FERPA Update
April 23, 2025
Author
In recent weeks, USED has leveraged the Family Educational Rights and Privacy Act (FERPA) as a policy tool to incentivize state compliance with other administration policy priorities. This blog post summarizes two sets of actions: specific communications with Maine and California, related to parent rights to access education records, and a broader ‘Dear Colleague’ letter about FERPA and students’ gender identity.
Before the update, a quick recap (courtesy of our friends at ):
Quick FERPA Recap
- Who has FERPA rights? FERPA gives privacy rights to the parents or guardians of students who are under the age of 18 and enrolled in K-12 education. These rights transfer to the students themselves when they reach the age of 18 or are attending a postsecondary institution.
- What are the rights that FERPA provides? Rights conveyed by FERPA include the rights to:
- Annual notification of the school’s FERPA policy;
- Access the student's PII in educational records;
- Seek to amend and/or correct the student's PII in educational records;
- Confidentiality of the student’s PII in educational records; and
- File a complaint with the U.S. Department of Education for an alleged FERPA violation.
- FERPA also gives the right to consent before student PII in education records is disclosed. However, there are many exceptions to this right, and the vast majority of FERPA-protected information is disclosed through a FERPA exception.
- What data is protected under FERPA? FERPA protects PII in education records. In general, PII is any information about a student that can reasonably be linked back to them. Under FERPA, PII includes both direct identifiers (such as first and last name) and indirect identifiers (such as grade level or year of birth). Vague descriptions like “the freshman student in the yearbook club” can constitute PII under FERPA in the right circumstances, such as when there is only one freshman in the yearbook club. The test for when information is PII under FERPA is if it would allow a reasonable person in the school community to identify a specific student with reasonable certainty. Essentially, if the information can be linked back to an individual fairly easily, it falls under FERPA’s PII definition. To be protected by FERPA, the PII must be located in education records. “Education records” are records that are: 1) directly related to a student; and 2) maintained by an educational agency or institution, or by a party acting for the agency or institution (). This includes a wide variety of formats, regardless of whether information is physically kept in the school filing cabinet or virtually stored in the cloud.
Happening Now
California and Maine: USED launched two statewide FERPA investigations in California and Maine. The investigations primarily relate to parent rights to access education records related to the gender identity of their children. In both letters, it is unclear if any districts denied a parent access to their child’s education records in an effort to follow California’s law or the Maine districts’ policy.
USED issues Dear Colleague Letter about FERPA and students’ gender identity information (Thank you, ): At the end of March, USED’s Student Privacy Policy Office (SPPO) a new (DCL) to state chiefs and district superintendents notifying them of their obligations under FERPA and the Protection of Pupil Rights Amendment (PPRA) in the context of K-12 schools’ policies and practices related to information about students’ gender identity at school. Secretary McMahon’s cover letter to the DCL references “pervasive” “ideological indoctrination” in public schools and points to schools’ approach to parent engagement on these issues as an illustration of educators treating parents as “enemies.” The DCL gives SEAs until April 30 to document their (And their LEAs’) compliance with both FERPA and PPRA. In detailing their compliance, the DCL indicates they should focus particularly on a set of five “priority” concerns, including “[e]nsuring parental rights to inspect and review education records” (especially “gender plans” that the letter says are subject to FERPA) and “[e]nsuring parents receive annual notification of rights” under FERPA. Secretary McMahon’s letter also “reminds” SEAs and LEAs that they are “obligated to abide by FERPA and PPRA if they expect federal funding to continue.”
Next Steps? We are continuing to monitor USED’s engagement on FERPA. Our advocacy team and privacy center counsel met with USED staff to better understand their intent and what it could mean for how they proceed with reclaiming any funding. We are watching closely to see how/when/if USED would exercise its authority to reclaim federal funds via FERPA non-compliance. That process, in and of itself, is pretty clearly established; at the same time, we want to stay ahead of any reclaiming so we can be best positioned to support any districts who should see their funds reclaimed. In the mean time, you can check out this (scroll to FERPA Enforcement) outlining the process USED would have to follow.
