FERPA and Education Privacy Requirements
The Family Educational Rights and Privacy Act (FERPA) governs access to and disclosure of student education records held by institutions receiving federal funding from the U.S. Department of Education. This page covers the law's scope, enforcement structure, operational mechanisms, and the boundary conditions that determine when disclosure is permissible without consent. Professionals navigating school data governance, institutional compliance programs, or third-party vendor relationships with educational institutions will encounter FERPA as the foundational federal framework in this sector.
Definition and scope
FERPA (20 U.S.C. § 1232g; implemented at 34 CFR Part 99) applies to all educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. This encompasses virtually all public K–12 school districts and accredited colleges and universities. Private elementary and secondary schools that do not receive federal funds fall outside FERPA's direct reach.
FERPA defines education records broadly as records, files, documents, and other materials that contain information directly related to a student and are maintained by an educational agency, institution, or a party acting for or on behalf of the institution (34 CFR § 99.3). Excluded categories include:
- Sole-possession records created by one staff member and not shared
- Law enforcement unit records maintained exclusively for that purpose
- Records of employees who are not also current students
- Records of students 18 or older created after they are no longer enrolled
- Grades on peer-graded papers before an instructor collects and records them
FERPA grants eligible students — or parents of students under age 18 — three core rights: the right to inspect and review education records, the right to request amendment of inaccurate records, and the right to consent to disclosures with limited statutory exceptions. At age 18 or upon enrollment in a postsecondary institution, rights transfer from parent to student. This framework is distinct from HIPAA's privacy rule, which covers health records held by covered healthcare entities rather than school-maintained health records. FERPA similarly differs from COPPA's children's online privacy protections, which apply to commercial operators of websites directed to children rather than to educational institutions themselves.
How it works
FERPA compliance operates through three procedural pillars: notice, access, and controlled disclosure.
Annual notification. Institutions must annually notify eligible students and parents of their FERPA rights. The U.S. Department of Education does not prescribe a specific notice format, but the notification must be reasonably likely to inform students and parents of their rights.
Record inspection. Eligible parties have the right to inspect education records within 45 days of submitting a written request (34 CFR § 99.10). Institutions may charge reasonable fees for copies but cannot charge fees that effectively prevent access.
Consent requirement and exceptions. Written consent is required before disclosing personally identifiable information (PII) from education records. Consent must specify the records to be disclosed, the purpose of disclosure, and the identity of the recipient. The 14 statutory exceptions that permit non-consensual disclosure include:
- School officials with legitimate educational interest
- Officials of schools to which a student seeks to transfer
- Authorized federal and state education authorities conducting audits
- Financial aid determinations
- State and local officials authorized by state statute prior to November 19, 1974
- Accrediting organizations
- Parents of dependent students (as defined by IRS criteria)
- Judicial orders or lawfully issued subpoenas
- Health and safety emergencies
- Directory information (subject to opt-out rights)
- State and local authorities in juvenile justice systems
- Victims of crimes of violence (under limited conditions)
- Results of institutional disciplinary proceedings involving violent crimes
- Sex offender registration information required by other federal laws
Directory information is a distinct FERPA category — fields such as name, address, telephone number, date of enrollment, and degrees awarded that institutions may disclose without consent unless a student has exercised the right to opt out. Institutions must designate which fields constitute directory information and publish that designation.
Common scenarios
Third-party vendor access. When a school contracts with a cloud platform, learning management system, or analytics provider, that vendor functions as a "school official" under FERPA only if the contract establishes the institution's direct control over the use and maintenance of education records and limits use to the educational purpose specified. This is a formal legal determination, not merely a contractual label. Vendor privacy management frameworks within institutional compliance programs must document this designation.
Redisclosure restrictions. A party receiving FERPA-protected records under an exception is generally prohibited from redisclosing PII without the student's consent (34 CFR § 99.33). Research institutions receiving de-identified data must comply with de-identification and anonymization standards to ensure records cannot be re-linked to individual students.
Deceased students. FERPA rights do not automatically transfer to next of kin upon a student's death, though institutions retain discretion to release records to parents or surviving family. No statutory provision mandates disclosure.
Law enforcement records. Campus police records maintained solely by a law enforcement unit for law enforcement purposes are excluded from FERPA entirely, even when the subject is a student.
Decision boundaries
The central compliance question in FERPA is whether a record is an "education record" and whether a proposed disclosure falls within a statutory exception. The Student Privacy Policy Office (SPPO) within the U.S. Department of Education administers FERPA enforcement. Complaints must be filed with SPPO within 180 days of the alleged violation (34 CFR § 99.64).
FERPA does not carry a private right of action — the Supreme Court confirmed this in Gonzaga University v. Doe, 536 U.S. 273 (2002). Enforcement is administrative: substantiated violations can result in termination of federal funding, making institutional compliance a financial risk management issue.
FERPA intersects with state student privacy statutes — more than 40 states have enacted supplemental student data privacy laws as of NCSL's 2023 tracking, some imposing stricter vendor contracting requirements and breach notification timelines than FERPA alone. Professionals mapping the full compliance landscape should cross-reference data breach notification requirements and the broader federal privacy framework governing education sector data flows.
The distinction between FERPA and HIPAA presents a recurring boundary issue. When a K–12 school employs a nurse or counselor and maintains health records, those records are education records under FERPA — not covered medical records under HIPAA — because the school is not a HIPAA-covered entity with respect to its own student health files. This distinction affects which access and disclosure rules apply and which federal office holds enforcement jurisdiction.
References
- FERPA, 20 U.S.C. § 1232g — Cornell Law School Legal Information Institute
- 34 CFR Part 99 — Electronic Code of Federal Regulations, U.S. Department of Education
- Student Privacy Policy Office (SPPO) — U.S. Department of Education
- FERPA Exception Summary — U.S. Department of Education FERPA Exceptions Chart
- Gonzaga University v. Doe, 536 U.S. 273 (2002) — Supreme Court of the United States
- National Conference of State Legislatures — Student Data Privacy Laws Tracker