FERPA: Educational Records Data Protection
The Family Educational Rights and Privacy Act (FERPA) governs how educational institutions receiving federal funding collect, maintain, and disclose student records. Administered by the U.S. Department of Education, FERPA establishes rights for parents and eligible students, enforced administratively by the Department rather than through private lawsuits, while setting firm boundaries on institutional disclosure practices. Understanding where FERPA applies, and where its protections end, is essential for compliance professionals, school administrators, and researchers working across the K–12 and postsecondary education sectors.
Definition and Scope
FERPA, codified at 20 U.S.C. § 1232g and implemented through regulations at 34 C.F.R. Part 99, applies to all educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. Because participation in federal student aid programs counts, this coverage extends to virtually every public K–12 school district and to most postsecondary institutions, public and private. Private elementary and secondary schools that take no Department funds are not covered.
The statute protects education records: records, files, documents, and other materials that contain information directly related to a student and are maintained by an educational agency or institution, or by a party acting for it. This definition is broad, encompassing transcripts, disciplinary records, financial aid files, health records held by a school (K–12 nurse records, for example), and email and other electronic communications that the institution maintains. The regulations at 34 C.F.R. § 99.3 carve out several categories: sole-possession records (personal notes kept by an individual staff member as a memory aid and shared with no one except a temporary substitute), records created and maintained by a school's law enforcement unit solely for law enforcement purposes, employment records unrelated to the person's status as a student, treatment records of eligible students made by a health professional and used only for treatment, and alumni records created after the individual is no longer in attendance. A document leaves an exclusion as soon as it is shared or used for another purpose; a faculty member's private notes become an education record once they are placed in a shared file.
FERPA rights transfer from the parent to the student, who then becomes an "eligible student", when the student turns 18 or enrolls in a postsecondary institution at any age; from that point the student, not the parent, holds the consent rights. This transition point creates distinct operational obligations across K–12 and higher education environments. For a broader map of federal data protection frameworks, see U.S. Data Protection Laws Overview.
How It Works
FERPA operates through two primary mechanisms: access rights and disclosure restrictions.
Access rights grant eligible students (or parents of minor students) the right to:
- Inspect and review their education records within 45 days of a request
- Request amendment of records they believe are inaccurate or misleading
- Receive a formal hearing if the institution denies an amendment request
Disclosure restrictions prohibit institutions from releasing personally identifiable information from education records without prior written consent, subject to the exceptions enumerated in 34 C.F.R. § 99.31(a), of which there are more than a dozen. They include disclosures to school officials with a legitimate educational interest, to other schools in which the student seeks or intends to enroll, to parents of a dependent student, in a health or safety emergency, and pursuant to judicial orders or lawfully issued subpoenas. Most nonconsensual disclosures must be logged in the student's record (34 C.F.R. § 99.32; directory information and disclosures to school officials are among the exceptions), and recipients are generally barred from redisclosing the information (34 C.F.R. § 99.33).
The directory information exception allows institutions to designate certain record categories, such as name, enrollment status, dates of attendance, degrees and honors received, and participation in officially recognized activities, as releasable without consent, provided the institution has given annual public notice of the categories and of the right to opt out, and honors each opt-out. A Social Security number may never be designated as directory information, and a student ID number only if it cannot be used to gain access to education records without an additional authenticator such as a PIN or password. Institutions must define their directory information categories in published annual notices.
Enforcement authority rests with the Department of Education's Student Privacy Policy Office (SPPO), successor to the Family Policy Compliance Office (FPCO) that older guidance documents still name. FERPA creates no private right of action (Gonzaga University v. Doe, 2002); complaints go to the Department. Substantiated violations can result in withdrawal of federal funding once an institution refuses to comply voluntarily, though the Department has historically pursued compliance through findings letters and corrective action plans rather than funding termination. Institutions handling overlapping health data should cross-reference obligations under HIPAA Data Protection Requirements, as the two frameworks interact when school-based health clinics are involved.
Common Scenarios
FERPA compliance questions arise most frequently in the following operational contexts:
- Third-party vendor contracts: When institutions engage software vendors, cloud storage providers, or analytics platforms that access student records, those vendors must qualify as "school officials" with a legitimate educational interest under 34 C.F.R. § 99.31(a)(1)(i)(B): the vendor performs an institutional service or function for which the institution would otherwise use employees, is under the institution's direct control with respect to the use and maintenance of the records, and is bound by the redisclosure limits of § 99.33. The contract should state those terms, restrict use of the data to the contracted service, and require return or destruction at termination. Failure to structure these contracts correctly converts the vendor into an unauthorized third-party recipient. See Third-Party Vendor Data Security for compliance framework considerations.
- Research disclosures: FERPA offers two routes for research without consent. Under the studies exception (34 C.F.R. § 99.31(a)(6)), identifiable data may go to an organization conducting studies for, or on behalf of, the institution, but only under a written agreement that states the purpose, scope, and duration of the study, limits use of the data to that purpose, and requires destruction of the data when it is no longer needed. Alternatively, de-identified data may be released to anyone under § 99.31(b), provided a reasonable person in the school community could not identify a student with reasonable certainty; the institution must account for other information already released and for small cell sizes in tabulations, not merely strip names and ID numbers. Researchers working under IRB protocols must align those protocols with whichever route the institution uses.
- Law enforcement access: Institutions may disclose records without consent in response to a lawfully issued subpoena, but must make a reasonable effort to notify the student in advance unless the subpoena prohibits such notice.
- Parent access at the postsecondary level: Once a student reaches 18 or enrolls in college, the institution may disclose records to a parent only with the student's written consent or under an exception, most commonly that the student is claimed as a dependent for federal tax purposes (26 U.S.C. § 152; 34 C.F.R. § 99.31(a)(8)). Disclosure to the parents of a dependent student is permitted, not required, so institutions should adopt and document a consistent policy.
- Data breach notification: FERPA does not contain a standalone breach notification requirement, but Data Breach Notification Requirements at the state level frequently apply to education records containing personally identifiable information.
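The small-cell problem mentioned under research disclosures is the part of de-identification that name-stripping alone does not solve: a tabulation with a cell of 1 or 2 students, combined with a published row or column total, can point at an individual. The following is an added example, not code from the page or from the Department of Education, showing primary suppression of small cells followed by complementary suppression so that no suppressed cell can be recovered from its marginal totals. The student records are constructed and fictional, the "program" and "group" attributes are assumed, and the minimum reportable count of 10 is an assumed policy value that each institution sets for itself.

```python
"""Small-cell suppression for a de-identified data release (added example).

Assumptions: per-student records with 'program' and 'group' attributes
(constructed here), and a minimum reportable cell count of 10.
"""
from collections import Counter

MIN_CELL = 10  # assumed policy threshold; not prescribed by FERPA

# Constructed, fictional counts; expanded into per-student rows below.
CONSTRUCTED_COUNTS = {
    ("History", "Group A"): 30, ("History", "Group B"): 20, ("History", "Group C"): 16,
    ("Nursing", "Group A"): 42, ("Nursing", "Group B"): 3,  ("Nursing", "Group C"): 25,
    ("Physics", "Group A"): 18, ("Physics", "Group B"): 12, ("Physics", "Group C"): 11,
}


def constructed_records():
    """Expand the counts into per-student dicts. The student_id is the kind
    of direct identifier that must never appear in the released table."""
    records, sid = [], 1000
    for (program, group), n in CONSTRUCTED_COUNTS.items():
        for _ in range(n):
            records.append({"student_id": f"S{sid}", "program": program, "group": group})
            sid += 1
    return records


def build_table(records, row_key, col_key):
    """Cross-tabulate records by two attributes; every row/col pair gets a count."""
    rows = sorted({r[row_key] for r in records})
    cols = sorted({r[col_key] for r in records})
    counts = Counter((r[row_key], r[col_key]) for r in records)
    return {(row, col): counts[(row, col)] for row in rows for col in cols}


def suppress_small_cells(table, min_cell=MIN_CELL):
    """Primary suppression hides cells with 1..min_cell-1 students (a true
    zero identifies nobody). Complementary suppression then hides one more
    cell in any row or column that has exactly one hidden cell, because a
    lone hidden cell equals the marginal total minus the published cells.
    Repeats until no row or column has exactly one hidden cell."""
    rows = sorted({r for r, _ in table})
    cols = sorted({c for _, c in table})
    hidden = {cell for cell, n in table.items() if 0 < n < min_cell}
    lines = [[(r, c) for c in cols] for r in rows] + [[(r, c) for r in rows] for c in cols]
    changed = True
    while changed:
        changed = False
        for line in lines:
            if sum(cell in hidden for cell in line) != 1:
                continue
            candidates = [cell for cell in line if cell not in hidden]
            # Hide the smallest remaining cell to minimise information loss;
            # the key tuple makes tie-breaking deterministic.
            hidden.add(min(candidates, key=lambda cell: (table[cell], cell)))
            changed = True
    return {cell: (None if cell in hidden else n) for cell, n in table.items()}


def unsafe_lines(published):
    """Independent check: any row or column with exactly one suppressed cell
    leaks that cell through its marginal total. Returns [] when safe."""
    rows = sorted({r for r, _ in published})
    cols = sorted({c for _, c in published})
    bad = [("row", r) for r in rows if sum(published[(r, c)] is None for c in cols) == 1]
    bad += [("col", c) for c in cols if sum(published[(r, c)] is None for r in rows) == 1]
    return bad


def release_table(records, row_key="program", col_key="group", min_cell=MIN_CELL):
    """Build the cross-tab from raw records and return the releasable version."""
    return suppress_small_cells(build_table(records, row_key, col_key), min_cell)


def render(published):
    """Plain-text view with suppressed cells shown as '*'."""
    rows = sorted({r for r, _ in published})
    cols = sorted({c for _, c in published})
    out = ["program".ljust(10) + "".join(c.rjust(10) for c in cols)]
    for r in rows:
        cells = ["*" if published[(r, c)] is None else str(published[(r, c)]) for c in cols]
        out.append(r.ljust(10) + "".join(v.rjust(10) for v in cells))
    return "\n".join(out)


if __name__ == "__main__":
    released = release_table(constructed_records())
    print(render(released))
    print("leaking lines:", unsafe_lines(released))
```

On the constructed data only Nursing/Group B (3 students) fails the threshold, but publishing the other eight cells with totals would reveal it, so the routine also hides Nursing/Group C, Physics/Group B, and Physics/Group C, leaving a 2x2 block that cannot be solved from the marginals. Complementary suppression prevents exact recovery; it does not prevent an analyst from bounding the hidden values, and a release that will be combined with earlier tables needs the Department's disclosure avoidance guidance (studentprivacy.ed.gov) rather than this minimal check.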
Decision Boundaries
FERPA intersects and diverges from other federal privacy frameworks in structurally important ways:
| Dimension | FERPA | HIPAA (as applied to schools) | COPPA |
|---|---|---|---|
| Governing body | Dept. of Education (FPCO) | HHS Office for Civil Rights | FTC |
| Primary covered entity | Educational institutions receiving federal funds | Covered entities (health plans, clearinghouses, and providers that transmit health information electronically) and their business associates | Operators of websites/online services directed at children under 13, or with actual knowledge of child users |
| Consent holder (minor) | Parent until the student turns 18 or enrolls in postsecondary education | Parent as personal representative, subject to state minor-consent law | Parent |
| Enforcement mechanism | Federal funding conditions; no private right of action | Civil monetary penalties tiered by culpability, with an inflation-adjusted annual cap per identical provision (about $2 million after the 2023 adjustment); criminal penalties for knowing misuse | Civil penalties per violation, inflation-adjusted annually ($51,744 under the 2024 adjustment; 16 C.F.R. Part 312) |
When a postsecondary institution's campus clinic maintains health records on enrolled students, those records are generally "treatment records" excluded from FERPA's definition of education records, and the HIPAA Privacy Rule in turn excludes from protected health information any records covered by FERPA, including treatment records; the joint HHS/ED guidance on the two laws should be consulted to determine which rules apply to a given record rather than assuming HIPAA governs. Treatment records lose their excluded status if used for any purpose other than treatment, and records of non-student patients at the same clinic are ordinary HIPAA protected health information. In K–12 schools, records kept by a school nurse are education records under FERPA, not HIPAA. When COPPA applies to an ed-tech platform serving K–12 students, FERPA compliance by the district does not substitute for the platform's independent COPPA obligations. For children's data protections outside the school context, see COPPA Children's Data Protection.
The data subject rights framework under FERPA is narrower than emerging state-level consumer privacy rights — FERPA provides inspection and amendment rights but does not include deletion rights comparable to those in the California Consumer Privacy Act. Institutions operating in states with comprehensive privacy statutes must layer state obligations on top of FERPA's baseline. For state-level comparisons, see State Data Privacy Laws Comparison.
References
- Family Educational Rights and Privacy Act — 20 U.S.C. § 1232g
- 34 C.F.R. Part 99 — FERPA Implementing Regulations (eCFR)
- U.S. Department of Education — Student Privacy Policy Office (studentprivacy.ed.gov)
- Family Policy Compliance Office (FPCO) — U.S. Department of Education
- HHS Office for Civil Rights — HIPAA Enforcement
- FTC — Children's Online Privacy Protection Rule, 16 C.F.R. Part 312
- NIST Privacy Framework (csrc.nist.gov)