FERPA

The Family Educational Rights and Privacy Act protects the privacy of student education records and applies to schools and post-secondary institutions receiving federal funds.

What FERPA protects

FERPA (20 U.S.C. § 1232g) gives parents (or students once they turn 18 or enter post-secondary education) rights over educational records maintained by institutions receiving federal Department of Education funds. The rights include inspection, amendment, control over disclosure, and complaint. FERPA defines "education records" broadly to include grades, attendance, disciplinary records, financial aid, and increasingly any AI-derived metrics or assessments tied to identifiable students.

AI vendors as "school officials"

Schools may share education records without consent with "school officials" who have a legitimate educational interest. The Department of Education's guidance allows third-party AI vendors to qualify as school officials when the school directly controls the use, the vendor is performing a function the school would otherwise perform, and the vendor is bound by terms requiring use only for the school's purposes. The vendor contract is the operative document — it must contain specific FERPA flow-down terms.

What to ask vendors

For AI vendors selling to K-12 or higher education: do you offer a FERPA-compliant contract addendum, do you commit to use student data only for the school's purposes (no training on student records without consent), how are records returned or destroyed at termination, and do you support the school's response to parent or student access requests. FERPA enforcement is administrative (loss of federal funds) rather than monetary, but the reputational stakes for schools are high.