What Is FERPA Compliant EdTech: 2026 Guide & Checklist

What Is FERPA Compliant EdTech: 2026 Guide & Checklist

July 3, 2026

What Is FERPA Compliant EdTech: 2026 Guide & Checklist

what is ferpa compliant edtech

TL;DR

FERPA compliant edtech refers to education technology tools whose data handling practices align with the Family Educational Rights and Privacy Act, the federal law protecting student education records. There is no official FERPA certification, so the term describes a vendor’s self-attested commitment to specific privacy practices. Schools bear legal responsibility for FERPA compliance, making it critical to evaluate any edtech tool’s data agreements, encryption standards, and AI training policies before adoption.

The Definition Every Teacher Needs to Know

The Family Educational Rights and Privacy Act (FERPA) is a 1974 federal law that protects the privacy of student education records. It applies to every school that receives funding from the U.S. Department of Education, which means virtually every public K-12 school in the country.

Under FERPA, parents (and students once they turn 18) have the right to inspect education records, request corrections to inaccurate information, and control who gets access to personally identifiable information.

So what is FERPA compliant edtech? It’s any education technology product whose data practices align with FERPA’s requirements for handling student information. That sounds straightforward, but here’s the catch that trips up most people.

There is no such thing as FERPA certification. No government body audits edtech vendors and stamps them “FERPA approved.” When a company claims to be FERPA compliant, they’re describing their own practices, not reporting the result of an official review. Any vendor that uses the phrase “FERPA certified” is either confused or misleading you.

Learn more about TeachTools’ approach to FERPA and student privacy.

This distinction matters because FERPA’s legal obligations fall on schools, not on the software companies they hire. If a vendor mishandles student data, it’s the school or district that faces consequences. That asymmetry puts the evaluation burden squarely on educators and IT coordinators.

What FERPA Actually Protects

FERPA covers “education records” containing personally identifiable information (PII) about students. The obvious examples include grades, transcripts, disciplinary records, and attendance data. But the definition goes further than most people realize.

FERPA protection extends to indirect identifiers. A birthdate by itself might seem harmless, but combined with a school name and grade level, it could identify a specific student. Unique metadata, device identifiers, or behavioral patterns that could be cross-referenced with public information all fall under FERPA’s umbrella.

Direct identifiers: Names, student ID numbers, Social Security numbers, photos

Indirect identifiers: Birthdates, zip codes, demographic combinations, behavioral data patterns, anything that could identify a student when combined with other available information

Not covered: “Directory information” (name, address, phone number) that a school has publicly designated, though parents can opt out of even this disclosure.

Understanding what counts as PII is the foundation of evaluating whether an edtech tool handles data appropriately. A tool that collects only a teacher’s topic preferences and grade-level selections is in a fundamentally different risk category than one that ingests student names, scores, and learning behavior.

How EdTech Tools Get Access to Student Data

The legal mechanism that makes all edtech possible is FERPA’s “school official” exception. Without it, schools would need written parental consent every time a student logged into Google Workspace, Canvas, or any digital platform.

Under 34 CFR § 99.31(a)(1), a school can share student PII with a third party without parental consent if the third party meets four conditions:

  1. Performs an institutional service or function the school would otherwise provide itself
  2. Has a legitimate educational interest in the education records
  3. Is under the direct control of the school regarding use and maintenance of records
  4. Uses records only for authorized purposes and does not share PII with other parties without consent

That third condition, “direct control,” is where Data Processing Agreements (DPAs) become essential. A DPA is a contract that spells out exactly how a vendor will handle student data, what they can and cannot do with it, and what happens when the relationship ends.

A generic terms-of-service agreement does not satisfy this requirement. The DPA must explicitly reference FERPA and the school official exception. Without a clearly defined data processing agreement, there is no such thing as presumed FERPA compliance. For a deeper look at what these agreements should contain, see this vendor DPA checklist.

This is also why teachers who sign up for free AI tools on their own, without district approval, create a genuine legal problem. The moment a teacher uses a product with students, the school is likely sharing education records with a vendor it has no contractual control over. Privacy consultants have flagged this “free tier trap” repeatedly: the school didn’t sign the contract, but it’s still on the hook.

What to Look For in a FERPA-Supportive EdTech Tool

This is the practical part. When you’re evaluating whether a tool qualifies as FERPA compliant edtech, here’s what to check.

1. A Signed Data Processing Agreement

The DPA should specify the educational purpose for data use, restrict re-disclosure to third parties, include breach notification timelines, and define data retention and deletion terms. Over 2,800 vendors have signed the Student Data Privacy Consortium (SDPC) National DPA, which is free and standardized. It’s a strong trust signal.

2. Data Minimization

Does the tool collect only the data it needs to function? If a worksheet generator asks for student names and ID numbers when all it needs is a topic and grade level, that’s a red flag. Document why each data field exists. If you can’t justify it, don’t collect it.

3. No Training on Student Data

This is the most important criterion for AI-powered tools in 2025 and 2026. If a tool feeds student inputs into a model’s training dataset, that data becomes nearly impossible to remove. More on this in the AI section below.

4. Encryption and Security Controls

FERPA doesn’t specify exact technical requirements the way HIPAA does. It requires “reasonable methods” to protect student data. In practice, the industry standard is AES-256 encryption at rest, TLS 1.2 or higher (ideally TLS 1.3) in transit, role-based access controls, and audit logs.

5. Subprocessor Transparency

Schools hold vendors responsible for their vendors. If an edtech company uses a third-party hosting provider, analytics platform, or support tool that touches student data, those subprocessors need to be listed and bound by the same FERPA obligations.

6. Data Deletion Capability

What happens to student data when a school stops using the tool? FERPA governs the full lifecycle, not just active use. Schools should confirm that data won’t linger in a vendor’s systems indefinitely and that deletion can be verified.

7. Breach Notification Terms

The DPA should define what counts as a breach, how quickly the vendor will notify the school, and what remediation steps follow. Vague language here is a warning sign.

For a more detailed walkthrough, the privacy checklist for AI tools covers these criteria with specific examples.

The vendors who can’t answer these questions clearly, or who won’t sign a DPA, are the ones to avoid regardless of how good their product looks in a demo.

FERPA and AI: The Biggest Shift in Student Privacy

Understanding what is FERPA compliant edtech was already complex before AI entered the picture. Now it’s a different conversation entirely.

Districts accessed an average of 2,982 distinct edtech tools in the 2024-25 school year, and 85% of teachers reported using AI tools during that period. Yet less than half (48%) received any AI training from their district, and only 17% of those trained learned how to monitor AI systems for privacy risks.

That gap between adoption and training is where FERPA violations are most likely to happen.

Consumer AI Is Not FERPA Compliant

ChatGPT Free, Plus, and Pro consumer accounts cannot satisfy the school official exception requirements. They have no written contract restricting data use, no direct-control commitment, and no FERPA-aligned terms. The same applies to consumer versions of Claude, Gemini, and other large language models.

Sending FERPA-protected education records to these tools without prior written parental consent or a properly documented school official designation violates federal law.

What Compliant AI Use Looks Like

There are three paths to using AI in education without violating FERPA:

Contracted enterprise tiers with FERPA-aligned terms, data processing agreements, and explicit commitments not to train on student data.

Redaction at the source so no education record ever leaves the school’s systems. A teacher might use AI to generate a lesson plan or worksheet by entering only the topic and grade level, never inputting student-specific information.

Dedicated edtech platforms built from the ground up with FERPA, COPPA, and state-law-aligned data agreements.

That second approach, building tools that simply don’t require student PII to function, is the cleanest solution. A worksheet generator that takes “fractions, grade 4, medium difficulty” as inputs creates zero FERPA risk because no student data enters the system in the first place.

Read more about how to use AI in the classroom without violating FERPA.

The LA Unified Cautionary Tale

Chalkbeat reported that the Los Angeles Unified School District rolled out “Ed,” an AI-powered assistant for students, which was quickly discontinued after the company behind it went into financial trouble. The abrupt shutdown left parents and advocates without answers about what happened to the student data the platform held. It’s a concrete example of why data deletion terms and subprocessor transparency matter before a tool is adopted, not after it collapses.

Teachers Are Navigating This Alone

A teacher quoted by Chalkbeat captured the tension well: “I don’t put any student information into it, I just use it to perform mundane tasks. As teachers, our biggest resources are time and energy. And we never have enough of them.” That instinct, using AI for content generation rather than student data processing, is actually the right approach. It just needs to be backed by policy and training rather than left to individual judgment.

FERPA vs. COPPA vs. State Privacy Laws

Explore 23+ free AI tools for teachers

Browse All Tools →

FERPA doesn’t exist in isolation. Several overlapping frameworks create a patchwork that schools and vendors need to navigate.

Framework Scope Key Requirement Who It Applies To
FERPA Student education records Consent before disclosure of PII (with exceptions) Schools receiving federal funding
COPPA Children under 13 online Verifiable parental consent before collecting data Websites and apps directed at children
State laws (130+) Varies by state Often stricter than federal law Schools and/or vendors, depending on state
SOC 2 Type II Security controls Independent audit of data handling practices Voluntary, but increasingly expected

COPPA Overlap

If an edtech platform serves students under 13, it likely needs to comply with both FERPA and COPPA. The 2024 COPPA amendments shifted children’s online privacy from an opt-out to an opt-in consent framework, raising the bar significantly. For a full breakdown, see this COPPA compliance guide for AI tools in the classroom.

State Laws Go Further

As of 2024, more than 130 state-level student data privacy laws have been passed across the U.S., many of which impose stricter requirements than FERPA. California’s SOPIPA, New York’s Education Law 2-d, Illinois’s SOPPA, and Colorado’s student data transparency laws are among the most significant. Smart edtech developers build to the strictest state standard, a “highest common denominator” strategy that ensures nationwide scalability.

SOC 2 Type II as Baseline

By 2026, regulatory compliance in edtech is no longer a competitive differentiator. It’s a baseline requirement for participating in the education market. The CoSN 2026 State of EdTech report ranks cybersecurity as the top priority for ed-tech leaders (a position it’s held since 2018), with data privacy at number two and generative AI at number three. Schools and districts increasingly screen out vendors that can’t demonstrate security maturity, most commonly through a SOC 2 audit.

The Architecture That Simplifies Everything

Most FERPA complexity comes from tools that ingest student data: grades, behavior records, attendance, learning analytics. The more student PII a platform touches, the more contractual, technical, and organizational safeguards it needs.

Tools that generate content based on topic, grade, and difficulty inputs rather than student records sidestep the highest-risk FERPA scenarios entirely. A quiz generator that produces a standards-aligned assessment from a subject description doesn’t need to know which students will take it. An AI-powered lesson planner that works from curriculum objectives doesn’t require access to any education records.

This isn’t a workaround. It’s a design philosophy called privacy-by-design, and it’s the most effective way to stay on the right side of FERPA while still getting the time-saving benefits of AI.

Explore TeachTools’ full suite of classroom-ready tools built with this approach.

FERPA Compliance Is Ongoing, Not One-Time

One final point that too many glossary entries skip: FERPA compliance isn’t a box you check once. It’s an ongoing practice of evaluating tools, executing agreements, and verifying that vendors do what they said they’d do. Districts should review DPAs annually, monitor vendor subprocessor changes, and confirm that data deletion requests are actually honored.

With 88% of districts planning to implement AI initiatives in 2025-26, according to CoSN, the volume of vendor evaluations is only going to increase. Having a clear understanding of what FERPA compliant edtech actually means, and what it doesn’t, is the foundation for making those decisions well.

For a broader framework on evaluating tools at the district level, the edtech security questions guide walks through the procurement process step by step.

Frequently Asked Questions

Is there a FERPA certification for edtech tools?

No. There is no government-issued FERPA certification, audit, or seal of approval. When a vendor says they are “FERPA compliant,” they mean their practices align with FERPA requirements, but no federal body has verified that claim. The SDPC National DPA, signed by over 2,800 vendors, is the closest thing to a standardized trust signal.

Can a teacher use an AI tool without school approval?

Technically, a teacher can sign up for any tool. But the moment students are involved, student data may be flowing to a vendor the school has no agreement with, which creates FERPA liability for the school. The safe approach is to get district approval and confirm a DPA is in place before using any tool with students. Read a full breakdown of this question.

What happens if a vendor violates FERPA?

FERPA’s enforcement mechanism targets schools, not vendors. If a school shares student records with a vendor that mishandles them, the school faces potential loss of federal funding (though no institution has ever actually lost funding for a FERPA violation). The real consequences tend to be reputational damage, parent backlash, and state-level enforcement actions under stricter local laws.

Does FERPA apply to AI-generated content?

FERPA applies to education records containing student PII, not to all content a school produces. If a teacher uses an AI tool to generate a generic worksheet about the American Revolution, no education record is involved and FERPA isn’t triggered. If a teacher pastes student names, grades, or behavioral notes into an AI chatbot, that’s a potential FERPA violation because education records are being disclosed to a third party.

What is the SDPC National DPA?

The Student Data Privacy Consortium National Data Privacy Agreement is a standardized, free contract framework that schools and vendors can sign to establish FERPA-aligned data handling terms. It saves both sides from negotiating custom agreements from scratch and provides a recognized baseline for privacy expectations.

How is FERPA different from COPPA?

FERPA protects student education records and applies to schools. COPPA protects children under 13 online and applies to websites and app operators. If an edtech tool serves elementary-age students, both laws likely apply. COPPA’s 2024 amendments now require opt-in parental consent, making it stricter than before on data collection from young children.

Can student data be used to train AI models?

Technically, nothing in FERPA explicitly prohibits it if proper consent or school official terms are in place. Practically, it’s a terrible idea. Once student PII enters a model’s training dataset, removing it is extraordinarily difficult and expensive. The safest edtech vendors commit in writing that they will never use student data or inputs for model training.

What security standards should FERPA-compliant edtech meet?

FERPA requires “reasonable methods” without specifying exact technical standards. The current industry baseline is AES-256 encryption at rest, TLS 1.3 in transit, role-based access control, audit logging, and hosting on SOC 2 Type II certified infrastructure. If a vendor can’t describe their security posture in these terms, ask why.

Free Tool

Explore 23+ free AI tools for teachers

Worksheets, quizzes, lesson plans, rubrics — all free, all private, all built for educators.

Browse All Tools →

Try TeachTools Free

Create worksheets, quizzes, and lesson plans in seconds with AI.

Explore All Tools →

Tools Mentioned in This Article

📝
AI Worksheet Generator
Create differentiated worksheets for any subject and grade level in seconds.
Try it free →
AI Quiz Generator
Build formative assessments with multiple question types — auto-graded and printable.
Try it free →
🧰
All 25 Free AI Tools
Explore every generator — worksheets, quizzes, lesson plans, rubrics, and more.
Try it free →

More from the TeachTools Blog

View all articles →

Try TeachTools Free
Browse Tools →