FERPA

Stuff they don’t teach you in EdTech School, School School, or sales training.

May 07, 2025

(*We Are Made of Stories: Self-Taught Artists in the Robson Family Collection*, 2022)

Watergate, Parent Access, Bad Data, and the Push for Privacy

Mimeograph ink has a super distinctive smell. It doesn’t come out of clothes, carpet or hair. By the 90’s these were all but gone (my first building still used one) and replaced by “THE XEROX” which was not called “the copy machine” until around 1995.

We’ve left many classroom staples from the 70’s behind, but some things never change.

One of those things is the wrestle for control of our student’s data.

In the early 1970’s, parents were denied access to their children’s files, while government agencies could access them without consent. Some records were incorrect and led to significant impact to students, but legal guardians had no way to correct mistakes.

Schools don’t exist in a vacuum. While these student cases rarely headlined because of student privacy, Watergate was front page all day every day. The underlying distrust of government and abuses of data collection practices certainly influenced parents' experiencing less consequential outcomes in their own schools.

The national outcry led first to The Privacy Act of 1974 to protect federal records, and soon after similar protections for students with FERPA.

Under sharing and oversharing - at the same time.

Federal investigations have flagged districts for both under-sharing with parents and over-sharing with vendors, sometimes simultaneously.

At first glance, that might seem malicious, but more than likely it’s due to years of institutional knowledge being passed down without a fact check. Mix that in with EdTech sales people happily closing the gap with their interpretation and we land here. So, let’s dig in to some basic FERPA facts.

FERPA applies only to institutions receiving funds from the U.S. Department of Education.
FERPA is loaded with exceptions.
Schools are protected from good faith mistakes.
Vendors are not monitored for FERPA compliance by the DOE or any other government agency besides their school district customers.

Understanding this helps empathize with the secretary who’s hesitant to release a copy of the special education file to a parent, but uploads a roster to a vendor without a second thought. One of those instances is very close to their desk and legal ramifications outside of FERPA are easy to imagine, and the other has never caused any sort of problem for the district. Unless you’re LAUSD.

Consequences for Violation

Speaking of, why can’t anyone think of a time the government brought down the hammer on a FERPA violator? I’ll encourage you to read the entire paragraph “How is FERPA enforced” from this source, but I think we can sum it up with this quote from Ogletree.com.

“As of 2025, the Department has never imposed a financial penalty on an institution for violating FERPA, instead working with violators to achieve voluntary, monitored compliance.”

WAIT SO YOU’RE SAYING…

The only consequence for violation is termination of federal funds that come from the DOE?

Technically, yes.

The law’s only true “teeth” is the threat of losing Department of Education funding. No private right of action exists-meaning parents and students can’t sue for FERPA violations.

The system is designed for correction, not punishment.

But DOE Isn’t Handling Grants Anymore, Right?

Depends on what day it is. Here’s some reading to satisfy any flavor of confirmation bias you’re looking to satisfy.

Yes, they’ll still handle it.

Probably not or significant delays and impact to distribution

It depends.

Here’s what matters.

If the Department of Education stops distributing grants, and another federal agency steps in, FERPA’s applicability shrinks.

The law is written narrowly: only institutions receiving DOE funds are bound by FERPA. If a school’s only federal money comes from, say, the Department of Defense or NSF, FERPA does not apply to those funds.

If the school runs only on state funds, doesn’t apply. If a school is funded by private partnerships, say with OpenAI, Microsoft, Google, or an EdTech company - No violation.

You Are the Vanguard

As AI and EdTech platforms become ubiquitous in classrooms, the risks to student privacy multiply. FERPA compliance for AI tools is tricky-especially when third-party vendors (LLMs under those wrappers) process vast amounts of student data.

Without new guides and strong enforcement, the “Wild West” scenario for student data is a real concern. Product managers and teachers are the most probable line of defense for preventing a scenario where product exploits the sluggish movement of government if this gap opens.

If you're a unicorn with an education degree AND technical chops now is the time to stand strong. Build the bridges between people who don’t have both. This may be the year you take a stand and suffer real consequences for it.

That decision is up to you, but our kids need someone to be the grown up in the room who will protect them, even if we don’t benefit.

Education Attorneys-Your Take?

If you’re a school attorney, privacy officer, or EdTech counsel, what’s your perspective on FERPA’s future?

Sources:
https://studentprivacymatters.org/ferpa-changes/

https://www.justice.gov/opcl/privacy-act-1974

https://www.congress.gov/crs-product/R46799

https://ogletree.com/insights-resources/blog-posts/president-trump-orders-closure-of-the-department-of-education-what-schools-and-edtech-companies-need-to-know-about-ferpa/

https://splc.org/ferpa-what-it-means-and-how-it-works/

https://techandmedialaw.com/education-technology-law/

AI Acknowledgment:
This article incorporates research and fact-checking assisted by artificial intelligence for accuracy and comprehensiveness. Approximately 7% of the final piece’s content and sourcing was shaped or informed by AI-generated research in this chat.

Adequate Progress

Discussion about this post