PRIA Logo
Back to search
Education

FERPA — Student Privacy Rights

13 min read·Updated May 12, 2026

FERPA — Student Privacy Rights

The Family Educational Rights and Privacy Act (FERPA) — also called the Buckley Amendment, enacted in 1974 and codified at 20 U.S.C. § 1232g — is the federal law that gives parents (and students once they turn 18 or enroll in postsecondary school) the right to inspect, review, and request corrections to education records maintained by schools that receive federal funds, and restricts schools from disclosing those records to third parties without consent. FERPA applies to essentially every public and private K-12 school, college, and university in the United States, because virtually all receive some form of federal funding. The law's two core rights: access (parents/eligible students can see their education records within 45 days of a request) and privacy (schools generally cannot release records to outside parties without written consent). FERPA contains numerous exceptions that have been expanded over the years: disclosures to school officials with legitimate educational interest, to other schools upon transfer, in connection with financial aid, to state and local education authorities, for health and safety emergencies, and — controversially — to the military (under the Solomon Amendment, allowing military recruiters access to student directory information). The COVID-19 pandemic prompted additional FERPA guidance on remote learning and student data. For college students, FERPA is particularly significant: it means parents cannot receive grades, disciplinary records, or financial records without the student's written consent — a transition that surprises many families. Violations can lead to withdrawal of federal funding, though the Department of Education typically seeks compliance before imposing that sanction.

Current Law (2026)

ParameterValue
EnactedFamily Educational Rights and Privacy Act of 1974 (Buckley Amendment)
Primary enforcerStudent Privacy Policy Office (SPPO), Department of Education
Applies toAll educational agencies and institutions receiving federal education funds
Rights transferAt age 18 or enrollment in postsecondary institution, rights transfer from parents to students ("eligible students")
EnforcementComplaint to SPPO; potential withdrawal of federal funding (never actually imposed)
Consent requirementWritten consent required before disclosing personally identifiable information from education records, with specified exceptions
  • 20 U.S.C. § 1232g — Family educational and privacy rights (no federal funds to any educational institution that denies parents the right to inspect/review their children's education records; no federal funds to institutions that release personally identifiable information from education records without written consent; exceptions for school officials with legitimate educational interests, other schools to which student transfers, financial aid purposes, state/local officials under specific statutes, accrediting organizations, judicial orders/subpoenas, health/safety emergencies, directory information; annual notification of rights; right to request amendment of inaccurate records; hearing process if amendment refused)

Implementing Regulations

The Department of Education's implementing regulations for FERPA live at 34 CFR Part 99 — Family Educational Rights and Privacy (31 sections — the binding rules for all educational agencies and institutions that receive Department of Education funds, operationalizing the rights in 20 U.S.C. § 1232g):

  • § 99.1 — Applicability: Part 99 applies to any educational agency or institution that receives funds under any program administered by the Department of Education; for K-12, this is the LEA (local education agency — the school district); for higher education, this is the institution that receives federal funding; private schools that receive no federal funding are not covered — but this exception is narrow since federal lunch programs, Title I funds, and student financial aid all count
  • § 99.3Definitions (the operational foundation of FERPA): "education records" means records, files, documents, or other materials that (1) contain information directly related to a student and (2) are maintained by an educational agency or institution or by a person acting on its behalf; key exclusions: sole-possession notes, law enforcement unit records, employment records where employment is not conditioned on student status, medical/treatment records; "directory information" is defined to include name, address, phone, email, enrollment status, major, degrees, honors, awards, dates of attendance, and participation in sports — but each institution sets its own directory information policy; "eligible student" means a student who has reached 18 or is attending a postsecondary institution, at which point FERPA rights transfer from parents to the student
  • § 99.10Right of access: a parent or eligible student who requests access to education records must be allowed to inspect and review them within 45 days; schools cannot refuse access based on outstanding tuition balances or other holds; if the parent or student cannot physically visit to review records, the school must arrange for access by providing copies or by other means; while schools may charge a reasonable fee for copies, they cannot charge for search and retrieval of records (doing so would effectively discourage the access right)
  • § 99.20–99.22Right to request amendment: parents or eligible students who believe records are inaccurate, misleading, or violate privacy rights may request amendment; the school must decide within a reasonable time; if it refuses, it must notify the parent/student of the right to a hearing; hearings must be conducted by a fair and impartial official of the school; if the hearing officer determines the record is not inaccurate, the parent/student may place a statement in the record explaining their objection, which must accompany the record when it is disclosed
  • § 99.30Prior written consent requirement: generally, a school may not disclose personally identifiable information from education records without the written consent of the parent or eligible student; the consent must specify which records are disclosed, the purpose of the disclosure, and the party receiving the records; the consent requirement protects against commercial data mining, researchers obtaining student data without student knowledge, and disclosure to parents of adult students without the student's agreement
  • § 99.31Consent exceptions (the most frequently litigated provision): the following disclosures do not require prior consent: (1) school officials with legitimate educational interest (teachers, counselors, coaches, administrators, board members — but the school must define "legitimate educational interest" in its FERPA policy); (2) transfer schools — when students transfer, their records follow them; (3) financial aid officials as needed for aid determinations; (4) federal and state audit authorities; (5) accrediting organizations; (6) parents of dependent students as defined by the IRS (if the student is a dependent on parents' tax return, parents may access records even after the student turns 18 — a significant exception for college-age students); (7) parties under judicial order or lawfully issued subpoena (with a reasonable effort to notify the parent/student in advance, unless the court orders confidentiality); (8) health or safety emergencies when the information is necessary to protect the health or safety of the student or others
  • § 99.32Recordkeeping: institutions must maintain a record in the student's file of each request for access and each disclosure, including the party requesting access and the legitimate interest claimed; this log must be accessible to the parent or eligible student; the log requirement enables students to audit who has accessed their records
  • § 99.33Conditions on re-disclosure: when an institution discloses education records under a consent exception, the recipient is generally bound by the same rules — they cannot re-disclose the records to third parties without consent (with limited exceptions); this prevents a chain of unauthorized re-disclosures
  • § 99.37Directory information: schools may disclose directory information without consent unless the student or parent has opted out; to protect students from commercial solicitations and military recruiting, schools must provide annual notice of their directory information policy and allow opt-outs; an opt-out prevents all directory information disclosures, including publication of dean's list, athletic rosters, and graduation programs — students sometimes opt out without realizing these consequences; the Solomon Amendment requires schools to provide directory information to military recruiters unless the student has opted out, and schools cannot restrict recruiters' access more than they restrict civilian recruiters' access
  • § 99.60–99.67Enforcement: DOE's Student Privacy Policy Office (SPPO) investigates complaints; if a violation is found, SPPO issues a letter of findings specifying required corrective actions; institutions that fail to correct violations risk loss of DOE funding; in practice, DOE has rarely actually cut off funding — compliance notices and corrective action letters are the primary enforcement tools; private rights of action for individual FERPA violations are not available under 20 U.S.C. § 1232g (the Supreme Court held in Gonzaga University v. Doe (2002) that FERPA creates no individual enforceable right)

Recent rulemakings: 76 FR 75643 (December 2011) — comprehensive FERPA amendment implementing USA PATRIOT Act provisions, student health record clarifications, and updated directory information rules; 73 FR 74854 (December 2008) — major amendments addressing health and safety emergencies and state/local government access.

How It Works

FERPA is the primary federal law protecting the privacy of student education records. It complements the broader Privacy Act that governs federal agency records. It gives parents (and students over 18) the right to access their records, request corrections, and control who else can see them.

FERPA gives parents (and students once they turn 18 or enroll in postsecondary) two core rights: the right to inspect and review education records within 45 days of a request, and the right to control disclosure — schools generally cannot release personally identifiable information without written consent. "Education records" is broadly defined to include grades, transcripts, class schedules, student financial records, and disciplinary files maintained by the institution or its agents; it excludes teachers' personal notes kept in their sole possession, law enforcement unit records, employment records where employment isn't contingent on student status, and medical/treatment records. The consent requirement has important statutory exceptions: school officials with legitimate educational interest, schools to which a student transfers, federal and state audit officials, financial aid administrators, accrediting organizations, parents of IRS-defined dependent students, parties under judicial order or subpoena (with notice effort), and parties responding to genuine health or safety emergencies. Schools may also release "directory information" — name, address, phone, enrollment dates, degrees, honors, and sports participation — unless the student or parent opts out with a timely written request.

FERPA's enforcement mechanism is deliberately blunt. The Supreme Court held in Gonzaga University v. Doe (2002) that individuals have no private right of action — you cannot sue a school for a FERPA violation in federal court. Complaints go to the Department of Education's Student Privacy Policy Office, which investigates and can require compliance; the ultimate sanction — withdrawing all federal funding — has never been imposed. This makes FERPA compliance largely voluntary in practice. The law's 1974 origins also create ongoing tensions with modern technology: FERPA's "school official" exception has been stretched to cover EdTech vendors, cloud platforms, and learning management systems, but the Department of Education's guidance requires that vendors use shared student data only for the institutional purposes for which it was disclosed — a constraint that is inconsistently monitored and enforced.

How It Affects You

If you're a parent of a K-12 student: FERPA gives you the right to inspect and review your child's complete education records — not just grades, but discipline records, special education evaluations, health records maintained by the school, and any documented communications. Submit a written request to your school's principal or records office; the school must respond within 45 days. You can also request an amendment to records you believe are inaccurate — submit the request in writing explaining why, and if the school disagrees, you have the right to a formal hearing and to insert a statement of disagreement in the record. Critically: exercise your right to opt out of directory information disclosure. Schools often release name, grade level, address, phone number, and activities to outside parties (including military recruiters, who have statutory FERPA access rights) under the "directory information" exception unless you opt out. Ask your school for its directory information opt-out form at the start of each school year. These rights transfer entirely to your child at age 18 — after that, you need your child's written consent to access their records.

If you're a college or university student: Your FERPA rights mean you control who sees your academic records — not your parents. The common myth is that parents paying tuition get automatic access to grades; they do not, unless you've signed a FERPA release or the school can document you're claimed as a dependent on federal taxes (which few schools actually verify). If you want your parents to see your grades, sign a FERPA release with your registrar. If you want a job offer letter to not become a school record, don't submit it through an official school system. You can request and review all your own records by submitting a written request to the registrar; the school must comply within 45 days. If something in your record is wrong (a grade, a disciplinary notation, an incorrect address), you have the right to request an amendment in writing. If the school refuses and you pursue a formal hearing, you can insert a statement of disagreement that becomes part of your permanent record. If your rights were violated, file a complaint with the Department of Education's Student Privacy Policy Office at studentprivacy.ed.gov (no private lawsuit is available — Gonzaga University v. Doe, 2002, closed that door).

If you're a teacher, school counselor, or administrator: The "legitimate educational interest" standard is the key access rule: you may view student records when you need to do so to fulfill your professional responsibilities — a teacher reviewing a student's IEP before providing instruction, a counselor reviewing discipline history for a student they're advising. You may not access records out of curiosity or for purposes outside your institutional role. The most common FERPA violations in schools: posting grades publicly by identifiable student ID numbers (prohibited — use random identifiers), discussing a student's academic performance with their parents after the student turns 18 without the student's consent (prohibited without a FERPA release), sending student data to EdTech vendors without a valid FERPA school official agreement limiting the vendor's use of the data. Your district should have a FERPA compliance officer; when in doubt about a data-sharing request, route it through them rather than making the call yourself.

If you're an EdTech company or education data vendor: If you receive personally identifiable student data from a school — names, student IDs, grades, behavioral data, device activity logs — you are receiving "education records" under FERPA and are bound by the school's obligations. The school must have a written agreement designating you as a "school official" performing institutional services under the school's direct control, using the data only for specified purposes, and returning or destroying the data when the contract ends. You cannot use this data for targeted advertising, build student profiles for commercial purposes, or share it with third parties outside the agreement scope. California's SOPIPA (Student Online Personal Information Protection Act) adds additional restrictions beyond FERPA for EdTech companies serving California schools. Document your data protection practices carefully; school compliance officers are increasingly sophisticated in reviewing vendor FERPA agreements, and failure to comply can result in loss of school contracts and potential FTC action for deceptive privacy practices.

Student Rights in Federally Funded Research and Testing: A separate but related law — the Hatch Amendment (Protection of Pupil Rights Amendment, PPRA, 20 U.S.C. § 1232h) — covers student privacy in federally funded research and surveys. 34 CFR Part 98 implements these rights:

  • § 98.3 — Access to research program materials: parents have the right to inspect all instructional materials — including teachers' manuals, films, tapes, and supplementary material — used in connection with any federally funded research or experimentation program before the program is conducted with their child; the "inspect before use" right allows parents to evaluate whether they want their child to participate
  • § 98.4 — Protection from psychological examination without consent: no student may be required to submit to psychiatric, psychological, or mental health examination, testing, or treatment as part of any federally funded program without the prior written consent of the parent (for minors) or the student (for adults); the prohibition covers instruments that probe into sensitive areas including political or religious beliefs, illegal or potentially incriminating behavior, sexual behavior or attitudes, anti-social behavior, and family life; surveys that probe these areas require parental consent before students may participate
  • § 98.7 — Complaint process: only a student or the parent/guardian of a student directly affected may file a complaint under Part 98; the complaint must be submitted in writing to the Department of Education's designated office; complaints trigger a formal investigation into whether the school or grantee complied with the consent and access requirements
  • § 98.10 — Enforcement: if the recipient or contractor fails to comply, the Secretary may terminate or withhold federal funding under 34 CFR Part 78; the enforcement mechanism is the same as FERPA — fund loss rather than private right of action

Part 98's protections are narrower than modern PPRA interpretations: PPRA was expanded by the No Child Left Behind Act of 2001 to give parents the right to opt their children out of any survey probing sensitive areas, and to require annual notice of all surveys scheduled for the school year. The 2001 expansion applies directly to schools receiving ESEA funds and is enforced differently than the Part 98 regulations, which apply specifically to federally funded research and experimentation programs. Parents who believe their child was subjected to an invasive survey without proper consent should file a complaint with the Department of Education's Student Privacy Policy Office at studentprivacy.ed.gov, which handles both FERPA and PPRA complaints.

State Variations

  • FERPA sets a federal floor — states can provide additional student privacy protections. Students with disabilities have additional records protections under IDEA
  • California (SOPIPA): Student Online Personal Information Protection Act prohibits targeted advertising to students, creating student profiles for non-educational purposes, and selling student information
  • Many states have enacted student data privacy laws addressing EdTech, data breach notification, data governance, and parental access rights beyond FERPA
  • State open records laws and FERPA can conflict — FERPA generally preempts state disclosure requirements for education records
  • Some states require additional parental consent for specific data sharing (e.g., sharing with law enforcement, immigration authorities)

Pending Legislation

No directly matching 119th Congress bills targeting FERPA reform found in the database.

Recent Developments

  • Growing concern about student data privacy in the age of AI-powered educational tools, adaptive learning platforms, and proctoring software
  • Department of Education has issued updated guidance on FERPA and school safety, clarifying when health/safety emergency exceptions allow disclosure
  • Increased attention to the intersection of FERPA and data breach notification — FERPA does not require breach notification, but most states now have their own breach notification laws
  • Student privacy advocacy groups have pushed for FERPA modernization to address gaps in EdTech regulation and strengthen enforcement mechanisms

At My Address

See how FERPA — Student Privacy Rights plays out in your area

Pull up the federal-data report for any U.S. ZIP — federal spending, environmental risk, hospitals, schools, your reps, all on one page.

Enter your address