7 Common FERPA Violations to Avoid

Editor’s note: This article was originally published in October 2024 and updated in March 2026 to reflect the latest U.S. Department of Education FERPA guidance, enforcement activity, and emerging compliance considerations related to AI, cybersecurity, and third-party education technology.

The Family Educational Rights and Privacy Act (FERPA) was designed to ensure that adult students have control over educational records and help protect the privacy of sensitive information.

The primary goal of FERPA is to safeguard the privacy of students by ensuring that education records are handled with care and that unauthorized individuals do not access or misuse personal information. While FERPA’s core requirements remain the same, recent guidance and enforcement activity from the U.S. Department of Education show that institutions should pay closer attention to records access, third-party data sharing, ed-tech vetting, AI-related risks, and secure handling of student information.

FERPA applies to all educational institutions that receive funding from the U.S. Department of Education, including public and private schools, colleges, and universities. Non-compliance with FERPA can result in schools losing federal funding.

Today’s institutions are navigating:

• AI Powered tools
• Expanding ed-tech ecosystems
• Increased cybersecurity threats
• More third-party data sharing than ever before

That means the same FERPA rules now apply in more complex, higher-risk environments.

In partnership with CampusGuard, we’ve compiled a list of seven common FERPA violations and how to avoid them.

1. Unauthorized Disclosure of Student Information
   • Where This Happens Today:
     • Sharing student data in third-party vendors or platforms without proper agreements
     • Uploading student lists into tools not vetted for FERPA compliance
     • Participating in external studies or partnerships without reviewing data-sharing terms
     • 2026 Update: Institutions are increasingly working with analytics tools, engagement platforms, and AI systems. If those tools access student data, they must meet FERPA requirements.
   • How to Avoid: Ensure that any disclosure of student information is only made to authorized individuals (e.g., teachers, administrators) and that they have a legitimate need to know. Obtain written consent from students or parents before sharing information with third parties.
2. Improper Posting of Student Grades or Personal Information
   • Where This Happens Today:
     • Screensharing during Zoom or Teams meetings
     • Posting screenshots in internal chats (Slack, Teams)
     • Displaying dashboards in classrooms or offices
     • 2026 Update: Even internal tools can become public if screens are shared or messages are forwarded.
   • How to Avoid: Use a system that conceals student information, such as a code known only to the student, when posting grades. Avoid sharing any personally identifiable information (PII) in public forums.
3. Leaving Student Records Unsecured
   • Where This Happens Today:
     • Open laptops in shared spaces
     • Unsecured cloud folders
     • Weak password practices
     • Shared logins across teams
     • 2026 Update: Cybersecurity is now a FERPA issue, not just an IT issue. Data breaches can expose student records and trigger compliance risks.
   • How to Avoid: Store student records in secure, locked locations (physical files) or use password-protected systems for digital records. Consider implementing–and enforcing—so-called Clean Desk and Clean Screen policies that prohibit staff and faculty from leaving sensitive information unsupervised and in plain sight. Regularly audit and update security protocols.
4. Inappropriate Use of Email or Other Communication Channels
   • Where This Happens Today:
     • Emailing spreadsheets with student data
     • Sending PII through text messages or chat apps
     • Using AI tools to summarize or process student information
     • 2026 Update: AI note-taking tools, email assistants, and chatbots may store or process student data externally.
   • How to Avoid: Ensure that communications about sensitive information are conducted through secure, FERPA-compliant channels.
5. Failure to Provide Access to Student Records
   • Where This Happens Today:
     • Lack of clear internal processes
     • Delayed responses between departments
     • Confusion over what qualified as an education record
     • 2026 Update: Recent enforcement activity shows this is still a common issue. Students have the right to access their records and institutions must be prepared to respond.
   • How to Avoid: Establish clear procedures for handling requests for records and ensure they are processed promptly. Staff should be trained on students’ and parents’ rights under FERPA.
6. Incorrectly Handling Directory Information
   • Where This Happens Today:
     • Assuming all student data qualifies as directory information
     • Failing to honor student opt-outs
     • Not clearly defining directory information categories
     • 2026 Update: With more systems and integrations, directory information can spread across platforms quickly.
   • How to Avoid: Maintain an updated list of students who have opted out and ensure all staff are aware of these preferences. Only share directory information following established policies and opt-out requests.
7. Improper Disposal of Student Records
   • Where This Happens Today:
     • Old files left in shared drives
     • Exported reports saved locally
     • Data retained in third-party platforms
     • Improper disposal of devices
     • 2026 Update: Data doesn’t just live in filing cabinets anymore. It exists across cloud systems, backups, and vendor platforms.
   • How to Avoid: Implement a secure disposal process for student records, such as shredding paper documents and securely deleting electronic files. Be especially careful when disposing of storage devices (hard drives, thumb drives, etc.). Consider physically destroying components that contain (or ever contained) sensitive information.

To protect sensitive data and ensure FERPA compliance, CampusGuard recommends these general guidelines to help you remain compliant.

While FERPA itself hasn’t changed, these areas are driving new compliance risks:

• AI and Student Data: AI tools can process, store, or learn from student information. Institutions must understand where the data is going, who has access and the duration that information is being retained.
• Third-Party Platforms: From payment systems to learning tools, vendors are deeply embedded in campus operations. Every integration is a potential compliance risk and needs to have an audit trail.
• Cybersecurity and Data Breaches: A data breach involving higher education student records isn’t just an IT issue, it’s a FERPA concern with reputational and regulatory impact.
• Data Sharing for Research or Engagement: Partnerships and studies using student data require careful review to ensure compliance.

General Tips for Avoiding FERPA Violations

• Training and Awareness: Regularly train all staff on FERPA regulations, emphasizing the importance of maintaining student privacy. Learn more about CampusGuard’s FERPA online course, updated annually to meet ongoing compliance requirements.
• Regular Assessments: Partner with CampusGuard to conduct a FERPA assessment to determine any gaps in your organization’s operational policies and practices to ensure compliance with FERPA.
• Clear Policies: Develop and enforce clear policies regarding the handling, sharing, and disposal of student information.
• Use Technology Wisely: Ensure that all electronic systems used to store and transmit student data are secure and FERPA-compliant.
• Monitor Access: Restrict access to student records to those with a legitimate educational interest and monitor who accesses these records.
• Record Retention: Create, publish, and enforce a Record Retention policy that describes how long the organization retains different types of data.

Annual FERPA Compliance Checklist

Use this quick checklist to stay on track with FERPA:

• Review annual notification language
• Confirm directory-information categories
• Recheck opt-out workflows
• Retrain staff
• Audit who has access to records
• Review third-party/vendor agreements
• Test incident-response procedures

Understanding and adhering to FERPA guidelines can significantly reduce the risk of violations, protecting your organization and students’ privacy rights.

For more information on FERPA, our partner CampusGuard offers a FERPA course that covers laws governing the acceptable use and release of student records, discusses individual staff and faculty responsibilities, provides guidance on how to protect students’ right to privacy, and explains the potential consequences of non-compliance.