FERPA Compliance Checklist for Schools and Universities (2026)
The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g) has been law since 1974. The core obligations have not changed much. What has changed is how schools handle data — cloud platforms, SIS integrations, EdTech apps — and that is where compliance breaks down.
Annual notification requirement
Under 34 CFR § 99.7, schools must notify parents (or eligible students at the postsecondary level) annually of their FERPA rights. The notification must explain the right to inspect and review education records, the right to request amendment, the right to consent to disclosures, and the right to file a complaint with the Department of Education.
There is no required format. Most schools include the notice in a student handbook, enrollment packet, or back-to-school mailing. What matters is that it goes out every year and covers all four rights. Posting it only on a website is risky — the Department of Education has not confirmed that web-only notification satisfies the requirement for K-12.
Directory information opt-out
If your school designates any information as "directory information" under 34 CFR § 99.37, you must give parents or eligible students a reasonable period to opt out of its disclosure. Directory information typically includes name, address, phone number, dates of attendance, grade level, and participation in activities.
Common mistakes: not defining what your institution considers directory information in your annual notice, not providing a clear opt-out mechanism, and continuing to disclose information for students who have opted out. Yearbook photos, honor roll listings in local newspapers, and graduation programs all count as disclosures.
Access and amendment requests
Parents and eligible students have the right to inspect and review education records within 45 days of a request (34 CFR § 99.10). You need a documented procedure for handling these requests — who receives them, how they are tracked, and how records are made available. If a parent requests amendment of a record they believe is inaccurate, you must respond. If you decline, the parent has the right to a hearing under 34 CFR § 99.21-22.
Consent before disclosure
FERPA requires prior written consent before disclosing personally identifiable information from education records, with specific exceptions listed in 34 CFR § 99.31. The consent must specify the records to be disclosed, the purpose, and the party receiving them.
The exceptions that matter most in daily operations: the school official exception (staff with legitimate educational interest), the transfer exception (sending records to a school where the student is enrolling), and the health or safety emergency exception. Each has conditions. The school official exception, in particular, is the basis for most EdTech vendor arrangements — and it requires a contract with specific terms.
Vendor agreements
Every platform that accesses student education records needs a contract or agreement that satisfies 34 CFR § 99.31(a)(1)(i)(B). The vendor must be under the direct control of the institution, use records only for the purposes specified, and meet the same conditions governing use and redisclosure that apply to other school officials.
This is where many educational institutions fall behind. Teachers sign up for free apps, paste student data into AI tools, or share rosters via personal cloud accounts. Without a compliant agreement in place, each of these is an unauthorized disclosure.
Staff training
FERPA does not explicitly require training, but the Department of Education expects institutions to have safeguards in place to protect education records. Training is the most basic safeguard. Staff should understand what constitutes an education record, when they can and cannot share student information, and how to handle requests from parents, law enforcement, and other schools.
Focus training on the situations that actually cause problems: responding to phone calls from divorced parents (both have rights unless there is a court order), handling subpoenas (you must make a reasonable effort to notify the parent or student before complying under 34 CFR § 99.31(a)(9)), and using technology platforms without approved agreements.
Records retention
FERPA itself does not set retention periods, but 34 CFR § 99.32 requires schools to maintain a record of each disclosure for as long as the education records are maintained. State laws typically set the actual retention schedules, and they vary widely. Check your state's records retention schedule and make sure your EdTech vendor contracts include provisions for the deletion or return of data.
Putting it together
BlackSheep's FERPA compliance tools help schools track each of these obligations: annual notices, vendor agreements, access request logs, and training completion. The goal is documentation that holds up when the Department of Education comes asking — not a binder that sits on a shelf.