🛡️ STATUS BADGE: 🟢 ELIGIBLE (Self-Hosted)
Executive Summary: What is it?
The Family Educational Rights and Privacy Act (FERPA) is a US federal law that protects the privacy of student education records. It applies to all educational institutions that receive federal funding — effectively all US public K-12 schools and universities. FERPA grants parents and eligible students the right to inspect, amend, and control the disclosure of education records, placing a strict legal obligation on any software system that stores or transmits that data.
CFO / Business Impact: What does it cost/risk?
- EdTech Market Access: Non-eligible tools are barred from deployment in any US federally funded educational institution — a market covering 130,000+ K-12 schools and 6,000+ colleges.
- Liability Exposure: Unauthorized disclosure of student records (grades, disciplinary history, financial aid data) can trigger federal funding loss and civil liability for the deploying institution, not just the vendor.
Technical Reality: How does it work?
- Data Minimization: Collect and retain only the minimum student data necessary for the defined educational purpose. Broad telemetry collection is a common FERPA violation vector.
- RBAC — "Legitimate Educational Interest": Access controls must strictly limit student record visibility to authorized school officials with a documented, legitimate educational interest. Role-based access is mandatory.
- Third-Party Disclosure Logging: Any data sharing with third parties (integrations, analytics, AI features) must be logged and, in most cases, requires explicit written consent from the parent or eligible student.
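
The three controls above can be enforced at one choke point in front of the record store. The sketch below is an added example, not code from any product or from the page's source; the role names, field names, identifiers and recipients are hypothetical, and it assumes the case where written consent is required for every third-party recipient.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role-to-field map: each role sees only the fields it needs.
ROLE_FIELDS = {
    "teacher": {"grades"},
    "counselor": {"grades", "disciplinary_history"},
    "financial_aid_officer": {"financial_aid"},
}

@dataclass
class RecordGate:
    interests: set = field(default_factory=set)  # (official_id, student_id) with a documented interest
    consents: set = field(default_factory=set)   # (student_id, recipient) with written consent on file
    audit_log: list = field(default_factory=list)

    def _log(self, event, allowed, **details):
        # Log identifiers and field names only, never record values.
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "event": event, "allowed": allowed, **details}
        self.audit_log.append(json.dumps(entry, sort_keys=True))

    def read(self, official_id, role, student_id, record):
        """Return the role's permitted fields, or None without a documented interest."""
        if (official_id, student_id) not in self.interests:
            self._log("read", False, official=official_id, student=student_id)
            return None
        visible = {k: v for k, v in record.items() if k in ROLE_FIELDS.get(role, set())}
        self._log("read", True, official=official_id, student=student_id,
                  fields=sorted(visible))
        return visible

    def disclose(self, student_id, recipient, fields, record):
        """Third-party disclosure: every attempt is logged; data leaves only with consent."""
        allowed = (student_id, recipient) in self.consents
        self._log("disclosure", allowed, student=student_id,
                  recipient=recipient, fields=sorted(fields))
        return {k: record[k] for k in fields if k in record} if allowed else None

# Constructed sample record and identifiers.
RECORD = {"grades": {"math": "B+"}, "disciplinary_history": [], "financial_aid": {"award": 1200}}

def demo():
    gate = RecordGate(interests={("t-17", "s-001")}, consents={("s-001", "tutoring-app")})
    return (gate.read("t-17", "teacher", "s-001", RECORD),       # grades only
            gate.read("t-99", "teacher", "s-001", RECORD),       # no documented interest
            gate.disclose("s-001", "analytics-vendor", ["grades"], RECORD),  # no consent
            gate.disclose("s-001", "tutoring-app", ["grades"], RECORD),
            gate.audit_log)
```

Denied attempts are logged alongside granted ones, so the audit trail shows who tried to reach a record as well as who did.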