Complete Guide to FERPA Compliance for Education Technology
Learn what K-12 schools need to know about FERPA compliance with education technology. Essential checklist for administrators evaluating AI tools.
Every year, K-12 schools adopt dozens of new education technology tools—from AI grading assistants to learning management systems and student analytics platforms. Each adoption brings a question that too often goes unasked until it is too late: Is this compliant with FERPA?
The Family Educational Rights and Privacy Act (FERPA) is not just another regulation to check off a list. It is a federal law with real consequences. Schools that violate FERPA can lose all federal funding. In 2024, the Department of Education investigated over 300 FERPA complaints, resulting in mandatory corrective actions for dozens of districts.
This guide is for administrators, technology directors, and teachers who need to understand FERPA compliance in the context of modern edtech. We will cover what FERPA actually requires, where schools commonly go wrong, and how to evaluate vendors before signing that contract.
What Is FERPA and Why Does It Matter?
Enacted in 1974, FERPA grants parents and eligible students (those 18 and older) specific rights regarding educational records. These rights include:
- The right to inspect and review educational records
- The right to request amendments to incorrect records
- The right to consent to disclosures of personally identifiable information
- The right to file complaints with the Department of Education
Educational records under FERPA include any records directly related to a student and maintained by an educational agency or institution. This encompasses grades, test scores, attendance records, disciplinary records, and special education documentation.
The stakes are high: The Secretary of Education can withhold federal funds from any educational agency or institution that has a policy or practice of violating FERPA. This is not theoretical—schools have faced funding consequences for non-compliance.
FERPA Compliance and EdTech: The Critical Connection
Here is where FERPA gets complicated for modern schools. When you adopt an education technology tool that processes student data, you are not just using software—you are creating a relationship between your school and a third party that handles protected educational records.
The School Official Exception
Most edtech vendors operate under what is called the "school official exception." This allows schools to disclose records to third parties without parental consent, provided the third party:
- Performs an institutional service or function the school would otherwise perform
- Is under the direct control of the school regarding the use and maintenance of education records
- Uses the records only for authorized purposes and does not re-disclose them
The key phrase here is "under the direct control of the school." This is where many schools get into trouble. If your vendor is using student data to train AI models, sell analytics to other companies, or build profiles for marketing purposes, they are not under your control—and you may be violating FERPA.
Common FERPA Violations with EdTech Tools
Understanding what not to do is just as important as knowing the rules. Here are the most common FERPA violations schools commit when adopting education technology:
1. Using Apps Without Reviewing Privacy Policies
A teacher downloads a free app to help with classroom management. It seems harmless—just a tool for tracking attendance. But the privacy policy says the company can use data for "product improvement," which means training AI models on your students' information. Without realizing it, the teacher has authorized a FERPA violation.
2. Failing to Secure Proper Agreements
Verbal assurances from sales representatives are meaningless. If it is not in a signed contract or data privacy addendum, it does not count. Schools need written documentation that vendors will:
- Use data only for the specific educational purposes authorized
- Not sell or share data with third parties
- Delete data when the contract ends
- Maintain appropriate security measures
- Report data breaches promptly
3. Ignoring Data Retention and Deletion
FERPA requires that educational records be maintained with reasonable methods to protect against unauthorized access. When a student graduates or leaves the district, what happens to their data in that AI tutoring platform you used? If the vendor keeps it indefinitely and uses it to improve their product, you have a compliance problem.
The FERPA Compliance Checklist for EdTech Adoption
Before adopting any education technology tool, work through this checklist. Document your findings for each item.
Vendor Evaluation Questions
- Does the vendor have a signed Data Privacy Addendum (DPA) that specifies FERPA compliance?
- Will the vendor specify exactly what student data they collect and how it is used?
- Does the vendor use data for any purpose other than providing the contracted service?
- Is data used to train AI models or machine learning systems?
- Can the vendor delete all student data upon request or contract termination?
- What security certifications does the vendor maintain (SOC 2, ISO 27001, etc.)?
- How quickly will the vendor notify you of a data breach?
Internal Policy Requirements
- Have you published an annual FERPA notification to parents?
- Do you maintain a directory information policy that specifies what can be disclosed without consent?
- Is there a process for parents to inspect records and request amendments?
- Do you have an approved vendor list that has been vetted for FERPA compliance?
- Are teachers trained on which apps and tools are approved for classroom use?
Red Flags: When to Walk Away from a Vendor
Some vendor behaviors should immediately disqualify them from consideration. Watch for these warning signs:
- ⚠ Refusal to sign a DPA — Any legitimate edtech vendor should be willing to sign a data privacy agreement.
- ⚠ Vague privacy policies — Phrases like "we may use data to improve our services" without specificity.
- ⚠ Advertising-based business models — If the product is free and shows ads, student data is likely the product.
- ⚠ Indefinite data retention — Vendors should commit to deleting data when it is no longer needed.
- ⚠ No transparency about subprocessors — If they use third-party services, you need to know who and for what.
FERPA Compliance for AI Tools: Special Considerations
Artificial intelligence adds complexity to FERPA compliance. Here are specific questions to ask when evaluating AI-powered education tools:
AI Training and Data Usage
Many AI tools improve by learning from user data. This is acceptable under FERPA only if:
- The vendor explicitly states they do NOT use your students' data to train general AI models
- Any model improvements are limited to your specific instance and do not benefit other customers
- Data is anonymized or aggregated before use in any training context
Be especially wary of vendors who claim AI training is necessary for the service but cannot explain exactly what data is used and how it is protected.
Building a District-Wide FERPA Compliance Program
One-off compliance checks are not enough. Schools need systematic programs to maintain FERPA compliance as technology evolves.
Step 1: Create a Technology Review Board
Establish a committee that reviews all new technology before adoption. Include representatives from IT, legal/compliance, curriculum, and classroom teachers. No app should be used for student data without board approval.
Step 2: Maintain a Master Vendor List
Document every vendor that handles student data, including what data they access, what agreements are in place, and when those agreements expire. Review this list annually.
Step 3: Train Staff Regularly
Teachers and staff need to understand that downloading a "helpful free app" can create compliance liability. Regular training should cover approved tools, the approval process, and the consequences of non-compliance.
Step 4: Audit and Update
Conduct annual audits of your edtech ecosystem. Are vendors still compliant? Have their privacy policies changed? Are teachers using unauthorized tools? Continuous vigilance is required.
Resources for Deeper FERPA Understanding
FERPA compliance is complex, and this guide is a starting point, not legal advice. For specific situations, consult:
- The U.S. Department of Education Student Privacy Policy Office (SPPO)
- Your state education agency—many have additional privacy requirements beyond FERPA
- Legal counsel specializing in education law
- The Student Privacy Compass by the Future of Privacy Forum
FERPA-Compliant AI for Your School
At KlassBot, we take student privacy seriously. Our platform is designed from the ground up with FERPA compliance in mind—no student data is used to train AI models, all data is encrypted, and we provide comprehensive data privacy agreements for every district we serve.
Schedule a demo to learn how our AI grading assistant helps teachers save time while keeping student data secure and compliant.