FERPA
FERPA (Family Educational Rights and Privacy Act) is a federal law that protects the privacy of student education records and governs how vendors can access and use student data.
What Is FERPA?
FERPA (the Family Educational Rights and Privacy Act) is a federal law enacted in 1974 that protects the privacy of student education records. It applies to all educational institutions that receive federal funding, which is virtually every public K-12 school and university in the United States.
For EdTech vendors, FERPA is the foundational compliance requirement. Any product or service that accesses, stores, or processes student data must comply with FERPA. Non-compliance can result in the school district losing federal funding, making it a deal-breaking concern for procurement officers.
What FERPA Protects
FERPA protects "education records," which include any records directly related to a student that are maintained by the school or a party acting on its behalf. This includes:
- Personal identifiers: Name, address, date of birth, student ID number
- Academic records: Grades, transcripts, test scores, class schedules
- Behavioral records: Discipline records, attendance, counseling notes
- Special education records: IEPs, evaluations, accommodations
- Digital activity: When collected by school-provided technology or platforms
How FERPA Affects Vendors
FERPA allows schools to share student records with vendors under the "school official" exception, but only when:
- The vendor performs a service the school would otherwise use employees for
- The vendor is under the direct control of the school regarding use of education records
- The vendor does not share records with unauthorized third parties
- A Data Privacy Agreement is in place defining these terms
FERPA Compliance Checklist for Vendors
| Requirement | What to Do |
|---|---|
| Data minimization | Only collect student data necessary for the service |
| No secondary use | Do not use student data for advertising, profiling, or sale |
| Security controls | Encrypt data, control access, audit logs |
| Data retention | Delete or return data when the contract ends |
| Breach notification | Notify the district promptly if data is compromised |
| DPA execution | Sign the district's Data Privacy Agreement |
FERPA in the Sales Process
Districts will ask about FERPA compliance early in the evaluation process. Be prepared with:
- A FERPA compliance statement on your website and in your proposals
- Pre-signed DPA templates (many states have standardized forms)
- Security documentation (SOC 2, penetration testing results, data flow diagrams)
- Data governance policies describing how student data is collected, used, stored, and deleted
Frequently Asked Questions
What is FERPA?
FERPA is the Family Educational Rights and Privacy Act, a federal law that protects the privacy of student education records. It applies to all schools that receive federal funding and governs how student data can be shared with vendors.
Do EdTech vendors need to comply with FERPA?
Yes. Any vendor that accesses, stores, or processes student education records must comply with FERPA. Districts require vendors to sign Data Privacy Agreements and demonstrate compliance before sharing student data.
What happens if a vendor violates FERPA?
The school district can lose federal funding if it shares student data with a non-compliant vendor. Practically, this means districts will not work with vendors who cannot demonstrate FERPA compliance.
What is the FERPA school official exception?
FERPA allows schools to share records with vendors who qualify as "school officials" performing services the school would otherwise do itself, under the school's direct control, with a Data Privacy Agreement in place.
How do vendors demonstrate FERPA compliance?
Through FERPA compliance statements, pre-signed Data Privacy Agreements, SOC 2 certification, data governance documentation, and security controls including encryption, access controls, and breach notification procedures.

