Lesson 09 of 25

Education Privacy: FERPA and Student Data

5 min read · CIPP/US

FERPA's funded-school scope, education records versus carve-outs, the consent default and its exceptions, and the directory-information and ed-tech traps where COPPA and PPRA also enter the picture.

FERPA: who and what it protects

  • Applies to schools receiving U.S. Dept. of Education funds
  • Protects "education records" of students
  • Rights held by parents — transfer to the student at 18 / postsecondary
  • Enforced by the Dept. of Education (funding leverage)

Education privacy centers on FERPA, the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g. It applies to schools and school districts that receive funding from the U.S. Department of Education, which is nearly all public schools and many private colleges. FERPA protects education records, the records directly related to a student that the school maintains. A key, frequently tested point is who holds the rights: for K-12 students they belong to the parents, but they transfer to the student when the student turns eighteen or enrolls in a postsecondary institution, at which point that student is an eligible student.

FERPA has no private lawsuit; the Department enforces it through its funding leverage, the threat of withholding federal money.

Education records vs. exceptions

  • Education records = maintained by the school, tied to a student
  • Excludes sole-possession notes, law-enforcement unit records
  • Directory information may be disclosed unless opted out
  • Examples: name, address, honors, enrollment dates

Not everything at a school is an education record, and the exam tests the line. Education records are those maintained by the institution and directly tied to a student. Excluded are a teacher's sole-possession notes kept only as a personal memory aid, records of the school's law-enforcement unit, and certain employment and treatment records.

The most-tested carve-out is directory information: basic items like a student's name, address, enrollment dates, and honors that a school may designate and disclose without consent, unless the parent or eligible student has opted out after notice. So a question that asks whether a school can publish the honor roll usually turns on whether that's properly designated directory information and whether anyone opted out.

Consent and the disclosure exceptions

  • Default: written consent to disclose education records
  • School-official exception (legitimate educational interest)
  • Other exceptions: transfer schools, health/safety emergencies, audits
  • Re-disclosure limits follow the data

The default rule is that a school needs written consent to disclose personally identifiable information from education records. But FERPA has a set of exceptions the exam loves to test. The biggest is the school-official exception: the school may share records internally with officials, including contractors acting as officials, who have a legitimate educational interest.

Others include disclosure to a school the student is transferring to, to comply with a judicial order or subpoena with notice, in a health or safety emergency, and for certain audits and studies. Re-disclosure is also restricted: a recipient under an exception generally can't pass the data on freely. So map the scenario to a named exception; if none fits, you need consent.

Ed-tech: where COPPA and PPRA enter

  • Schools using online tools rely on the school-official exception
  • COPPA covers operators of child-directed online services (under 13)
  • Schools may consent on parents' behalf for educational use
  • PPRA governs surveys probing sensitive topics

Modern education runs on ed-tech, and that pulls two more laws in. When a school uses an online learning tool, it typically relies on the school-official exception so the vendor can process student records, with a contract controlling the vendor's use. Layered on top is COPPA, which we'll cover next lecture: it governs operators of online services directed to children under thirteen and normally requires verifiable parental consent, but in the school context, the school can provide that consent on the parents' behalf for educational purposes.

Also watch the Protection of Pupil Rights Amendment, PPRA, which gives parents rights over surveys that probe sensitive topics like political beliefs or family income. So an ed-tech scenario may blend FERPA, COPPA, and PPRA at once.

Enforcement, vendors, and state student-data laws

  • No private lawsuit — Dept. of Education enforces via funding
  • Ed-tech vendors bound by contract under the school-official exception
  • Many states add their own student-data-privacy laws
  • Those state laws often restrict commercial use of student data

Two practical points round out education privacy. First, enforcement: FERPA has no private right of action, so a student or parent can't sue the school for damages. Instead, the Department of Education enforces it, and its ultimate lever is the power to withhold federal funding, which in practice means schools take compliance seriously even without lawsuits.

Second, the modern reality of ed-tech and state law. When a school uses an online vendor under the school-official exception, the vendor must be bound by contract to use the data only for the school's purposes and not for its own commercial gain. And many states have layered their own student-data-privacy laws on top of FERPA, often going further by flatly prohibiting ed-tech companies from selling student data or using it for targeted advertising.

So a complete answer to a student-data question may involve FERPA, COPPA, and a state student-privacy law all at once.

Exam reasoning: the FERPA path

  • Is the actor a funded school? If no, FERPA is out
  • Is it an education record (not a carve-out)?
  • Disclosure: consent, or a named exception (school official)?
  • Distractor: directory info needs consent (it doesn't, absent opt-out)

Let's make FERPA a decision path. First, is the actor a school that receives Department of Education funding? If not, FERPA doesn't apply.

Second, is the information from an education record, or is it a carve-out like sole-possession notes? Third, for a disclosure, do you have consent, or does a named exception cover it, most often the school-official exception with a legitimate educational interest? A favorite distractor claims a school needs consent to publish directory information. It doesn't, as long as the item was designated directory information and the family didn't opt out.

Another forgets that the rights transfer at eighteen or at college enrollment, so a college can't simply hand records to a parent. Recap: funded school, education record, consent-or-exception, with directory and ed-tech as the trap zones. Now go test yourself, then on to children's online privacy.

Sources

  • Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g; 34 CFR Part 99)
  • Protection of Pupil Rights Amendment (PPRA, 20 U.S.C. § 1232h)
  • Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501)
  • U.S. Department of Education guidance
  • IAPP CIPP/US Body of Knowledge, Domain II.D (Education)
