Quick Hits
- FERPA is a federal law that sets out a number of requirements educational institutions that receive federal funding must meet for the protection of student educational records.
- A recent Executive Order diminishes the federal government’s power to enforce FERPA, heightening concerns that EdTech vendors could use student education data in prohibited ways.
- However, vendors would do so at their own risk, as the legal landscape surrounding student education records requires compliance with more than just FERPA.
What Is FERPA?
FERPA requires educational institutions that receive federal funding to protect student educational records. FERPA applies to all public and private K-12 schools, as well as post-secondary educational institutions, that receive federal funding. Specifically, FERPA requires such educational institutions to: (i) obtain consent prior to releasing education records, (ii) permit parents and eligible students to access and correct their records, (iii) provide annual notice of rights, (iv) maintain reasonable measures to keep education records secure, and more.
While FERPA does not apply directly to EdTech companies, vendors are typically required by their contracts with individual educational institutions to comply fully with FERPA’s obligations and restrictions. FERPA does not contain a private right of action. Instead, aggrieved parents and eligible students can file complaints with the U.S. Department of Education, which investigates and enforces alleged violations. If the Department finds a FERPA violation, the relevant educational institution can be disciplined, up to and including the loss of federal funding.
A Student Data Gold Mine …
The Department has long been criticized for failing to adequately enforce FERPA. As of 2025, the Department has never imposed a financial penalty on an institution for violating FERPA, instead working with violators to achieve voluntary, monitored compliance. Many have expressed concerns that abolishing or substantially changing the structure of the Department could further erode the likelihood of strong FERPA enforcement at the federal level.
The prospect of a “Wild West” environment in the absence of the Department of Education may have schools and EdTech vendors salivating at the prospect of buying, selling, sharing, using, or otherwise processing the data of the millions of students (and former students) in the United States. Student data is a treasure trove. According to a report issued by the International Trade Administration in 2020, the EdTech market was estimated to be worth $89.49 billion, and it is projected to grow at a compound annual growth rate of 19.9 percent until 2028.
A FERPA exception already permits school officials to disclose education records to EdTech vendors if the vendor has a legitimate educational interest, the vendor is subject to the school’s supervision, and the school contractually prohibits the vendor from further disclosure. However, a federal enforcement vacuum may encourage such vendors to think they can ignore the FERPA obligations to which they have agreed when processing student data. It may also encourage third parties, contractors, consultants, and other organizations that do not fit within this exception to think they can bypass FERPA entirely.
… or a Regulatory Minefield?
Despite the potential decrease in enforcement at the federal level, (1) the existence of other FERPA regulators, (2) bipartisan interest in reform, and (3) uncertainty regarding the extent of the Department’s closure cut against any argument that FERPA compliance will be less important in the coming days.
First, FERPA does not preempt state or local laws. The Executive Order even emphasizes returning “authority over education to the States and local communities.” Nearly all states have enacted at least one state-level student privacy law that supplements FERPA with additional privacy safeguards. These will persist regardless of what happens federally. In California, for example, the Student Online Personal Information Protection Act prohibits the use of student data for targeted advertising. Many states, like Illinois, have transposed FERPA into state statutes. Other states, like Virginia, incorporate FERPA by reference, essentially making compliance a state requirement as well as a federal requirement. Keeping aware of state-level obligations is of paramount importance for both educational institutions and EdTech providers, especially because in some states, like Wyoming, civil actions for damages may be permitted under public records laws if parents or students are knowingly or intentionally denied the right to inspect public school records.
Moreover, there appears to be a strong bipartisan interest in FERPA reform, with commentators associated with the current administration indicating that they support amending FERPA to facilitate enforcement in the Department’s absence. These commentators have taken the position that “[r]ather than preserving a failing federal system, a potential reorganization of the Department of Education presents a critical opportunity to … protect student data[.]” Some interested parties have proposed a private right of action for FERPA violations, while others want to explore other avenues to fill in regulatory gaps in student privacy, including by transferring many of the Department of Education’s responsibilities to other agencies.
Finally, the true extent to which the Department will be shuttered remains to be seen, as full closure may require an act of Congress. And, it is vital to remember that FERPA is a federal law, not a Department of Education regulation. Therefore, even if the Department were to close entirely, that would not make FERPA liability vanish forever. FERPA would remain in effect, and a future administration may reinitiate enforcement.
Next Steps
Despite the potential closure of the Department of Education, schools and EdTech vendors that ignore FERPA’s obligations regarding student data nevertheless face a number of continued risks. The Department has traditionally pursued only patterns of noncompliance and egregious violations, and ignoring FERPA over the next three and a half years could be construed as just that. Moreover, for EdTech vendors, FERPA noncompliance could give rise to breach of contract claims, while enforcement by other regulators may cause the school with which the EdTech vendor is working to lose funding—and, by extension, risk the vendor missing payday. Businesses operating in the education space may want to remain mindful of the full breadth of their obligations and act accordingly, even as changes take place within the federal education (and EdTech) landscape.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group and Higher Education Practice Group will continue to monitor developments and will provide updates on the Cybersecurity and Privacy and Higher Education blogs as additional information becomes available.