasonable time and place, and may not charge a fee for the inspection itself (though copying fees may apply).
Right to Request Amendment
If records are inaccurate, misleading, or violate privacy, individuals may submit a written request to amend the record (34 CFR § 99.20). The school must decide within a reasonable time. If the request is denied, the school must notify the individual of their right to a formal hearing under 34 CFR § 99.21.
Right to Consent to Disclosure
With limited exceptions, schools must obtain written consent from the parent or eligible student before disclosing PII from educational records (34 CFR § 99.30). The consent must specify the records to be disclosed, the purpose of the disclosure, and the party receiving the information.
Right to File a Complaint
Individuals may file a complaint with the FPCO if they believe their FERPA rights have been violated. The office investigates and can require schools to take corrective action or risk losing federal funding.
What Are the Exceptions to FERPA’s Consent Requirement?
FERPA provides several important exceptions to the consent requirement. The most commonly invoked exceptions under 34 CFR § 99.31 include:
- School officials with legitimate educational interest: This includes teachers, administrators, counselors, and contractors performing institutional services. Schools must define “legitimate educational interest” in their annual notification and include contractors as school officials if they meet the criteria (e.g., online learning platforms, assessment providers, data storage vendors).
- Disclosure to other schools: Records may be transferred to a school the student is transferring to or enrolling in, provided the receiving school notifies the parent.
- Health and safety emergencies: To protect the health or safety of the student or others, schools may disclose records without consent (34 CFR § 99.36). This exception is narrowly interpreted and must be based on a genuine emergency.
- Judicial orders and subpoenas: Schools may comply with lawfully issued subpoenas or court orders, though they must make a reasonable effort to notify the parent or eligible student before compliance (unless the subpoena prohibits prior notification).
- Directory information: Schools may disclose “directory information” — such as name, address, phone number, email, date of birth, major, and participation in activities — unless a parent or eligible student opts out. Schools must provide clear notice of what constitutes directory information and the opt-out procedure (34 CFR § 99.37).
- Audits and evaluations: Authorized representatives of audit, evaluation, and enforcement authorities may access records for federal program monitoring.
- Studies by authorized representatives: Organizations conducting studies to improve instruction or for predictive tests may access records under a written agreement that protects PII.
How Does FERPA Intersect with Other US Privacy Laws?
FERPA does not exist in a vacuum. Educational institutions increasingly must navigate overlapping privacy obligations from multiple state and federal regimes.
FERPA and HIPAA
FERPA and the Health Insurance Portability and Accountability Act (HIPAA) have a carefully defined relationship. Generally speaking, most health records maintained by a K-12 school are covered by FERPA as “educational records,” not HIPAA. HIPAA’s “treatment records” exception under 45 CFR § 160.103 carves out records held by a treating health care provider — such as a school-employed nurse or psychologist — from FERPA’s definition, but these are still often protected under state law and FERPA’s general framework. When a school contracts with a third-party health provider, the records may fall under HIPAA, creating a dual-compliance scenario.
FERPA and State Student Data Privacy Laws
Many US states have enacted student data privacy laws that supplement FERPA. Examples include:
- California AB 1584: Requires all contracts between schools and third-party ed-tech vendors to include specific privacy protections, including prohibitions on selling student data and requirements for data security.
- New York Education Law § 2-d: Imposes detailed data privacy and security requirements on educational agencies and their third-party contractors, including breach notification obligations.
- Illinois Student Online Personal Protection Act (SOPPA): Regulates the collection and use of student data by online service providers.
- Texas H.B. 1738: Prohibits the sale of student data and requires parental notification of data breaches.
Federal law (FERPA) provides baseline protections, but state laws may impose stricter requirements — institutions must comply with both.
FERPA and State Privacy Laws (CCPA and CPRA)
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), specifically exempts information collected as part of an educational record from its definition of “personal information” when that collection is subject to FERPA (CCPA § 1798.145(d)(1)). This means CCPA does not apply to FERPA-protected data. However, other school-related data not covered by FERPA — such as non-educational website tracking — may still fall under CCPA.
What Are the Penalties for Violating FERPA?
FERPA has a unique enforcement mechanism: violations do not result in fines or private lawsuits but instead trigger the potential loss of federal funding. If the FPCO determines that a school has violated FERPA, it may issue a notice of noncompliance and, after a hearing, direct the Secretary of Education to withhold all or part of the school’s federal education funds. The FPCO can also issue corrective action orders, such as requiring the school to provide access to records, amend policies, or conduct staff training.
While FERPA itself does not create a private right of action — meaning individuals cannot sue schools directly under FERPA — violations can be evidence in lawsuits under other federal or state laws, including constitutional claims (e.g., Fourteenth Amendment due process) or state tort claims (e.g., invasion of privacy, negligence).
How Can Schools and Third-Party Vendors Achieve FERPA Compliance?
FERPA compliance is an ongoing process of policy, technology, and contractual controls. At its core, compliance requires the following:
- Annual notification: Schools must notify parents and eligible students annually of their FERPA rights, including how to access records, request amendments, and opt out of directory information disclosures (34 CFR § 99.7).
- Defined legitimate educational interest: Schools must clearly document and communicate who qualifies as a school official and under what circumstances access is permitted. Third-party vendors and contractors should be designated as school officials in written agreements that specify permissible uses and require data safeguards.
- Data security for electronic records: Since educational records are increasingly digital, schools must implement technical safeguards: access controls (role-based permissions), audit logs, encryption in transit (TLS 1.2+) and at rest (AES-256), and multi-factor authentication for systems containing PII.
- Vendor contract management: Every contract with a cloud service provider, learning management system (LMS), assessment platform, or analytics vendor that will access student data must include clear FERPA-compliant provisions: limits on data use (only for the contracted service), prohibitions on secondary use or data sale, security requirements, breach notification timelines, and data deletion commitments.
- Breach response plan: While FERPA does not have a specific breach notification requirement (other than state laws that may apply), schools must still document and report unauthorized disclosures to the FPCO and affected individuals as a matter of best practice.
- Training and auditing: Regular training for all staff who handle student records, and periodic internal audits of access logs and disclosure records, are essential for maintaining compliance.
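The periodic audit of access logs and disclosure records described above can be partly automated. The following Python script is an added example, not code from this page or from CyberSilo's platform: it reads constructed JSON-lines log entries and flags record accesses by roles the school has not designated as school officials, disclosures with no written consent and no 34 CFR § 99.31 exception, directory-information releases to students who opted out, emergency disclosures with no documented threat, and subpoena disclosures where no notice attempt was recorded. The log format, field names, role set and exception labels are assumptions; a real deployment would map them onto the school's own systems and annual notification.

```python
"""Audit access/disclosure log entries for educational records against the FERPA
rules summarised on this page. Added illustrative example using constructed data;
the log schema, field names and role set are assumptions, not a real product's."""
import json
from dataclasses import dataclass

# Roles the school has designated as "school officials" in its annual notification.
# Assumed set: each school defines its own list in its FERPA notice.
SCHOOL_OFFICIAL_ROLES = {"teacher", "counselor", "registrar", "designated_vendor"}

# Labels for the 34 CFR 99.31 exceptions this audit recognises (assumed names).
RECOGNISED_EXCEPTIONS = {
    "legitimate_educational_interest",
    "transfer_school",
    "health_safety_emergency",
    "subpoena",
    "directory_information",
    "audit_evaluation",
    "study_agreement",
}


@dataclass(frozen=True)
class Finding:
    event_id: str
    reason: str


def check_entry(e: dict) -> list[Finding]:
    """Return the compliance findings for one log entry (empty list = no issue)."""
    findings: list[Finding] = []
    eid = e["event_id"]
    basis = e.get("basis")

    if e["action"] == "access":
        # Internal access to a record must come from a designated school official.
        if e["actor_role"] not in SCHOOL_OFFICIAL_ROLES:
            findings.append(Finding(eid, "access by a non-school-official role"))
        return findings

    # action == "disclose": PII released to a party outside the school.
    if basis == "written_consent":
        return findings  # parent / eligible-student consent on file
    if basis not in RECOGNISED_EXCEPTIONS:
        findings.append(Finding(eid, "disclosure without consent or a 99.31 exception"))
        return findings
    # Directory information may not be released to a student who opted out.
    if basis == "directory_information" and e.get("student_opted_out"):
        findings.append(Finding(eid, "directory information released despite opt-out"))
    # Health/safety emergency disclosures must be documented case by case.
    if basis == "health_safety_emergency" and not e.get("justification"):
        findings.append(Finding(eid, "emergency disclosure lacks documented threat"))
    # Subpoena disclosures need a reasonable notice effort unless notice is prohibited.
    if basis == "subpoena" and not (e.get("parent_notified") or e.get("notice_prohibited")):
        findings.append(Finding(eid, "subpoena disclosure without notice attempt"))
    return findings


def audit_log(jsonl: str) -> list[Finding]:
    """Audit every non-blank JSON line and collect the findings in log order."""
    out: list[Finding] = []
    for line in jsonl.splitlines():
        if line.strip():
            out.extend(check_entry(json.loads(line)))
    return out


# Constructed sample log (not real data). One JSON object per line.
SAMPLE_LOG = """
{"event_id": "e1", "action": "access", "actor_role": "teacher", "student_id": "S100"}
{"event_id": "e2", "action": "access", "actor_role": "cafeteria_staff", "student_id": "S100"}
{"event_id": "e3", "action": "disclose", "actor_role": "registrar", "student_id": "S101", "recipient": "employer", "basis": null}
{"event_id": "e4", "action": "disclose", "actor_role": "registrar", "student_id": "S102", "recipient": "alumni_office", "basis": "directory_information", "student_opted_out": true}
{"event_id": "e5", "action": "disclose", "actor_role": "counselor", "student_id": "S103", "recipient": "police", "basis": "health_safety_emergency", "justification": "articulable threat documented in incident file"}
{"event_id": "e6", "action": "disclose", "actor_role": "registrar", "student_id": "S104", "recipient": "court", "basis": "subpoena", "parent_notified": false, "notice_prohibited": false}
{"event_id": "e7", "action": "disclose", "actor_role": "registrar", "student_id": "S105", "recipient": "next_school", "basis": "written_consent"}
"""

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f.event_id}: {f.reason}")
```

Run against the constructed log, the script reports e2, e3, e4 and e6 and passes e1, e5 and e7. The checks encode only the conditions this page names; a school would extend the rule set from its own annual notification and vendor agreements, and feed the output into the disclosure record it is already required to keep.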
Take Control of FERPA Compliance
Educational institutions across the US are facing increasing scrutiny over student data privacy. CyberSilo’s Compliance Standards Automation platform helps schools and third-party vendors manage FERPA obligations alongside other regulatory requirements — with automated policy enforcement, contract management, and real-time compliance monitoring.
How Does FERPA Apply to Third-Party Vendors and Cloud Services?
Modern educational institutions rely heavily on third-party vendors for services ranging from online learning platforms (Canvas, Blackboard, Google Classroom) to assessment tools, data analytics, and cloud storage. FERPA permits schools to disclose educational records to vendors — provided the vendor qualifies as a “school official” with a “legitimate educational interest” (34 CFR § 99.31(a)(1)). The US Department of Education’s guidance mandates that schools must use “reasonable methods” to ensure that vendors with access to PII protect that information (34 CFR § 99.31(a)(1)(i)(B)).
Key requirements for vendor compliance under FERPA include:
- Written agreement: The school and vendor must have a contract that designates the vendor as a school official, specifies the records being disclosed, limits the vendor’s use of data to the contracted service, and prohibits further disclosure by the vendor.
- Direct control: The vendor must be under the “direct control” of the school. The Department of Education’s 2014 guidance clarified that the vendor’s use of student data must be limited to the purpose for which it was disclosed, and the school must retain oversight and termination rights.
- Data protection: The vendor must implement administrative, technical, and physical safeguards to protect PII from unauthorized access or disclosure. Industry-standard encryption (AES-256 for storage, TLS 1.2+ for transit), access controls, and incident response capabilities are essential.
- Breach notification: While FERPA does not prescribe a specific notification timeline, schools should contractually require vendors to notify the school immediately — and in any event within 24-48 hours — of any confirmed data breach or unauthorized disclosure of student PII.
- Audit rights: Schools should retain the right to audit the vendor’s data handling practices, including through third-party assessments (SOC 2 Type II, ISO 27001 certification, or equivalent).
The Department of Education’s FERPA and Virtual Learning (March 2020) guidance also notes that schools using video conferencing tools for remote instruction must ensure those tools do not inadvertently disclose student PII, and must follow the same school-official designation process for the video platform provider.
Frequently Asked Questions About FERPA
Below are the most common questions raised by educational institutions, compliance officers, and third-party vendors working under FERPA.
Does FERPA apply to online schools and virtual academies?
Yes. FERPA applies to any educational institution that receives federal funds, regardless of whether instruction is delivered in person or online. Virtual schools, online charter academies, and fully remote programs must comply with all FERPA requirements — including annual notification, access rights, and consent for disclosure.
Can a school disclose student records to law enforcement?
Yes, under the health and safety emergency exception (34 CFR § 99.36), schools may disclose PII to law enforcement when there is an articulable and significant threat to the health or safety of the student or others. This is a case-by-case determination and must be documented. Schools may also comply with a lawfully issued subpoena or court order, provided they make a reasonable effort to notify the parent or eligible student in advance (unless prohibited).
What is the difference between FERPA and HIPAA?
The primary difference is scope. FERPA applies to educational records maintained by schools, including health records kept by school nurses, counselors, and psychologists. HIPAA applies to protected health information maintained by covered entities (healthcare providers, health plans, clearinghouses) engaged in standard electronic transactions. Most school health records are governed by FERPA, not HIPAA. The crossover occurs when a school contracts with a third-party healthcare provider — those records may be covered by HIPAA. Schools operating health clinics or employing healthcare professionals independently should consult with legal counsel to determine which framework applies.
How long must schools retain educational records?
FERPA does not prescribe specific retention periods. Schools must adopt a records retention policy in compliance with state and federal recordkeeping requirements (such as the General Education Provisions Act retention rules). Typically, records must be kept for at least the period during which the student is enrolled and for a reasonable period thereafter. The Department of Education recommends that schools retain records for five years after a student graduates, transfers, or withdraws, though some records (e.g., special education records) may have longer retention requirements under state or federal law.
Does FERPA apply to research studies conducted by universities?
Yes. Under the “studies exception” (34 CFR § 99.31(a)(6)), schools may disclose PII to organizations conducting studies for the purposes of developing, validating, or administering predictive tests; administering student aid programs; or improving instruction. The researcher must enter into a written agreement that limits data use to the study, requires data destruction or return when the study ends, and prohibits re-identification or further disclosure. This exception is commonly used by university research offices and institutional review boards (IRBs) for education research.
What happens if a school violates FERPA?
The FPCO investigates complaints. If it finds a violation, it may issue a notice of noncompliance, require corrective action (e.g., record access, policy revision, staff training), and ultimately withhold federal funding. While the loss of funding is a rare enforcement outcome, the FPCO has the authority to impose it. Additionally, violations can harm the institution’s reputation, expose it to state law claims, and affect its eligibility for federal student aid programs.
Simplify FERPA Compliance with Automated Controls
Achieving FERPA compliance across multiple systems, vendor contracts, and varied access controls is a significant challenge for any educational institution. CyberSilo’s Compliance Standards Automation solution provides centralized policy management, automated vendor due diligence, and continuous compliance monitoring — purpose-built for the education sector’s privacy obligations.
Our Conclusion & Recommendation
FERPA remains a foundational privacy law for the US education sector, but its application has grown increasingly complex in an era of digital learning, third-party cloud services, and state-level student data privacy regulations. Schools, school districts, and postsecondary institutions must take a structured, risk-based approach to FERPA compliance — one that encompasses policy, contract management, technical controls, and ongoing training. Third-party vendors that process student data must be designated as school officials under written agreements that include robust data security requirements, audit rights, and breach notification commitments.
For educational organizations that need to manage FERPA alongside other US privacy obligations — including state student data laws, CCPA/CPRA, HIPAA intersections, and sector-specific requirements — the most efficient path is to adopt a compliance automation platform that centralizes policy enforcement, vendor management, and real-time monitoring. CyberSilo’s Compliance Standards Automation solution is designed to meet this need, helping schools and districts maintain FERPA compliance while reducing administrative burden and minimizing data breach risk.
Ready to Strengthen Your Student Data Privacy Program?
CyberSilo provides FERPA compliance services, including baseline assessments, vendor contract reviews, and implementation of automated compliance controls. Our team works with K-12 districts, colleges, universities, and education technology providers across the US.
