FERPA is the federal statute protecting the privacy of student education records (20 U.S.C. §1232g). It grants parents and eligible students (18+) rights to inspect, amend, and control disclosure of education records.

What is directory information under FERPA?

Directory information is data in an education record that would not generally be considered harmful or an invasion of privacy if disclosed — such as name, address, grade level, and participation in activities. Schools must notify parents of what they designate as directory information and allow opt-out.

Privacy Law

FERPA — Family Educational Rights and Privacy Act

Q: Who enforces FERPA?

The U.S. Department of Education Student Privacy Policy Office (SPPO). FERPA does not create a private right of action (Gonzaga Univ. v. Doe, 536 U.S. 273 (2002)); remedies are limited to ED enforcement including potential loss of federal funds.

FERPA (20 U.S.C. §1232g; 34 CFR Part 99) is the federal statute protecting the privacy of student education records. It applies to every educational institution that receives federal funds and grants parents (and students age 18+ — "eligible students") rights to inspect, request amendment of, and control the disclosure of personally identifiable information from education records. Districts must maintain a record of disclosures (34 CFR §99.32) and provide annual notice of rights (§99.7). FERPA does not create a private right of action (Gonzaga Univ. v. Doe, 536 U.S. 273 (2002)).

Who does FERPA apply to?

FERPA applies to any educational agency or institution that receives federal funds under any program administered by the U.S. Secretary of Education. In K-12, this includes virtually every public school and most private schools. It does not apply to non-recipient institutions. Rights transfer from parent to student at age 18 or upon enrollment in a postsecondary institution (the "eligible student").

What rights does FERPA grant?

Inspect and review education records within 45 days of request (§99.10).
Request amendment of records believed to be inaccurate or misleading (§99.20).
Consent to disclosure of personally identifiable information, with exceptions (§99.30-§99.31).
File complaint with the U.S. Department of Education Student Privacy Policy Office (§99.63).
Receive annual notice of FERPA rights in a form reasonably likely to reach parents (§99.7).

Disclosure without consent — key exceptions

Section 99.31 permits disclosure without parental consent in defined circumstances: school officials with legitimate educational interest; other schools to which a student transfers; specified auditors; in connection with financial aid; accrediting organizations; to comply with a judicial order; appropriate officials in health and safety emergencies; state and local authorities under juvenile-justice systems specified by state statute; and directory information (for which districts must give annual notice and opt-out opportunity).

Key Deadlines

45 days from request — provide access to inspect records (§99.10(b)).
Annually — deliver FERPA rights notice (§99.7).
Upon each disclosure — update the record-of-disclosures log (§99.32).

Penalties for Non-Compliance

The sole federal remedy for FERPA violations is U.S. Department of Education enforcement, which in extreme cases can include withdrawal of federal funds (20 U.S.C. §1232g(f)). In practice, ED typically works with institutions to resolve violations through corrective action plans. There is no private right of action under FERPA (Gonzaga Univ. v. Doe, 536 U.S. 273 (2002)); state tort or contract claims may still be available depending on jurisdiction.

How IncluShift supports FERPA compliance

IncluShift's architecture is designed for FERPA alignment: students are identified by UUID only (zero direct PII in telemetry), the data_access_audit_log table is append-only to support §99.32 disclosure records, an annual ferpa_notifications table tracks delivery of §99.7 notices, and FERPA-aligned RBAC (role-based access control) limits disclosures to school officials with legitimate educational interest. Supporting peer-reviewed architecture: Zeide (2019, Big Data & Society 6(1)). See Privacy Policy.

Official Sources

studentprivacy.ed.gov — ED Student Privacy Policy Office
34 CFR Part 99 (eCFR)

COPPA 2025 IDEA Part B FERPA (glossary) COPPA

Educational information, not legal advice. Consult a qualified attorney for FERPA compliance guidance.