FERPA

Family Educational Rights and Privacy Act

Key Facts

Effective Date: November 19, 1974
Enacted: August 21, 1974
Enforcing Authority: Family Policy Compliance Office (FPCO), US Department of Education
Consent Model: Opt-in
Applies To: Educational institutions and agencies receiving federal funding from the US Department of Education

Overview

FERPA protects the privacy of student education records at institutions receiving federal funding. Written consent is required before disclosing personally identifiable information from education records. The sole enforcement remedy — withdrawal of all federal education funding — is so severe it has never been imposed.

What This Means for Your Website

  • Written consent from parents or eligible students is required before disclosing education records
  • Directory information may be disclosed but only with prior opt-out notice
  • Rights transfer from parents to students at age 18 or upon postsecondary enrollment
  • No private right of action exists — individuals cannot sue under FERPA
  • Cookie-based tracking that collects education record information requires consent

Key Requirements

The Family Policy Compliance Office (FPCO) enforces FERPA through the US Department of Education. There are no monetary fines — the sole enforcement mechanism is withdrawal of all federal education funding. This nuclear-option penalty has never been imposed, but the threat ensures institutional compliance. Educational institutions must provide annual notification of rights.

How ConsentStack Handles This

ConsentStack supports education websites by managing consent for data collection that may involve education records, ensuring that personally identifiable information is not disclosed without proper authorization.

Penalties

Withdrawal of ALL federal education funding (never imposed in practice). No monetary fines.

Key Requirements

  • Written parental/student consent before disclosing education records
  • Annual notification of rights to parents/eligible students
  • Right to inspect and review education records
  • Right to request amendment of inaccurate records
  • Directory information may be disclosed with opt-out notice

Notable Provisions

  • No private right of action — Supreme Court ruling
  • Sole remedy is loss of all federal education funding — never imposed
  • Rights transfer from parents to students at age 18

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
CCPA (California, United States)
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

Frequently Asked Questions

Does FERPA apply to website cookies?

Indirectly. FERPA applies to personally identifiable information from education records regardless of collection method. Cookies collecting student data at educational institutions may be subject to FERPA.

Can students sue under FERPA?

No. The Supreme Court held there is no private right of action under FERPA. Enforcement is solely through US Department of Education administrative action.

What is the FERPA penalty?

Withdrawal of all federal education funding — so severe it has never been imposed in practice.
