Bringing FERPA Up to Grade

Pete Haas
Associate Editor
Loyola University Chicago School of Law, JD 2025

The Family Educational Rights and Privacy Act (FERPA) was enacted in 1974 to protect the privacy of student education records. While FERPA provides essential privacy safeguards, it also includes provisions that allow certain student information to be shared with third parties, particularly under the guise of “directory information.” With the increasing concerns surrounding personal data in the digital age, many argue that FERPA’s exceptions undermine its original intent. In an era where other U.S. privacy laws are tightening restrictions on the sharing of personal information, FERPA’s provisions are lagging, leaving students vulnerable to privacy breaches that would be impermissible in other contexts.

FERPA requirements regarding third parties and directory information

FERPA grants educational institutions the authority to disclose “directory information” without prior consent from the student or their guardians. This includes seemingly benign details such as a student’s name, address, date of birth, and even participation in extracurricular activities. While this may have been considered harmless in the 1970s, such data can easily be exploited today: it can be aggregated with other publicly available information to build detailed profiles that go well beyond the purpose for which it was originally collected. Furthermore, FERPA’s language allows for the sharing of student records with certain third parties, including government agencies and school officials with “legitimate educational interests.” The vagueness of what constitutes a legitimate interest often leads to an overextension of who can access a student’s personal data.

These third-party provisions pose significant risks, especially when compared to stricter data privacy laws like the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), which have much narrower exceptions for sharing personal data. In many cases, institutions can share student information with third-party vendors that provide services such as cloud storage, educational software, or analytics tools, without explicit consent. This practice of outsourcing functions introduces another layer of risk, as third-party vendors may not be held to the same data protection standards. In contrast, under HIPAA, any sharing of health information with a third party must be carefully regulated, and there are far stricter limits on what constitutes permissible disclosures.

Working around FERPA requirements

Educational institutions have found ways to exploit FERPA’s flexibility, particularly for directory information. Many schools automatically classify students’ details as directory information unless families or students opt out, often without fully understanding the implications. This approach puts the burden on the student to protect their privacy rather than safeguarding it by default. Moreover, the process for opting out can be cumbersome and may only be accomplished through all-or-nothing requests. This structure gives the appearance of complying with privacy standards while still making it easy for institutions to share student data without consent.

Furthermore, many institutions are increasingly outsourcing student services to third-party vendors, such as cloud-based systems and educational apps (e.g., Quizlet, ClassDojo, Google Classroom), under the pretext of legitimate educational interest. While FERPA requires these third parties to adhere to confidentiality agreements, enforcement is weak, and oversight is often nonexistent. These vendors can store vast amounts of student data, and in many cases, they may not be equipped to provide the level of data protection necessary to secure such sensitive information. The line between what is educationally necessary and what is a commercial interest becomes blurred, allowing for student data to be shared with parties who may not have the best interests of students in mind.

FERPA falls short of modern data privacy frameworks

Compared to modern data privacy laws, FERPA falls short in protecting students. For instance, the California Consumer Privacy Act (CCPA) gives individuals much more control over their personal information, including the right to access, delete, and opt out of the sale of their data. FERPA lacks such robust provisions, giving students and their families far less control over what happens to their personal information. Furthermore, data breaches are a growing concern, and FERPA lacks the stringent requirements for breach notifications and protections found in more recent legislation, such as the CCPA or even HIPAA’s breach notification rule. Under FERPA, institutions are not required to notify students in the event of a data breach, leaving them unaware of potential exposure of their personal information.

FERPA’s failure to evolve with modern data privacy trends reflects a broader problem in U.S. data privacy law, where sector-specific laws like FERPA and HIPAA are increasingly outpaced by comprehensive privacy frameworks like those seen in Europe with the General Data Protection Regulation (GDPR). The GDPR emphasizes data minimization, consent, and accountability—principles that FERPA only partially addresses. To bring FERPA up to grade, the law needs to be reformed to better align with the realities of today’s digital landscape. Strengthening consent requirements, limiting third-party access, and adopting breach notification rules would be necessary first steps in bridging the gap between FERPA and the more rigorous privacy protections found elsewhere in U.S. law.

FERPA’s framework may have sufficed in the analog era, but in a world where data is both valuable and vulnerable, it leaves much to be desired. To effectively protect students and their families, the law needs to be modernized to meet the demands of today’s privacy landscape. By doing so, we can ensure that students’ personal information is treated with the same respect and care afforded to data in other sectors.