Most edtech founders assume FERPA applies to schools, not to them. That assumption is wrong — and it's the kind of wrong that stalls procurement deals and exposes you to legal risk you didn't see coming.
If your product touches student data in any form, FERPA applies to you. Here's what it actually requires.
What FERPA is
FERPA — the Family Educational Rights and Privacy Act — is a US federal law that protects the privacy of student education records. It applies directly to schools and institutions that receive federal funding. It applies indirectly to any third-party vendor those schools share student data with.
That includes you.
When a school uses your edtech product, they're sharing education records with you under what's called the "school official exception." This exception allows schools to share student data with outside vendors — but only under specific conditions, and with strict expectations about how you handle that data.
What counts as an education record
This is where most edtech teams underestimate their exposure. Education records under FERPA aren't just grades and transcripts. They include any data that is directly related to a student and maintained by the school or a party acting on the school's behalf.
In practice, that means: grades, course schedules, attendance records, login timestamps, assessment scores, behavioral data, and anything else your product collects that can be linked back to a specific student.
If your product collects it and it's connected to an identifiable student — it's an education record.
What the school official exception requires from you
To legally receive student data from a school under FERPA, you need to meet three conditions:
1. You perform a service the school would otherwise handle with its own employees. Your product needs to serve an educational function — tutoring, assessment, learning management, and so on. You can't receive student data to build a general-purpose product that happens to be used in schools.
2. You operate under the school's direct control regarding how you use and maintain that data. The school defines the purpose for which you can use student data. You cannot repurpose it for your own analytics, advertising, product improvement, or any other use outside of what the school contracted you for.
3. You are subject to the same use and disclosure restrictions as the school itself. You cannot share student data with other parties without the school's authorization. That includes your own sub-processors — third-party services that touch student data need to be disclosed and contractually bound to the same standards.
What FERPA actually prohibits
The line you cannot cross: using student data for any commercial purpose outside of the educational service you were contracted to provide.
You cannot use student data to build user profiles. You cannot use it to target advertising. You cannot sell it. You cannot use it to train AI models without explicit authorization. You cannot share it with partners without the school's knowledge.
This isn't theoretical. The FTC took enforcement action against Illuminate Education after a breach affecting 10.1 million students — the company stored student data in plain text and delayed notifying districts. The reputational and financial cost was severe.
What you need to have in place
A Data Processing Agreement — before a school shares any student data with you, you need a signed DPA. This document defines what data you receive, how you use it, how long you retain it, and what happens in a breach. Without it, the school is not legally covered for sharing data with you and won't do it.
A data retention policy — FERPA doesn't specify exact retention periods but requires that you don't hold data longer than necessary. Define when you delete student data after a school relationship ends and put it in writing.
Access controls — only people at your company who need student data to perform the contracted service should have access to it. Document who has access and why.
A breach notification process — if student data is compromised, you need to notify the affected institution promptly. Have a written plan before you need it.
FAQ
Does FERPA apply to me if I'm not based in the US?
If you're selling to US schools that receive federal funding — yes. FERPA is tied to the school's federal funding status, not your company's location. If US schools are using your product, FERPA applies to how you handle their students' data.
What's the difference between FERPA and COPPA?
FERPA protects education records held by schools. COPPA protects personal data collected directly from children under 13 online. Both can apply to the same product at the same time. A separate post covers COPPA specifically.
Do I need a lawyer to become FERPA compliant?
For the DPA and your privacy policy — yes. These are legal documents that schools will review carefully. A lawyer who understands edtech and student privacy is worth the cost. For the technical and operational side — access controls, data handling, retention — you can implement those without legal help once you understand the requirements.
What happens if I violate FERPA?
FERPA enforcement runs through the US Department of Education, which can pull federal funding from institutions found to be in violation. As a vendor, your risk is losing school contracts, reputational damage, and in serious cases, FTC enforcement action if the violation also touches COPPA or consumer protection laws.