Family Educational Rights
and Privacy Act
FERPA is a landmark federal law that grants students and parents specific rights regarding educational records maintained by schools that receive federal funding.
Formally known as the Family Educational Rights and Privacy Act and also called the Buckley Amendment — named after its sponsor, Senator James Buckley of New York — FERPA was signed into law by President Gerald Ford on August 21, 1974. It is codified at 20 U.S.C. § 1232g, with implementing regulations published at 34 C.F.R. Part 99.
The law applies to all educational agencies and institutions that receive federal funding through any program administered by the U.S. Department of Education. This encompasses virtually every public school district, elementary and secondary school, and college or university in the United States.
FERPA establishes two principal pillars: the right of eligible students and parents to inspect and review educational records, and the right to have those records protected from unauthorized disclosure. Eligible students (those 18 or older, or attending postsecondary institutions) hold these rights themselves; parents hold them for students under 18 in elementary and secondary schools.
The Office of the Family Policy Compliance Office (FPCO), a unit of the U.S. Department of Education, is responsible for investigating complaints and providing technical assistance to schools regarding FERPA compliance.
Students and eligible parents have the right to inspect and review the student's education records maintained by the school. Schools must comply with requests within 45 days and must provide copies if the student cannot physically review records in person.
Students and parents have the right to request amendments to records believed to be inaccurate, misleading, or in violation of the student's privacy rights. If the school declines, it must inform the family of the right to a formal hearing.
Students and parents generally must provide written consent before a school discloses personally identifiable information from education records to third parties. This is the cornerstone of FERPA's privacy protection, subject to specific enumerated exceptions.
Eligible students and parents have the right to file a complaint with the U.S. Department of Education's Family Policy Compliance Office concerning alleged violations by the institution. Complaints must be filed within 180 days of the alleged violation.
Schools must provide annual notification to students and parents of their FERPA rights. This notification need not be sent individually but must be effectively communicated — via student handbook, course catalog, or the institution's website.
Students have the right to opt out of the disclosure of directory information — such as name, address, and phone number — to third parties. Schools must give students a reasonable time to exercise this opt-out right before disclosing such information.
Senator James Buckley of New York champions the legislation as an amendment to the Elementary and Secondary Education Act. President Gerald Ford signs it on August 21, 1974, responding to concerns about schools sharing student records with law enforcement, employers, and the government without parental knowledge.
The Department of Health, Education, and Welfare issues first implementing regulations. Congress amends the law multiple times in the late 1970s to clarify definitions of "education records," "directory information," and "legitimate educational interest." The newly formed Department of Education assumes enforcement authority in 1980.
Congress adds provisions clarifying when records can be shared with state and local educational authorities for audit and evaluation purposes. The amendment establishes formal requirements around written agreements, data security, and data destruction for state-authorized representatives accessing student data.
Following September 11, the USA PATRIOT Act adds a new exception allowing educational institutions to disclose records to the Attorney General (or designee) in connection with terrorism investigations, without consent and without prior judicial order under certain circumstances.
The Higher Education Opportunity Act significantly broadens the health or safety emergency exception, allowing schools to disclose PII when there is an articulable and significant threat. This change was heavily influenced by the 2007 Virginia Tech shooting and the perception that FERPA inhibited information sharing.
The Department of Education issues guidance on cloud computing, learning analytics, and ed-tech vendors. 2011 regulations expand the "school official" exception to cover contractors and service providers acting on behalf of the institution. Post-COVID guidance addresses FERPA in remote-learning environments and the use of video in virtual classrooms.
FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. Any school participating in federal student financial aid programs — including Title IV — is covered.
All public K–12 elementary schools receiving federal funds are covered. The parent holds FERPA rights until the student reaches age 18.
Public middle and high schools with federal funding are fully subject to FERPA's requirements, including annual notification obligations.
All public and private degree-granting institutions participating in federal student aid programs. Rights transfer entirely to the student at the postsecondary level.
Trade schools, technical institutes, and career colleges that accept any federal funding (Pell Grants, federal loans) are subject to FERPA.
State-level education agencies that collect and maintain education records on students are independently covered and must comply with FERPA's requirements.
School districts and their administrative offices, as recipients of federal funding, are covered educational agencies subject to FERPA's full requirements.
Under FERPA, "education records" are records, files, documents, and other materials that (1) contain information directly related to a student, and (2) are maintained by an educational agency or institution, or by a party acting on its behalf. The definition is deliberately broad.
FERPA allows disclosure of education records without prior consent in 14 specific circumstances enumerated in 34 C.F.R. § 99.31. These are narrowly construed exceptions that institutions must apply carefully.
Disclosure to school officials with a legitimate educational interest, including contractors and volunteers acting on behalf of the institution under direct control.
To officials of another school in which the student seeks or intends to enroll, subject to the student receiving notice if the sending school has a policy of doing so.
Federal and state educational authorities conducting audits, evaluations, or enforcing federal legal requirements relating to education programs.
Necessary for determining eligibility, amount, conditions, or enforcing terms and conditions of financial aid received by the student.
Pursuant to a lawfully issued court order or subpoena. The institution must make a reasonable effort to notify the student before complying unless the order prohibits notification.
In connection with an articulable and significant threat to the health or safety of the student or others. Requires case-by-case determination and documentation.
Designated directory information may be disclosed without consent, provided the institution has given annual notice and a reasonable opportunity to opt out.
Disclosure to an alleged victim of a crime of violence or non-forcible sex offense of the results of any disciplinary hearing conducted against the alleged perpetrator.
Information provided under the Jacob Wetterling Act concerning registered sex offenders may be disclosed regardless of whether the person is a student.
Directory information is a category of PII from education records that FERPA permits schools to disclose without prior written consent — provided the institution has given proper annual notice and a reasonable opportunity to opt out. Each school determines which categories it designates as directory information and must publish that designation annually.
Withdrawal of all federal education funding administered by the U.S. Department of Education
FERPA does not create a private right of action. Individuals cannot sue a school directly under FERPA for damages (per Gonzaga University v. Doe, 534 U.S. 273, 2002). The sole enforcement mechanism is the potential loss of federal funding — a significant deterrent given that most schools depend heavily on federal financial aid and grant programs.
All formal complaints must be filed with the FPCO within 180 days of the alleged violation or 180 days of when the complainant knew or should have known of the violation.
An eligible student or parent files a written complaint with the Family Policy Compliance Office within 180 days of the alleged violation, stating the specific facts and circumstances.
The FPCO notifies the institution and requests a written response. It reviews records, correspondence, and institutional policies to determine whether a violation occurred.
If no violation is found, the complaint is closed. If a violation is found, the FPCO issues written findings and provides the institution an opportunity to voluntarily comply.
If the institution fails to comply voluntarily, the FPCO may refer the matter to the Secretary of Education for enforcement proceedings, potentially leading to termination of federal funding.
| Obligation | Type | Frequency | Details |
|---|---|---|---|
| Annual Notification | Required | Annually | Inform students/parents of FERPA rights. Must be effective notice — mailing, email, or handbook inclusion all acceptable. |
| Record Inspection Response | Required | Within 45 days | Must provide access to records within 45 days of a legitimate request. Must provide copies if in-person access is not feasible. |
| Directory Information Notice | Required | Annually | If disclosing directory info, must notify students annually of what is designated and allow opt-out prior to disclosure. |
| Written Consent Process | Required | Per disclosure | Must obtain signed written consent before releasing PII that does not fall under an enumerated exception. |
| Disclosure Log | Required | Ongoing | Must maintain a record of each request for access and each disclosure of PII from student education records (with exceptions for school officials and certain others). |
| Amendment Hearing Procedures | Required | On request | Must establish procedures for students/parents to request amendments and provide hearings if the initial request is denied. |
| Written Agreements with Third Parties | Required | Per arrangement | When disclosing under state/federal authority exception or for legitimate educational interests, must have written agreements specifying use limitations, security requirements, and data destruction schedules. |
| Policy Publication | Best Practice | Ongoing | Maintain a published, publicly accessible FERPA policy that describes all institutional practices regarding education records. |
| Staff Training | Best Practice | Regularly | Regular training of all staff who handle education records on FERPA requirements, exceptions, and internal procedures. |
Collect only the student data necessary for legitimate educational purposes. Avoid retaining records beyond their necessary lifespan and establish clear data retention and destruction schedules.
Don't rely on a single notice buried in fine print. Distribute FERPA rights information through multiple channels — student portals, email, handbooks — and confirm receipt where possible.
Create mandatory FERPA training for all employees with access to education records. Include scenario-based exercises covering the 14 exceptions and directory information opt-outs.
Review all contracts with ed-tech vendors and service providers to ensure FERPA-compliant language, limited data use, adequate security requirements, and data destruction provisions.
Keep thorough, accurate logs of all education record disclosures including the date, recipient, legitimate interest claimed, and records disclosed. Logs must be maintained as part of the education record.
Develop clear institutional protocols for the health and safety emergency exception. Document the specific threat and decision-making process for each invocation. Retroactive justification is insufficient under FERPA.
Conduct periodic audits of all systems maintaining student data — SIS, LMS, email archives, cloud applications — to identify potential FERPA exposure and map data flows across the institution.
Involve institutional legal counsel in all non-routine FERPA decisions, particularly subpoenas, court orders, law enforcement requests, and disclosures in the context of disciplinary proceedings.
Establish institution-wide digital privacy policies that address FERPA compliance in the context of online learning, video recordings, discussion boards, and student use of third-party platforms integrated into LMS.