FERPA
Family Educational Rights and Privacy Act
- Statute: 20 U.S.C. § 1232g
- Regulations: 34 C.F.R. Part 99
- Enacted / Last Major Amendment: 1974 (amended multiple times)
- Jurisdictional Layer: Federal Baseline (federal)
Summary
The foundational federal student-records privacy statute. Defines 'education record,' 'personally identifiable information,' and governs how schools may disclose student data to third parties including vendors.
Key Terms
- Education record: Records directly related to a student and maintained by an educational agency or institution, or by a party acting on its behalf.
- Personally Identifiable Information (PII): Name, address, parent name, SSN, biometric record, plus any information linkable to a specific student.
- School official exception: Disclosure to a school official with legitimate educational interest is permitted without consent. Vendors can qualify under 34 C.F.R. § 99.31(a)(1)(i)(B).
- Directory information: Categories of PII (name, grade level) the school may disclose absent parent opt-out.
School-side obligations
- Designate a Records Officer
- Provide annual FERPA notice to parents and eligible students
- Maintain a record of PII disclosures (with limited exceptions)
- Permit parent inspection of records within 45 days of request
- Obtain written consent before disclosing PII (with limited exceptions)
- Train staff on FERPA compliance
Vendor-side obligations
- Qualify as 'school official' with 'legitimate educational interest' under § 99.31(a)(1)(i)(B)
- Be under the school's direct control with respect to use and maintenance of records
- Use student data only for the contracted educational purpose
- Comply with re-disclosure restrictions under § 99.33(a)
- Maintain the confidentiality requirements as if the vendor were the school itself
Breach notification
FERPA itself does not impose a breach-notification timeline. Disclosure restrictions are the operative compliance regime.
Enforcement
No private right of action (Gonzaga v. Doe, 536 U.S. 273 (2002)). Enforcement is by the U.S. Department of Education through investigation and, ultimately, withholding of federal funds. Enforcement is rare and remedial in practice.
NCSC AI Toolkit — Scanner Fields
These fields in the NCSC AI Toolkit derive from this statute:
- requires_school_official_designation_for_vendors
- requires_annual_ferpa_notice
- requires_records_disclosure_log
Case Law — Verified
Cases verified against vLex primary source. Citable.
- Owasso Independent School District v. Falvo, 534 U.S. 426 (2002) · U.S. Supreme Court
  Holding: Peer-graded student work is not an 'education record' under FERPA because such records are not 'maintained' by the school until they are collected and entered into the teacher's grade book. The Court read 'maintained' narrowly, finding peer grading does not violate FERPA.
  Why it matters: Limits the scope of what counts as a FERPA-protected record. Transient student work in classroom flow is not covered. Useful when arguing that vendor-handled ephemeral data (chat transcripts, draft responses) is not 'maintained' under FERPA.
  Verified 2026-05-21 via vLex Fastcase. PDF: 01-Federal-Baseline/Primary-Source-PDFs/Case-Law/Owasso-Isd-No-I-011-v-Falvo-886919768.pdf
- Gonzaga University v. Doe, 536 U.S. 273 (2002) · U.S. Supreme Court
  Holding: FERPA does not create individually enforceable rights under 42 U.S.C. § 1983. There is no private right of action under FERPA itself; enforcement lies exclusively with the U.S. Department of Education.
  Why it matters: Forecloses private suits to enforce FERPA. Practical compliance pressure comes from contract and reputational risk, not litigation. Vendor agreements that promise 'FERPA compliance' are not directly suable by parents under FERPA, though state-law and contract theories may apply.
  Verified 2026-05-21 via vLex Fastcase. PDF: 01-Federal-Baseline/Primary-Source-PDFs/Case-Law/Gonzaga-Univ-V-Doe-890305699.pdf
Open Questions / Unsettled Law
- AI-generated student profiles: when does an AI-generated profile become a FERPA education record?
- Biometric data: technically PII but enforcement guidance is thin
- Re-disclosure by vendor sub-processors: § 99.33 governs, but creative vendor structures are not directly addressed