Family Educational Rights and Privacy Act (FERPA)
FERPA is the Family Educational Rights and Privacy Act of 1974 (20 USC 1232g) implemented by 34 CFR Part 99 + administered by the US Department of Education Student Privacy Policy Office (SPPO) + Privacy Technical Assistance Center (PTAC). FERPA protects the privacy of student education records held by educational agencies + institutions receiving funds from any program administered by the Secretary of Education + applies to virtually all US K-12 + postsecondary educational institutions. FERPA confers four core rights on parents (transferred to eligible students at age 18 or upon postsecondary enrollment): (a) the right to INSPECT AND REVIEW education records; (b) the right to REQUEST AMENDMENT of records believed to be inaccurate or misleading; (c) the right to CONSENT to disclosures of personally identifiable information (PII) from education records subject to specified exceptions; (d) the right to FILE A COMPLAINT with the Department of Education for FERPA violations. Educational institutions must provide ANNUAL NOTIFICATION of these rights + the criteria for designating school officials with legitimate educational interest. Disclosures without consent are limited to specific exceptions: school officials + other educational institutions for enrolment + financial aid + accrediting organizations + parents of dependent students + court orders + health/safety emergencies + studies for or on behalf of the institution + audit + evaluation by authorised representatives + directory information after public notice. DIRECTORY INFORMATION (typically name + address + phone + email + photograph + dates of attendance + grade level + sport participation + degrees + honors) may be disclosed without consent if the institution provides annual public notice + a reasonable opportunity to opt-out. DATA SECURITY SAFEGUARDS for PII in education records are required under the studies + audit + evaluation exceptions + the SPPO/PTAC Best Practices Guidance. ENFORCEMENT is by the SPPO (within DoE) + may result in loss of federal funding (the sole statutory remedy). FERPA is coordinated with the Children Online Privacy Protection Act (COPPA) + the Protection of Pupil Rights Amendment (PPRA) + state student privacy laws (SOPIPA + Connecticut + New York + California + ~20 other states). FERPA Final Rule revisions: 1988 + 1995 + 2008 + 2011 (audit + evaluation + studies exceptions clarified) + 2011 directory information + 2020 study by SPPO + ongoing 2024-2025 PTAC guidance updates on AI + cloud + edtech vendor agreements + data breach notification standards.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
FERPA: Annual Notification, Right to Inspect and Review (Subpart B)
| Code | Title |
|---|---|
| FERPA-Part99.10_11_12 | Right to Inspect and Review (34 CFR 99.10, 99.11, 99.12) |
| FERPA-Part99.7 | Annual Notification of Rights (34 CFR 99.7) |
FERPA: Data Security Safeguards (PTAC Best Practices and SPPO Guidance)
| Code | Title |
|---|---|
| FERPA-Safeguards-PTAC | Data Security Safeguards for PII in Education Records (PTAC Best Practices, SPPO Guidance) |
FERPA: Directory Information, Recordkeeping and Redisclosure (Subpart D)
| Code | Title |
|---|---|
| FERPA-Part99.32-Recordkeeping-99.33-Redisclosure | Recordkeeping of Disclosures + Limitations on Redisclosure (34 CFR 99.32, 99.33) |
| FERPA-Part99.37-Directory | Directory Information (34 CFR 99.31(a)(11), 99.37) |
FERPA: Disclosure Restrictions, Consent and Exceptions (Subpart D)
| Code | Title |
|---|---|
| FERPA-99.31a1-School-Officials | School Officials with Legitimate Educational Interest (34 CFR 99.31(a)(1)) |
| FERPA-99.31a3-Audit-99.31a6-Studies | Audit and Evaluation Exception + Studies Exception (34 CFR 99.31(a)(3), 99.31(a)(6), 99.35) |
| FERPA-99.31a9-Judicial-99.31a10-Emergency-99.31a13-14 | Judicial Disclosure + Health and Safety Emergency + Sex Offense Disclosures (34 CFR 99.31(a)(9), (10), (13), (14), 99.36) |
| FERPA-Part99.30_31 | Prior Consent Required for Disclosure + Exceptions (34 CFR 99.30, 99.31) |
FERPA: Enforcement, Complaints and Coordination (Subpart E)
| Code | Title |
|---|---|
| FERPA-99.60-99.67-Enforcement | Enforcement and Complaint Procedures (34 CFR 99.60 to 99.67) |
| FERPA-Coord-COPPA-PPRA-State | Coordination with COPPA, PPRA, State Student Privacy Laws and Sectoral Laws |
| FERPA-Status | FERPA Implementation Status, 2024-2025 Guidance and AI/Cloud Trends |
FERPA: Right to Request Amendment + Hearing (Subpart C)
| Code | Title |
|---|---|
| FERPA-Part99.20_21_22 | Right to Request Amendment + Hearing (34 CFR 99.20, 99.21, 99.22) |
FERPA: Scope, Applicability, Definitions and Rights Transfer (Subpart A)
| Code | Title |
|---|---|
| FERPA-Part99.1_3 | Applicability and Definitions (34 CFR 99.1, 99.3) |
| FERPA-Part99.4_5 | Rights Transfer (34 CFR 99.4, 99.5) |
Your Compliance Coverage
If you comply with Family Educational Rights and Privacy Act (FERPA), you already cover:
Maps to 96 other frameworks
Frequently Asked Questions
What is Family Educational Rights and Privacy Act (FERPA)?
Family Educational Rights and Privacy Act (FERPA) is a compliance framework from United States with 7 domains and 15 controls. FERPA is the Family Educational Rights and Privacy Act of 1974 (20 USC 1232g) implemented by 34 CFR Part 99 + administered by the US Department of Education Student Privacy Policy Office (SPPO) + Privacy Technical Assistance Center (PTAC). FERPA protects the privacy of student education records held by educational agencies + institutions receiving funds from any program administered by the Secretary of Education + applies to virtually all US K-12 + postsecondary educational institutions. FERPA confers four core rights on parents (transferred to eligible students at age 18 or upon postsecondary enrollment): (a) the right to INSPECT AND REVIEW education records; (b) the right to REQUEST AMENDMENT of records believed to be inaccurate or misleading; (c) the right to CONSENT to disclosures of personally identifiable information (PII) from education records subject to specified exceptions; (d) the right to FILE A COMPLAINT with the Department of Education for FERPA violations. Educational institutions must provide ANNUAL NOTIFICATION of these rights + the criteria for designating school officials with legitimate educational interest. Disclosures without consent are limited to specific exceptions: school officials + other educational institutions for enrolment + financial aid + accrediting organizations + parents of dependent students + court orders + health/safety emergencies + studies for or on behalf of the institution + audit + evaluation by authorised representatives + directory information after public notice. DIRECTORY INFORMATION (typically name + address + phone + email + photograph + dates of attendance + grade level + sport participation + degrees + honors) may be disclosed without consent if the institution provides annual public notice + a reasonable opportunity to opt-out. DATA SECURITY SAFEGUARDS for PII in education records are required under the studies + audit + evaluation exceptions + the SPPO/PTAC Best Practices Guidance. ENFORCEMENT is by the SPPO (within DoE) + may result in loss of federal funding (the sole statutory remedy). FERPA is coordinated with the Children Online Privacy Protection Act (COPPA) + the Protection of Pupil Rights Amendment (PPRA) + state student privacy laws (SOPIPA + Connecticut + New York + California + ~20 other states). FERPA Final Rule revisions: 1988 + 1995 + 2008 + 2011 (audit + evaluation + studies exceptions clarified) + 2011 directory information + 2020 study by SPPO + ongoing 2024-2025 PTAC guidance updates on AI + cloud + edtech vendor agreements + data breach notification standards. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does Family Educational Rights and Privacy Act (FERPA) have?
Family Educational Rights and Privacy Act (FERPA) has 15 controls organised across 7 domains. The largest domains are FERPA: Disclosure Restrictions, Consent and Exceptions (Subpart D) (4 controls), FERPA: Enforcement, Complaints and Coordination (Subpart E) (3 controls), FERPA: Annual Notification, Right to Inspect and Review (Subpart B) (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does Family Educational Rights and Privacy Act (FERPA) map to?
Family Educational Rights and Privacy Act (FERPA) maps to 96 other compliance frameworks. The top mapping partners are Ley Orgánica de Protección de Datos Personales (LOPDP) (53% coverage), Privacy Act 1988 (Australia) (53% coverage), Law No. 172-13 on the Protection of Personal Data (53% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with Family Educational Rights and Privacy Act (FERPA) compliance?
Start your Family Educational Rights and Privacy Act (FERPA) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Family Educational Rights and Privacy Act (FERPA) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 15 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.
Get Started Free →Free forever — no credit card required