The Family Educational Rights and Privacy Act (FERPA) is the primary federal law protecting the privacy of student education records in the United States. Whether you are a parent of a school-age child or a college student managing your own records, FERPA gives you specific rights over how schools collect, store, and share your personal information. With massive education-sector data breaches making headlines in 2026, understanding these rights has never been more important.
What Is FERPA?
FERPA is a federal law enacted in 1974 that applies to all educational institutions receiving federal funding — which includes virtually every public school, school district, and college or university in the country. The law gives parents and eligible students (those 18 or older, or enrolled in postsecondary education) the right to:
- Access and review education records within 45 days of a request
- Request amendments to inaccurate or misleading records
- Control disclosure of personally identifiable information from education records
- Opt out of directory information sharing
Schools that violate FERPA risk losing all federal funding, including Title I grants, IDEA funding, Pell Grants, federal student loans, and federal research grants.
What Records Does FERPA Protect?
FERPA covers "education records" — any records that contain information directly related to a student and are maintained by an educational institution. This includes:
- Grades, transcripts, and standardized test scores
- Student contact information and emergency contacts
- Disciplinary records
- Special education and disability accommodation records
- Mental health and counseling records maintained by the school
- Financial aid applications and records
- Enrollment and attendance data
What FERPA does not cover
FERPA does not protect records made by school officials for personal use (sole possession records), law enforcement unit records, employment records (unless employment is based on student status), or medical records maintained by a school's health clinic that are covered under HIPAA instead.
When Do Rights Transfer From Parents to Students?
Under FERPA, parents hold privacy rights over their child's education records until the student turns 18 or enrolls in a postsecondary institution at any age. At that point, the student becomes an "eligible student" and gains full control over their records. Parents of college students do not have automatic access to grades, disciplinary records, or financial information unless the student provides written consent.
Directory Information: The Opt-Out You Need to Know About
Schools are allowed to share certain "directory information" without consent, including:
- Student name
- Address and phone number
- Date and place of birth
- Dates of attendance and enrollment status
- Degrees and honors received
- Most recent school attended
- Participation in officially recognized activities and sports
This is the information that ends up in school directories, alumni lists, and even data broker databases. However, FERPA requires schools to give parents and eligible students an annual opportunity to opt out of directory information sharing.
Always opt out of directory information
If privacy is important to you, opt out of directory information sharing at the start of every school year. This is one of the most common ways student personal information leaks into public databases and data broker networks.
Skip the manual opt-outs
One opt-out won't stop them — brokers relist your data. PrivacyOn removes your info from 100+ sites and keeps it removed.
Start your free scanHow to Exercise Your FERPA Rights
Requesting Access to Records
Submit a written request to your school's registrar or records office specifying which records you want to review. The school must respond within 45 days. They cannot charge a fee just to inspect the records, though they may charge for copies.
Requesting Amendments
If you find inaccurate, misleading, or privacy-violating information in education records, submit a written request for amendment to the school. If the school refuses, you have the right to a formal hearing. If the school still refuses after the hearing, you can place a statement in the record explaining your objection.
Filing a Complaint
If you believe a school has violated FERPA, you can file a complaint with the U.S. Department of Education's Student Privacy Policy Office. Complaints must be filed within 180 days of the alleged violation. The Department investigates and can require corrective action from the school.
FERPA in the Age of EdTech and Data Breaches
Modern schools use dozens of technology platforms — learning management systems, student information systems, assessment tools, and communication apps. Under FERPA, schools can share student data with these third-party service providers under the "school official" exception, as long as the provider is performing a service the school would otherwise perform and has been designated as a school official with a "legitimate educational interest."
The problem is that these third-party vendors become targets for hackers. The 2026 breach of Canvas by Instructure, which exposed records of over 30 million students and staff across thousands of institutions, is a stark example. Schools remain responsible for ensuring that their technology partners maintain adequate security, but enforcement has been uneven.
To protect your child's education data, ask your school:
- Which third-party platforms have access to student records?
- What data security standards do those vendors meet?
- How is student data handled when a vendor contract ends?
FERPA vs. Other Privacy Laws
FERPA is not the only law protecting students. Here is how it relates to other key regulations:
- COPPA (Children's Online Privacy Protection Act): Protects children under 13 in online contexts. FERPA and COPPA can overlap when schools direct students to use online tools.
- State privacy laws: Many states have enacted student privacy laws that go beyond FERPA. California's Student Online Personal Information Protection Act (SOPIPA), for example, restricts how edtech companies can use student data.
- HIPAA: Generally does not apply to school health records, which are covered by FERPA instead. However, records at a university health clinic treating non-students may fall under HIPAA.
Frequently Asked Questions
Does FERPA apply to private schools?
FERPA applies to schools that receive federal funding. Most private K–12 schools do not receive direct federal funding and therefore are not subject to FERPA. However, virtually all colleges and universities — including private ones — participate in federal financial aid programs and must comply.
Can my school share records with the police?
FERPA permits disclosure without consent in response to a lawfully issued subpoena or court order, and in health or safety emergencies. Schools must generally attempt to notify the parent or eligible student before complying with a subpoena.
Does FERPA protect homeschool students?
Generally no, because homeschools do not typically receive federal funding. However, if a homeschooled student takes classes at a public school or participates in federally funded programs, those specific records are protected.
Protect Your Student Data Beyond FERPA
FERPA sets important baselines, but it cannot prevent every data exposure. Student information frequently ends up on data broker sites through directory sharing, public records, and breaches of edtech platforms. PrivacyOn monitors 100+ data broker sites and removes personal information — for the whole family, with plans covering up to 5 people. Combined with FERPA opt-outs and good digital hygiene, PrivacyOn helps keep your family's information off the internet.