What is FERPA and who does it apply to?

FERPA (Family Educational Rights and Privacy Act) protects student education records at any school receiving federal funding. It applies to K-12 schools, colleges, universities, and any EdTech vendor acting as a "school official" with access to student data. It covers names, grades, attendance, disciplinary records, and any PII linked to educational records.

What is the difference between FERPA and COPPA?

FERPA protects student education records at schools receiving federal funding and is enforced by the Department of Education. COPPA protects personal information of children under 13 collected by websites and apps, enforced by the FTC. If your EdTech platform serves students under 13, you likely need to comply with both.

What technical controls are required for FERPA compliance?

Key technical requirements include: role-based access control (RBAC) limiting data access by role, encryption at rest (AES-256) and in transit (TLS 1.3), comprehensive audit logging with 5+ year retention, data minimization (collect only what's educationally necessary), automated data deletion when contracts end, and parental data export capabilities.

FERPA Compliance in EdTech Software: What Developers Actually Need to Know

If you build software for schools, you need to understand FERPA. Not the vague "we take student privacy seriously" version — the actual technical and operational requirements that determine whether your platform protects students or puts their data at risk.

I've built EdTech platforms for K-12 districts and higher education institutions, and I've seen how confusing FERPA can be for development teams that are more familiar with HIPAA or general data privacy regulations. Here's what you actually need to know.

What FERPA Protects (And What It Doesn't)

FERPA — the Family Educational Rights and Privacy Act — protects "education records," which the Department of Education defines as records directly related to a student that are maintained by an educational agency or a party acting on its behalf.

This includes:

Student names, addresses, and contact information
Grades, transcripts, and academic records
Disciplinary records
Attendance data
Special education records (IEPs, 504 plans)
Financial aid information
Any personally identifiable information (PII) linked to the above

What it does NOT typically cover:

De-identified or aggregate data (no student can be identified)
Directory information (if the school has properly designated it and given parents opt-out notice)
Records created by school law enforcement units
Alumni records (once the student is no longer enrolled)

FERPA vs HIPAA vs COPPA: Know the Difference

I work with healthcare organizations under HIPAA and schools under FERPA, and teams mix these up constantly. Here's the quick breakdown:

Regulation	Applies To	Protects	Enforced By
FERPA	Schools receiving federal funding	Student education records	Dept. of Education
HIPAA	Healthcare providers, insurers, business associates	Protected health information (PHI)	HHS / OCR
COPPA	Websites/apps collecting data from children under 13	Children's personal information	FTC

Critical overlap: If your EdTech platform serves students under 13, you likely need to comply with both FERPA and COPPA. If your platform handles student health records (school nurse data, for example), FERPA typically takes precedence in educational settings, but consult with legal counsel on edge cases.

Technical Requirements for FERPA-Compliant Software

Let me break down what this means for your actual codebase and infrastructure.

1. Access Controls

FERPA requires that only authorized individuals can access student records. In practice, this means:

Role-based access control (RBAC) — Teachers see their students, admins see their school, district admins see everything. No exceptions.
Principle of least privilege — Default to no access, then grant specific permissions.
Session management — Automatic timeout after inactivity (we typically set 30 minutes for staff portals).
Multi-factor authentication for administrative accounts accessing bulk student data.

// Example RBAC hierarchy
District Admin → All schools, all students
School Admin → Single school, all students in that school
Teacher → Assigned classes and students only
Parent → Their children only
Student → Their own records only

2. Data Encryption

While FERPA doesn't explicitly mandate encryption (unlike HIPAA), the Department of Education strongly recommends it, and any modern platform should implement:

Encryption at rest — AES-256 for stored student data.
Encryption in transit — TLS 1.3 for all API calls and web traffic.
Database-level encryption — Column-level encryption for sensitive fields (SSN, disability status).
Key management — Use AWS KMS, GCP KMS, or HashiCorp Vault. Never hardcode keys.

3. Audit Logging

You need to track who accessed what student data and when. Our standard implementation includes:

User ID, timestamp, action performed, records accessed
IP address and device information
Success and failure events (failed login attempts matter)
Log retention for at least 5 years (aligned with most state requirements)
Tamper-proof log storage (write-once, append-only)

This isn't just a compliance requirement — it's your evidence trail if a breach occurs or a parent requests an access audit.

4. Data Minimization

This is where I see most EdTech companies get it wrong. FERPA's "legitimate educational interest" standard means you should only collect and store data that's necessary for your platform's educational purpose.

Don't collect Social Security numbers unless absolutely required
Don't store biometric data without explicit consent
Don't retain data beyond its useful life
Don't share student data with third-party analytics unless the school has authorized it

5. Parental Rights Implementation

FERPA gives parents (and eligible students over 18) specific rights that your platform must support:

Right to inspect records — Parents must be able to view all data your platform holds about their child. Build an export feature.
Right to request amendments — You need a workflow for parents to dispute and correct inaccurate records.
Right to consent to disclosure — Before sharing records with third parties, you need documented consent (with exceptions for legitimate educational interests).

Vendor Agreements and the "School Official" Exception

Here's where FERPA gets practically important for software companies. Schools can share student data with EdTech vendors under the "school official" exception — but only if:

The vendor performs a function the school would otherwise do itself
The vendor is under the school's direct control regarding data use
The vendor agrees to comply with FERPA requirements
The vendor doesn't re-disclose data except as authorized

In practice, this means you need a Data Privacy Agreement (DPA) or Student Data Privacy Addendum with every school or district you serve. Many states have standardized DPA templates (look for the Student Data Privacy Consortium's National DPA).

Your DPA should address:

What data you collect and why
Where data is stored (geographic location)
Who at your company can access it
How long you retain it
What happens to data when the contract ends (deletion, return, or both)
Breach notification procedures and timelines
Sub-processor disclosures (every third-party service that touches student data)

State-Level Student Privacy Laws

FERPA is the federal baseline, but many states have stricter requirements. Here are the ones that catch teams off guard:

California (SOPIPA/CalOPPA): Prohibits targeted advertising based on student data. Requires prominent privacy policies.
New York (Education Law 2-d): Requires data privacy and security plans, breach notification within 10 days, and annual third-party contract reviews.
Colorado (Student Data Transparency & Security Act): Mandates data inventories and vendor contract transparency.
Illinois (SOPPA): Requires schools to list all EdTech vendors on their websites. Breach notification requirements.
Connecticut (Student Data Privacy Act): Prohibits selling student data, requires operator agreements.

If you serve schools across multiple states, build to the strictest standard. It's easier than maintaining 50 different compliance configurations.

Breach Response Planning

FERPA doesn't have a specific breach notification requirement (unlike HIPAA's 60-day rule), but most state laws do. Our recommendation:

Detect within 24 hours — Implement monitoring for unauthorized access patterns
Contain within 48 hours — Isolate affected systems, revoke compromised credentials
Notify the school within 72 hours — Even if your state allows more time, faster notification builds trust
Notify affected families — Work with the school to communicate appropriately
Document everything — Root cause analysis, remediation steps, prevention measures

Building FERPA Compliance Into Your Development Process

Here's how we approach compliance at Of Ash and Fire — not as an afterthought, but as a foundational design constraint:

During Discovery

Map all student data flows (collection, storage, processing, sharing, deletion)
Identify which FERPA category each data element falls under
Review state-specific requirements for target markets
Draft DPA template for school/district review

During Development

Implement RBAC before building features that access student data
Add audit logging from sprint one, not sprint ten
Build data export and deletion features into the core platform
Use static analysis tools to catch data exposure risks
Conduct code reviews with a privacy lens

During Testing

Penetration testing focused on authorization bypass
Data isolation testing (can teacher A see teacher B's students?)
Privacy regression testing (does new feature X expose data it shouldn't?)
Accessibility testing (WCAG 2.1 AA — often required alongside FERPA for federally-funded institutions)

During Operations

Annual security assessments
Regular access reviews (remove inactive accounts)
Incident response drills
DPA renewal tracking

Common FERPA Violations in EdTech

Learn from others' mistakes:

Displaying student information in URLs — /students/john-smith-12345 leaks PII. Use opaque IDs.
Exposing student data in API responses — Return only the fields the requesting user is authorized to see.
Sharing analytics with third parties without authorization — Google Analytics on student-facing pages can capture student browsing behavior. Be intentional about what you track.
Retaining data after contract termination — When a school ends their contract, their student data must be deleted or returned. Automate this.
Inadequate sub-processor controls — If you use AWS, Twilio, or SendGrid, they're sub-processors. Your DPA must account for them.

Explore Our EdTech Expertise

Education Technology Development — Custom EdTech platforms built for compliance
Custom LMS Development: Build vs Buy — When to build your own learning platform
Software Discovery Process — How we plan compliant software projects
HIPAA Security Rule 2026 Overhaul — Compliance lessons from healthcare that apply to EdTech

The Bottom Line

FERPA compliance isn't optional, and it's not something you bolt on after launch. The technical controls — access management, encryption, audit logging, data minimization — need to be architectural decisions, not afterthoughts.

The good news? If you build these practices into your development process from the start, compliance becomes a natural outcome of good engineering, not a burden. And your school and district customers will notice the difference between a vendor who takes student privacy seriously and one who just checks boxes.

Need help building a FERPA-compliant EdTech platform? Let's talk about your project. We've navigated compliance requirements in healthcare (HIPAA) and education (FERPA/COPPA), and we can help you get it right from the start.