For decades, FERPA, the Family Educational Rights and Privacy Act, has served as the cornerstone of student data privacy in the United States. Originally designed to protect paper records and filing cabinets, the law now must contend with a very different reality: cloud-based platforms, machine learning algorithms, and a sprawling ecosystem of ed-tech vendors that schools rely on every single day.
The numbers are staggering. Educational institutions face an average of 2,507 cyberattack attempts per week, and breaches have impacted over 1.8 million students across the U.S. since 2020. Yet FERPA, largely unchanged in its core framework, still lacks explicit cybersecurity and AI governance requirements.
That gap is growing more dangerous by the day.
FERPA Compliance Blind Spots
As artificial intelligence becomes embedded in tools used for everything from attendance tracking to personalized learning, schools and their vendors are navigating a compliance landscape that is simultaneously high-stakes and unclear.
Most schools use the “school official” exception that allows them to share student data with vendors without parental consent, but only if those vendors have a “legitimate educational interest” and are under the school’s direct control. As AI vendors become more autonomous and their data practices more opaque, that “direct control” standard becomes harder to meet.
Another problem is that many vendor contracts are negotiated without adequate attention to FERPA requirements. Schools may sign agreements that allow vendors to:
- Use student data to improve their own AI models
- Share anonymized (but potentially re-identifiable) data with third parties
- Retain student records long after a contract ends
- Process data in ways not disclosed in their privacy policies
This is not hypothetical. Experts have repeatedly warned that vendor ecosystems represent one of the most significant FERPA blind spots in education today.
Complicating matters further is the growing patchwork of state-level student privacy laws that overlap with, and in some cases go beyond, FERPA’s requirements.
California’s Student Online Personal Information Protection Act (SOPIPA), for example, prohibits vendors from using student data for targeted advertising and limits how data can be used outside the educational context. Illinois’ Student Online Personal Protection Act (SOPPA) requires breach notification within 72 hours and mandates opt-in consent for certain data uses.
Schools operating in multiple states, or using vendors that operate nationally, must navigate these frameworks simultaneously. A contract clause that satisfies FERPA may still violate state law. An AI tool that’s FERPA-compliant in one state may be illegal in another.
Simply put, FERPA compliance now intersects with AI governance, ed-tech vendor liability, and state-specific privacy laws. As such, schools and ed-tech vendors are expected to implement strict contract clauses that address data ownership and retention, usage limitations, and AI transparency requirements. Without these clauses, schools are flying blind, and students are exposed.
Best Practices for Schools
Here are six strategic habits every school should build into their compliance culture, from vendor audits to AI transparency requirements.
- Audit Your Vendor Ecosystem
Conduct a full inventory of every ed-tech tool your institution uses. For each one, identify what student data is collected, how it is processed, whether it is used to train AI models, and who has access. This audit is not a one-time exercise; it should happen annually.
- Strengthen Vendor Contracts
Every agreement with an ed-tech vendor should include explicit FERPA compliance language. Key clauses to require include data ownership (the school owns the data, always), usage limitations (data may only be used to provide the contracted service), AI transparency (vendors must disclose whether and how student data is used in AI training), and data deletion upon contract termination.
- Designate Data Governance Leadership
Someone at your institution, whether a Chief Privacy Officer, Data Steward, or designated administrator, should own FERPA compliance as a formal responsibility. This person should be involved in every vendor procurement decision that touches student data.
- Train Staff Regularly
FERPA violations often happen unintentionally. Common examples include sharing recommendation letters without authorization, sending confidential emails to the wrong recipient, and granting vendors access to student records without proper documentation. Ongoing FERPA training is essential to keep staff informed of best practices for avoiding violations and of changes in requirements.
- Monitor for State Law Changes
Student privacy legislation is evolving rapidly at the state level. Establish a process to track changes in your state and in states where your vendors operate. Legal counsel with education privacy expertise is a worthwhile investment.
- Require AI Transparency from Vendors
Before adopting any AI-powered tool, ask vendors directly: Does this tool use student data to train its models? If so, is that data anonymized? Can we opt out? Where is data stored and processed? Vendors who cannot or will not answer these questions clearly should be disqualified from consideration.
Actionable Steps to Take Now
Use this week-by-week, quarter-by-quarter roadmap that turns FERPA compliance from a concept into a concrete, measurable plan.
This week:
- Pull a list of every ed-tech tool your school or district is currently using.
- Review at least one vendor contract for FERPA compliance language. Look specifically for data ownership, usage limitations, and data deletion clauses.
This month:
- Schedule a FERPA training session for all staff who handle student records.
- Identify who in your organization is responsible for data governance. If no one is, make it a priority to assign one.
- Send a data practices questionnaire to your top five highest-risk vendors (those with the most student data access).
This quarter:
- Develop or update a formal vendor data agreement template that includes AI-specific language.
- Conduct a full inventory of student data flows across your organization.
- Consult with legal counsel to assess your exposure under both FERPA and applicable state privacy laws.
- Establish a process for reviewing new ed-tech tools before adoption, not after.
This year:
- Build a FERPA compliance calendar that includes annual vendor audits, staff training refreshers, and policy reviews.
- Engage your state education agency to understand what compliance documentation they require and whether your institution is current.
- Advocate internally and with peer institutions for clearer federal guidance on FERPA and AI.
Final Thoughts
FERPA remains one of the most important protections in American education. But the law was written before cloud computing, before machine learning, and before the age of ed-tech platforms that touch nearly every aspect of a student’s school experience.
The good news is that the intent behind FERPA is still achievable, but it requires intentionality. Schools that treat FERPA as a checkbox exercise are increasingly exposed. Those that build real data governance infrastructure, negotiate vendor contracts carefully, and stay ahead of the evolving legal landscape are far better positioned to protect their students and avoid costly violations.
The stakes are high. FERPA violations can result in loss of federal funding, reputational damage, and, most importantly, real harm to real students whose private information is mishandled.
Experts are urging lawmakers to modernize FERPA with explicit vendor security obligations and AI-specific requirements. Until that happens, schools cannot wait for the law to catch up. The responsibility falls on administrators, technology leaders, and legal counsel to fill the gaps that Congress has not yet addressed.
Student data is not a resource to be mined. It is a trust to be honored. Treat it accordingly.
CampusGuard helps institutions achieve and maintain FERPA compliance through comprehensive FERPA assessments and FERPA training. Contact us to learn more, request a demo, and get started!