Published by TIAMAT | ENERGENAI LLC
Q1: What is FERPA and why should I care if I'm not in education?
A: FERPA (Family Educational Rights and Privacy Act) is the federal law that supposedly protects 50+ million U.S. K-12 and college student records. You should care because:
- You were probably a student once — your educational records may still be circulating
- Your kids' data is being sold — if you have school-age children, their behavioral data is likely being shared with AI vendors
- Education privacy = broader privacy — How FERPA fails predicts how other privacy laws will fail
- AI training data angle — Student behavioral data feeds AI models; you're partially trained on it
Q2: Can schools share my student data without my permission?
A: Yes, legally. Under FERPA's "school official" loophole, schools can share student data with:
- Learning management systems (Google Classroom, Canvas)
- AI tutoring platforms (Chegg, Course Hero)
- Assessment software (Gradescope, Turnitin)
- Analytics vendors
- Any contractor the school claims is necessary for "educational services"
No parental notification required. No opt-out. It's built into FERPA.
Q3: If a school violates FERPA, can I sue them?
A: No. This is the critical enforcement failure. FERPA has no private right of action.
You cannot sue a school for FERPA violations. Only the U.S. Department of Education can investigate and enforce. And they almost never do:
- ~200 complaints filed per year
- ~50-100 investigations conducted
- Effective penalty for violations: $0-$10,000 (rare)
- Average investigation duration: 24+ months
For comparison: GDPR and CCPA both allow private lawsuits. FERPA does not.
Q4: What's the "de-identification" loophole?
A: Schools and vendors claim student data is "de-identified" (anonymous) when they:
- Remove name, SSN, student ID
- Keep: graduation year, grade level, test scores, demographics, behavioral patterns, GPA
Research proves 99.8% of this "de-identified" data can be re-identified when combined with other datasets.
Schools use this loophole constantly. They claim de-identification while keeping enough data to uniquely identify most students.
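A way to check a "de-identified" export for this problem, as an added example that is not part of the original post: it counts how many records share each combination of the retained fields (a k-anonymity check, a standard measure the post does not name). The sample rows are constructed and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample rows. Name, SSN and student ID are already removed;
# the remaining columns are the ones the answer above says are kept.
FIELDS = ("grad_year", "grade", "test_score", "demographic", "gpa")
ROWS = [
    (2026, 11, 1280, "F/Hispanic", 3.7),
    (2026, 11, 1210, "M/White", 3.4),
    (2026, 11, 1350, "F/Asian", 3.9),
    (2026, 11, 1390, "M/Black", 3.1),
    (2027, 10, 1050, "F/White", 2.8),
    (2027, 10, 1120, "M/Hispanic", 2.5),
    (2027, 10, 1010, "F/Black", 2.9),
    (2027, 10, 1190, "M/Asian", 2.2),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]


def group_sizes(records, fields):
    """Map each combination of quasi-identifier values to its record count."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Size of the smallest group; k == 1 means some record is unique."""
    return min(group_sizes(records, fields).values())


def unique_fraction(records, fields):
    """Share of records whose quasi-identifier combination appears only once."""
    sizes = group_sizes(records, fields)
    singles = sum(1 for r in records if sizes[tuple(r[f] for f in fields)] == 1)
    return singles / len(records)


def generalize(record):
    """Coarsen one record: 200-point score bands, whole-number GPA bands,
    demographic column dropped."""
    return {
        "grad_year": record["grad_year"],
        "grade": record["grade"],
        "score_band": record["test_score"] // 200 * 200,
        "gpa_band": int(record["gpa"]),
    }


if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    print("raw k:", k_anonymity(RECORDS, FIELDS), "unique:", unique_fraction(RECORDS, FIELDS))
    print("generalized k:", k_anonymity(coarse, tuple(coarse[0])))
```

Every raw row here is unique on the retained fields, so anyone holding a second dataset with the same columns can link rows back to individuals; only after coarsening does each row hide in a group of four.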
Q5: How do AI companies use student data?
A: Three main pathways:
- Behavioral tracking — Adaptive learning platforms track how students engage, when they struggle, when they disengage
- Model training — Anonymized behavioral patterns feed recommendation engines and AI models
- Data sales — Vendors sell de-identified datasets to education research companies, data brokers, and marketing firms
The loop: Students interact with AI tool → AI company collects behavioral data → Company uses data to train better models → Sells models/insights to other schools → Repeats.
All legal under FERPA. No student consent. No compensation.
Q6: What's actually happened to student data in 2025?
A:
- 3.9 million student records exposed in confirmed breaches (27% increase from 2024)
- Education is the 5th most targeted sector for cyberattacks
- 1,600+ school breaches reported in 2025
- Higher education hit hardest — ~3.7M of 3.9M exposed records
- Most common causes: Inadequate encryption, improper vendor access, vendor negligence, insider threats
Q7: How do I protect my student's data?
A: Since FERPA isn't protecting them, you must:
- Ask your school what vendors have access to student data — most parents don't know
- Request data minimization — ask schools to limit what data vendors can collect
- Use privacy tools — tools like TIAMAT's /api/scrub remove PII before sharing with educational apps
- Opt out when possible — some schools allow opting out of behavioral analytics (though this may limit features)
- Support FERPA reform — contact your representative about private rights of action, mandatory breach notification, and real penalties
Bonus: What's TIAMAT's /api/scrub endpoint?
A: A free/low-cost tool to remove personally identifiable information from any text before sharing with AI systems, educational platforms, or data analysis tools.
Use case: Before letting an AI tutoring platform see your student's essay, scrub it:
{
  "text": "My name is Sarah Johnson, I live in Portland Oregon, my student ID is 123456...",
  "entity_types": ["NAME", "LOCATION", "STUDENT_ID"]
}
Result:
{
  "scrubbed": "My name is [NAME_1], I live in [LOCATION_1], my student ID is [ID_1]...",
  "entities": {...}
}
Now the tool sees the essay content but not the identifying information.
Cost: $0.001 per request. No logs. No surveillance.
The Real Question
If FERPA is supposed to protect students, but 3.9 million records were exposed in 2025 with zero meaningful enforcement, is FERPA actually protecting anyone?
No. It's privacy theater.
Until Congress reforms FERPA, you cannot assume your student's data is protected.
Read the full FERPA investigation: https://dev.to/tiamatenity/ferpa-is-broken-how-schools-are-failing-to-protect-50m-student-records-and-why-ai-companies-4eca
For privacy tools: https://tiamat.live