Student Data Privacy & FERPA Guide: School Records Rights (2026)

Schools collect an enormous volume of data about students: grades, attendance records, disciplinary actions, health information, special education evaluations, standardized test scores, and increasingly, digital activity through learning management systems and ed-tech platforms. The Family Educational Rights and Privacy Act, known as FERPA, is the primary federal law governing who can access this information and under what circumstances.

This guide covers FERPA's core requirements, the exceptions that allow disclosure without consent, the growing role of state student privacy laws, and how ed-tech vendors fit into the picture. For related children's privacy topics, see our COPPA Compliance Guide and Children's Online Privacy by State.

What Is FERPA?

Congress enacted the Family Educational Rights and Privacy Act in 1974 (20 U.S.C. § 1232g), also known as the Buckley Amendment. The law applies to all educational agencies and institutions that receive funding from programs administered by the U.S. Department of Education.

FERPA grants two fundamental rights:

1. The right to inspect and review education records maintained by the school
2. The right to request amendment of records the parent or student believes are inaccurate or misleading

The law also restricts schools from disclosing personally identifiable information (PII) from education records without written consent, subject to specific exceptions.

The U.S. Department of Education's Family Policy Compliance Office (FPCO) administers and enforces FERPA. Unlike COPPA, which carries civil monetary penalties, FERPA enforcement works through the funding mechanism: schools that violate FERPA risk losing federal funding, though the Department has never actually terminated funding over a FERPA violation. Instead, FPCO investigates complaints and issues findings and corrective actions.

Who Is Protected Under FERPA?

FERPA protects "education records" of students at institutions that receive federal education funding. This covers:

• Virtually every public elementary and secondary school in the United States
• Most public and private colleges and universities (those accepting federal financial aid, Pell Grants, or other DOE-administered funds)
• Some vocational and technical schools
• State education agencies

A small number of private schools that receive no federal funding at any level are not subject to FERPA. Religious schools that decline federal funding may also fall outside FERPA's scope, though they may still be subject to state student privacy laws.

What Are Education Records?

Under 34 C.F.R. § 99.3, "education records" are records that are directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution.

Education records include:

• Transcripts, grades, and GPA
• Class schedules and enrollment information
• Financial aid records
• Disciplinary records
• Special education records (IEPs, 504 plans)
• Attendance records
• Student ID numbers and Social Security numbers
• Email and digital records maintained by the school or its vendors

Records specifically excluded from FERPA's definition include:

• Sole possession records: Notes kept by a school official that are not shared with anyone else (a teacher's personal notes about a student's behavior)
• Law enforcement unit records: Records created and maintained by a school's campus police unit for law enforcement purposes
• Employment records: Records of a student who is employed by the school (unless employment is contingent on student status)
• Medical/treatment records: Records made by physicians, psychiatrists, or psychologists for treatment purposes (these are governed by HIPAA or state medical privacy laws)
• Alumni records: Information collected after the individual is no longer a student

Parent Rights vs. Student Rights

FERPA rights initially belong to the parent or guardian. These rights transfer to the student when the student turns 18 or enrolls in a postsecondary institution at any age. The student then becomes an "eligible student" under FERPA.

Once rights transfer, the school must obtain the student's consent before disclosing education records, even to the student's parents. However, FERPA includes an exception allowing schools to disclose records to parents of a dependent student as defined under Section 152 of the Internal Revenue Code (26 U.S.C. § 152). Most traditional-aged college students qualify as dependents on their parents' tax returns.

Schools can also disclose records to parents if the student has violated a law or school policy regarding alcohol or controlled substances and the student is under 21. This exception, added by the Higher Education Amendments of 1998, was designed to address binge drinking on college campuses.

The Right to Inspect and Review

Parents or eligible students have the right to inspect and review education records within 45 days of making a request. Schools are not required to provide copies of records (and may charge for copies) but must provide access. Schools cannot destroy records if a pending request to inspect them exists.

The Right to Request Amendment

If a parent or eligible student believes a record is inaccurate, misleading, or in violation of the student's privacy rights, they can request that the school amend the record. If the school refuses, the parent or student has the right to a formal hearing. If the hearing does not resolve the dispute, the parent or student can place a statement in the record explaining their objection.

This right does not extend to grade challenges. FERPA does not give parents or students the right to challenge a grade on substantive grounds; it only addresses whether the record accurately reflects the grade that was given.

Directory Information

Directory information is a category of education records that schools may disclose without consent. Under 34 C.F.R. § 99.3, directory information can include:

• Student's name
• Address and telephone number
• Email address
• Date and place of birth
• Dates of attendance
• Grade level and enrollment status
• Degrees, honors, and awards received
• Most recent previous school attended
• Participation in officially recognized activities and sports
• Weight and height of athletic team members
• Photograph

Schools must notify parents annually of what information the school designates as directory information and provide a reasonable period for parents to opt out of disclosure. If a parent opts out, the school must suppress that student's information from all directory disclosures, including yearbooks, graduation programs, and sports rosters.

Schools set their own directory information policies. A school could designate only the student's name and grade level as directory information, or it could include all categories permitted under FERPA.

Exceptions to Consent Requirements

FERPA's general rule requires written consent before disclosing education records. The exceptions listed in 34 C.F.R. § 99.31 are specific and enumerated:

School Officials with Legitimate Educational Interest

Schools can disclose records to other school officials (teachers, administrators, counselors, school nurses) within the institution who have a legitimate educational interest. Schools must define "legitimate educational interest" in their annual FERPA notification. This exception also covers contractors, consultants, and volunteers performing services the school would otherwise use its own employees to perform, which is the primary basis for sharing data with ed-tech vendors.

Transfer to Another School

Schools can disclose records to officials at another school where the student seeks to enroll or is already enrolled, as long as the disclosure is for enrollment or transfer purposes. The school must make a reasonable attempt to notify the parent or eligible student.

Financial Aid

Records can be disclosed to determine eligibility for financial aid, determine the amount, determine conditions, or enforce the terms of the aid.

Accreditation Organizations

Disclosure to accrediting organizations for accreditation purposes is permitted.

Judicial Order or Subpoena

Schools can disclose records in response to a judicial order or lawfully issued subpoena. The school must make a reasonable effort to notify the parent or eligible student before complying, unless the court order specifically prohibits notification (as with certain grand jury or law enforcement subpoenas).

Health or Safety Emergency

In connection with an emergency, schools can disclose records to appropriate parties (law enforcement, public health officials, medical personnel) if the information is necessary to protect the health or safety of the student or other individuals. This exception is strictly construed: the threat must be articulable and significant, and the disclosure must be limited to the period of the emergency.

State and Local Education Authorities

State and local education officials can access records for auditing, evaluating, or enforcing federal or state education programs. These officials must maintain the data in compliance with FERPA.

Studies and Research

Schools can disclose records to organizations conducting studies for or on behalf of the school for purposes of developing or administering predictive tests, administering student aid programs, or improving instruction. The receiving organization must maintain data security, destroy information when it is no longer needed, and refrain from disclosing PII.

Ed-Tech Vendor Obligations

The expansion of digital learning has created a significant FERPA compliance challenge. When schools adopt learning management systems, student information systems, assessment platforms, and classroom tools, the vendors operating those platforms access student education records.

Under FERPA, ed-tech vendors can receive student data through the "school official" exception if:

• The vendor performs a service that the school would otherwise perform itself
• The vendor is under the school's direct control regarding the use and maintenance of education records
• The vendor uses the records only for the purposes for which the disclosure was made
• The vendor does not re-disclose the information without consent

The Department of Education's Privacy Technical Assistance Center (PTAC) provides guidance on vendor agreements. PTAC recommends that schools execute written agreements specifying the data to be disclosed, the purposes for use, data security requirements, and breach notification obligations.

The critical distinction: a vendor receiving data under the school official exception cannot use that data for its own commercial purposes (advertising, product development outside the contract, building user profiles). The FTC's 2023 enforcement action against Edmodo illustrated this principle, as the FTC banned Edmodo from using student data for advertising.

The Protection of Pupil Rights Amendment (PPRA)

The Protection of Pupil Rights Amendment (PPRA) (20 U.S.C. § 1232h) is a separate federal law often discussed alongside FERPA. PPRA governs surveys, analyses, and evaluations funded by the U.S. Department of Education.

PPRA requires schools to:

• Obtain written parental consent before administering surveys that reveal information about political affiliations, mental health, sexual behavior, illegal conduct, religious practices, income, or other sensitive topics
• Notify parents of any survey collecting sensitive information and provide the opportunity to opt out
• Allow parents to inspect survey materials before administration
• Notify parents of the school's policies regarding surveys and physical examinations

PPRA was amended by the No Child Left Behind Act in 2002 to expand its scope to include activities funded by any source, not just federal programs. The Department of Education enforces PPRA through the same complaint process used for FERPA.

State Student Privacy Laws

Recognizing that FERPA's enforcement mechanism (potential loss of federal funding) rarely results in consequences, many states have enacted their own student privacy laws with stronger teeth.

California: SOPIPA

California's Student Online Personal Information Protection Act (SOPIPA) (SB 1177, 2014) was the first major state student privacy law. SOPIPA applies directly to operators of websites, online services, and apps used for K-12 school purposes.

Under SOPIPA, covered operators cannot:

• Use student information for targeted advertising
• Sell student information
• Create advertising profiles of students
• Use student data for non-educational commercial purposes

SOPIPA applies to the vendor, not to the school, which distinguishes it from FERPA. A vendor that violates SOPIPA faces enforcement by the California Attorney General. For California's broader data privacy framework, see our California Data Privacy Laws guide.

New York: Education Law 2-d

New York's Education Law § 2-d (enacted 2014, regulations finalized 2020) requires educational agencies to adopt data security and privacy policies, ensure that third-party contractors protect student data, and report data breaches within specified timeframes.

Key requirements include:

• Schools and districts must adopt a Parents' Bill of Rights for Data Privacy and Security
• Third-party contractors must adopt data security and privacy plans
• Unauthorized release of student data can result in penalties and contract termination
• The Chief Privacy Officer at the New York State Education Department oversees compliance

See New York Data Privacy Laws for additional context.

Colorado: Student Data Transparency and Security Act (SB 16-068)

Colorado's Student Data Transparency and Security Act (SB 16-068, 2016) requires schools to adopt data governance policies, restricts commercial use of student data by third-party service providers, and mandates transparency about what data is collected and how it is used.

Colorado's approach emphasizes data governance: schools must maintain a public list of all data elements collected and the third-party services that access student data.

Other State Laws

Multiple states have adopted versions of the Student Privacy Pledge, originally coordinated by the Future of Privacy Forum and the Software and Information Industry Association, which commits vendors to specific data use restrictions.

Illinois, Louisiana, Maryland, Oregon, and Virginia have all enacted student data privacy laws that impose obligations on ed-tech vendors, restrict commercial use of student data, and require breach notification. The Student Privacy Compass maintained by the Department of Education tracks state legislation.

How FERPA Connects to Recording Laws and Family Law

Recording policies in schools intersect with FERPA when recordings capture student education records. A parent recording an IEP meeting, a school recording a disciplinary hearing, or a security camera capturing student behavior all raise FERPA questions about who can access the resulting recordings and under what circumstances.

For state-specific recording laws that apply in school settings, explore our state recording law pages. For family law context covering custody, child support, and parental rights, see our United States Child Support Laws hub.

• California Child Support Laws
• New York Child Support Laws
• Colorado Child Support Laws
• Texas Child Support Laws

This article provides general legal information about FERPA and student data privacy. It does not constitute legal advice. Consult an attorney for advice specific to your situation.