10 Common FERPA Violation Examples and How to Avoid Them

Key Takeaways

• FERPA violations are most often unintentional and caused by process gaps.
• Digital platforms, AI tools, and third-party vendors are the fastest-growing sources of FERPA risk.
• The Department of Education has never revoked federal funding for a FERPA violation, but corrective actions, state-level lawsuits, and reputational damage are real consequences.
• Prevention depends on retention policies, role-based access, staff training, and compliant technology, not just awareness.

Introduction

Most FERPA violations aren’t deliberate. They happen when a teacher replies to all with a grade report attached, when an administrator emails a transcript to the wrong address, or when a school publishes an honor roll list without checking opt-out records.

These are exactly the kinds of FERPA violation examples that show up in audits and parent complaints, and they’re almost always small process failures rather than conscious decisions.

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records in the United States, and any institution receiving federal funding is required to comply. But the gap between knowing the law exists and consistently following it in daily operations is where violations occur.

In this article, we’ll explore:

• The basics of FERPA
• 10 FERPA violation examples
• Potential consequences of these breaches
• 5 steps to avoid them

And if you’re here just for a quick list of FERPA violation examples, here are the 10 most common ones:

• Unauthorized disclosure of grades
• Letters of recommendation containing PII
• Group emails to multiple recipients
• Discussing a student’s information publicly
• Explaining a student’s absence without consent
• Mishandling records on digital platforms
• Improper release of directory information
• Leaving student records unsecured
• Failure to provide access to student records
• Improper disposal of records

What Is FERPA?

FERPA is a federal law that protects student education records and grants rights to parents and eligible students (those 18 or older, or attending postsecondary institutions).

FERPA applies to all educational institutions receiving U.S. Department of Education funding. This includes public K-12 schools, school districts, community colleges, and state-funded universities.

Private schools and universities are generally exempt from FERPA unless they receive federal funding. For example, many Ivy League universities must comply with FERPA because they participate in federal financial aid programs like Pell Grants or federal student loans.

Such institutions also may still adhere to other privacy laws or internal policies designed to protect student records.

Key rights under FERPA include:

• The right to access and review education records
• The right to request corrections of inaccuracies
• The right to consent before the disclosure of personally identifiable information (PII), with certain exceptions

FERPA’s core purpose is straightforward: to protect student data privacy and give parents and eligible students control over their personal information. Violations occur when these rights are disregarded, often unintentionally, resulting in unauthorized disclosure of student information.

The reason for this is that FERPA contains ambiguous definitions, multiple exceptions, and broad interpretations of key terms like “personally identifiable information” and “legitimate educational interest.”

This complexity, combined with the increasing reliance on digital tools and third-party vendors, creates confusion and increases the likelihood of unintentional violations.

What Student Records Are Protected Under FERPA?

FERPA protects education records, that is, any records directly related to a student and maintained by an educational institution or a party acting on its behalf. These records can exist in any format, including paper, digital, audio, or video.

Examples of protected student records include:

• Academic information — Grades, test scores, transcripts, class schedules, and enrollment status
• Disciplinary records — Documentation of behavioral issues, suspensions, or expulsions
• Health and counseling records — Records maintained by the school nurse, counselor, or mental health services, unless governed by other laws like HIPAA
• Financial records — Information related to scholarships, loans, and other forms of financial assistance
• Contact information — Names, addresses, phone numbers, and email addresses
• Other Personally Identifiable Information (PII) — Social Security numbers, student ID numbers, and biometric data such as fingerprints or facial recognition records

FERPA also protects “indirect identifiers” that could be combined with other data to identify a student. These include birthdates, places of birth, or the mother’s maiden name.

Schools must ensure that these records are kept secure and not disclosed without appropriate consent. There are exceptions permitted by law in specific situations, such as emergencies or compliance with subpoenas.

What Student Records Are Not Protected Under FERPA?

Records that are not protected under FERPA include records that fall outside the definition of “education records” or are covered by other laws.

Below are the main categories of records that FERPA does not protect:

• Personal notes (sole possession records) — Notes kept solely by the creator as a memory aid, like a teacher’s classroom observations or a counselor’s private reference notes. They lose this protection the moment they’re shared or added to a student’s file.
• Law enforcement unit records — Incident reports and surveillance footage created and maintained by campus police or security for law enforcement purposes. They become FERPA-protected if shared with school administrators or added to a student’s education file.
• Employment records — Job performance evaluations, payroll information, and similar records for school employees who aren’t also students. Records for student workers (e.g., work-study participants) remain FERPA-protected.
• Medical records governed by HIPAA — Records from external healthcare providers or care received outside the school. Health records created by school personnel, like a school nurse’s notes, are still FERPA-protected.
• Alumni records — Records about post-enrollment activities, like fundraising or career achievements. Records created while the student was enrolled remain protected.
• Aggregate or de-identified data — Reports on overall school performance or anonymous survey responses, provided the de-identification is thorough enough to prevent re-identification of individual students.

How FERPA Overlaps with HIPAA and State Privacy Laws

Because the line between FERPA and HIPAA is one of the most common points of confusion in K-12 and higher education, here’s how the two laws compare side by side, along with the state privacy laws schools often need to consider.

State laws vary, so institutions should consult counsel for jurisdiction-specific requirements. With the scope of FERPA established, here’s what the law actually requires institutions to do.

What Are FERPA Compliance Requirements?

FERPA compliance requirements center on two main principles:

• Student and parent rights — Granting students (and their parents, in most cases) the right to access, review, and request amendments to their education records
• Privacy of records — Protecting the privacy of personally identifiable information (PII) within those records and controlling its disclosure

Here are the key compliance requirements:

Annual notification of rights

Educational institutions must annually inform students and their parents of their rights under FERPA. This notification must be provided through accessible channels like student handbooks, websites, or emails.

Right to access and review records

• Access — Parents or eligible students have the right to inspect and review the student’s education records.
• Timeline — Schools must comply with a request for access within a “reasonable time,” not to exceed 45 days.
• Copies — Schools aren’t required to provide copies of records unless it is impossible for the parent or eligible student to review the originals (e.g., they live far away).

Right to request amendment of records

• Process — If a parent or eligible student believes an education record is inaccurate, misleading, or in violation of their privacy rights, they can request that the school amend the record.
• Formal hearing — If the school decides not to amend the record, the parent or eligible student has the right to a formal hearing to challenge the decision. If the school still doesn’t change the record after the hearing, they have the right to add a statement to the record explaining their viewpoint.

Consent for disclosure

General rule — Schools must obtain a parent’s or eligible student’s written consent before releasing any personally identifiable information from their education record.

The written consent must:

• Specify the records to be disclosed
• State the purpose of the disclosure
• Identify the party or class of parties to whom the disclosure can be made

There are several exceptions to the consent rule, meaning that FERPA allows for the disclosure of education records without consent in certain circumstances, including:

• School officials with “legitimate educational interest.” This refers to internal staff who need access to the records to perform their professional duties.
• Other schools where a student is transferring or seeking to enroll
• Financial aid officials, when determining eligibility or the conditions of aid
• Health and safety emergencies
• Organizations conducting studies on behalf of the school
• Accrediting organizations
• Compliance with a judicial order or lawfully issued subpoena

“Legitimate educational interest” means a school official needs access to a student’s record to perform their job duties. Each institution must define this term in its annual FERPA notification and explain when a school official qualifies for access.

Directory information

Schools can designate certain information as “directory information” and disclose it without consent. This typically includes a student’s name, address, telephone number, email, date and place of birth, major, dates of attendance, and degrees and awards received.

A key requirement is that schools must inform students and parents about what information is considered “directory information.” They must also provide students with an opportunity to “opt out” and prevent the release of their information.

Staff training and policies

Institutions need to run regular FERPA training for any faculty or staff who handle student records. They also need clear, accessible policies and procedures that cover recordkeeping, data security, and breach response.

Data security

FERPA does not specify particular technological requirements, but institutions are responsible for implementing robust security measures to protect student data, including:

• Secure storage for both electronic and physical records
• Encryption for data at rest and in transit
• Access controls and role-based access restrictions to limit who can view sensitive information
• Incident response plans to handle potential data breaches

Why FERPA Violations Are Hard to Avoid

A key challenge is determining what counts as PII and when it can be shared without consent. FERPA defines PII broadly, including names, student IDs, and “other information that, alone or in combination, is linkable to a student.” This vague language creates confusion and increases the risk of errors.

The law also includes numerous exceptions that allow PII to be disclosed without consent. Among them are the “directory information” rule, health or safety emergencies, and disclosures for legitimate educational interests.

The directory information exception, for instance, varies by institution, and improperly managing opt-outs can result in violations.

Similarly, vague definitions of “legitimate educational interest” make it difficult to determine who should have access to student records and under what circumstances.

Digital learning tools, third-party vendors, and cloud add another layer of risk: many aren’t built with FERPA compliance in mind.

Schools also need to safeguard against cybersecurity threats and data breaches, which can expose PII and violate privacy laws.

Limited resources, insufficient staff training, and overlapping legal requirements only make the problem worse.

10 Common FERPA Violation Examples

Below are some of the most common scenarios where FERPA violations occur.

Unauthorized disclosure of grades

Posting grades publicly with identifiable information or sharing them with unauthorized individuals counts as a FERPA violation. Any disclosure of a student’s grades without consent breaks the law.

For example, this can happen when a professor posts a list of student grades on a bulletin board using names or ID numbers. Even partial identifiers that can be linked to specific students constitute a violation.

💡 Prevention tip: Use password-protected systems to share grades securely and ensure that only the student can access their information.

Letters of recommendation containing PII

Letters of recommendation are routine in education, but they’re also a surprisingly common source of FERPA violations. The issue isn’t the letter itself, but including protected information like grades, GPA, or class rank without the student’s written consent is.

Even a well-intentioned letter that mentions a student’s GPA or class rank to help them get into college counts as a FERPA violation if there’s no consent on file. GPA is part of the education record, and any disclosure to a third party requires written authorization first.

💡 Prevention tip: Before writing a letter of recommendation, get the student’s written consent to include any education record details and keep the consent on file.

Group emails to multiple recipients

Group emails are one of the easiest ways to trigger a FERPA violation. Student email addresses are protected contact information, and putting them in the To or CC field exposes them to every other recipient on the message.

It usually happens with routine communications: a teacher sending an assignment reminder, a coach updating the team on practice times, or an administrator notifying parents about an event. The intent is harmless, but the disclosure is real.

💡 Prevention tip: Always use the BCC field for group emails to prevent recipients from seeing each other’s email addresses.

Discussing a student’s information publicly

Conversations about a student’s performance, behavior, or personal circumstances can lead to a FERPA violation when they happen in public spaces. The setting matters as much as the content.

A teacher discussing a student’s failing grades or disciplinary issues in the teacher’s lounge or a hallway, where others might overhear, has technically disclosed protected information to unauthorized individuals. Intent doesn’t change the outcome: the student’s privacy has still been compromised.

💡 Prevention tip: Keep discussions about student records private and limit them to authorized personnel who have a legitimate educational interest.

Explaining a student’s absence without consent

Sharing the reason for a student’s absence, especially if it involves medical or personal details, is a violation unless the parent or eligible student has provided consent.

For example, an administrator who tells another parent that a student is absent due to a family emergency or medical condition violates FERPA without explicit consent. Similarly, a coach who explains that a player is benched due to grades or discipline has disclosed protected information without authorization — a FERPA violation, regardless of intent.

💡 Prevention tip: Don’t discuss the reasons for a student’s absence unless you’re authorized to do so. Instead, use neutral language like “The student is unavailable.”

Mishandling records on digital platforms

Digital tools have made student record management more efficient, but they’ve also created new ways for FERPA violations to happen. Emailing sensitive information without encryption, misconfiguring access permissions, or using collaboration platforms without proper controls can all lead to unauthorized disclosure.

A few common scenarios:

• An administrator emails a student’s transcript to the wrong address.
• A teacher screen-shares during a virtual class while another student’s grades sit open in a browser tab.
• Records are stored in a shared cloud folder with overly broad access permissions.
• A counselor discusses a disciplinary issue in a Teams channel accessible to staff without a legitimate educational interest.

Each of these is a FERPA violation, regardless of intent.

💡 Prevention tip: Adopt secure email systems, verify recipient details, and use encryption when transmitting sensitive student records electronically.

Improper release of directory information

FERPA allows schools to disclose “directory information” (e.g., name, address, phone number, honors) without prior consent if parents and students are given a chance to opt out. Violations occur when opt-outs are not honored or the information is improperly shared.

If a school publishes a list of students who made the honor roll, including those who opted out of directory information sharing, it’s a clear FERPA violation.

💡 Prevention tip: Maintain a current record of opt-outs and cross-check before disclosing any directory information.

Leaving student records unsecured

A folder of student grades left on a teacher’s desk during lunch, or an unlocked computer with a student information system still open, can expose protected information just as easily as a misdirected email.

Both scenarios make student records accessible to people who have no legitimate educational interest in seeing them, and both qualify as FERPA violation examples, even if no one actually looked.

💡 Prevention tip: Always store physical records in locked cabinets and password-protect digital files. Use secure logins for computers and file management systems.

Failure to provide access to student records

As already mentioned, FERPA grants parents and eligible students the right to access and review education records. Refusing or failing to provide access within a reasonable timeframe is a violation.

For example, delaying or denying a parent’s request for their child’s records without a valid reason violates FERPA’s 45-day timeline.

💡 Prevention tip: Establish clear procedures for handling requests for education records and ensure compliance with the required timeline.

Improper disposal of records

How records are disposed of matters as much as how they’re stored. Records containing PII that aren’t destroyed securely can be retrieved, viewed, or copied by unauthorized individuals, which qualifies as a FERPA breach.

The most common example is throwing grade sheets, disciplinary records, or printed student documents in a regular trash or recycling bin instead of shredding them. The same applies to digital records that are deleted from a folder but remain recoverable on a hard drive or backup system.

💡 Prevention tip: Use shredding services or secure digital data destruction methods for proper disposal of student records.

Emerging FERPA Risk Areas

FERPA risk is no longer limited to paper files, report cards, or hallway conversations. The newest FERPA violation examples involve AI tools, cloud platforms, and third-party services, where weak governance can expose PII at scale.

AI tools and student data

AI tools like note-taking apps, chatbots, and tutoring platforms can expose student PII when data is entered without proper safeguards.

If staff upload grades, disciplinary records, or counseling notes into a generative AI system, that information may be processed or stored outside the school’s control, especially without a clear educational purpose, access controls, or a compliant vendor agreement in place.

Third-party edtech platforms

Many schools rely on third-party edtech vendors for classroom management, assessment, messaging, and analytics.

Under FERPA, these vendors qualify as “school officials” only when all three of the following apply:

• They perform a service the school would otherwise handle with its own staff.
• They remain under the school’s direct control over how education records are used and maintained.
• They use the data only for the authorized educational purpose.

Cybersecurity threats and data breaches

Cyber incidents now carry both operational and FERPA risk.

Ransomware, account compromise, and phishing attacks can expose transcripts, contact information, disciplinary records, and other student PII.

The faster institutions can isolate affected systems, review audit trails, and determine what data was exposed, the faster they can contain the compliance impact.

Remote and hybrid learning environments

Zoom, Teams, shared cloud folders, and parent-facing messaging apps create new opportunities for accidental disclosure.

Common examples include screen sharing during a virtual class with another student’s grades visible in an open browser tab, storing records in a cloud folder with overly broad permissions, or discussing student issues in messaging channels accessible to staff without a legitimate educational interest.

FERPA Violation Consequences and Penalties

FERPA violations don’t stay contained. The fallout reaches operations, finances, and reputation, often long after the original incident is closed.

Loss of federal funding

FERPA violations can lead to losing access to federal financial assistance, including Title I and other critical funding programs.

Most public schools and universities rely heavily on federal aid, so losing this funding could severely disrupt operations. The fallout would force budget cuts affecting educational resources, teacher salaries, and student services.

Legal repercussions

FERPA itself doesn’t give parents or students the right to sue, but that doesn’t mean violations are consequence-free.

Schools regularly face legal action under state privacy laws and data breach statutes, with claims that can lead to settlements, court judgments, and penalties from state regulators.

The federal picture looks different.

To date, the Department of Education hasn’t withdrawn federal funding from any institution solely for a FERPA violation.

What the Student Privacy Policy Office (SPPO) does instead is require corrective actions: mandatory policy revisions, staff retraining, system access audits, and ongoing reporting. The financial pressure tends to come from the state side, through lawsuits and settlements brought under state privacy and negligence laws.

Reputational damage

Of all the consequences of a FERPA violation, reputational damage is usually the one that schools feel first. A regulatory investigation can take months to play out, but a publicized breach can draw media attention and parent backlash within days, sometimes hours.

The downstream effects depend on the institution.

K-12 districts often see a loss of community trust, school board scrutiny, and pressure on leadership. Higher education institutions face the same, plus risks to alumni support, donations, and external partnerships, all of which depend on a clean privacy track record.

What to Do After a Suspected FERPA Violation

If your school suspects that student education records were improperly exposed, speed and documentation matter.

FERPA does not prescribe a formal breach response workflow, but a structured internal response can reduce compliance and operational risk.

1. Contain the exposure — Isolate the affected system, revoke access, disable the shared link, or attempt to retrieve the misdirected communication.
2. Assess the scope — Identify what records were exposed, how many students may be affected, and who received or accessed the data.
3. Notify leadership and legal counsel — Escalate the incident to the appropriate compliance, IT, legal, and administrative teams.
4. Document everything — Keep a written record of the timeline, actions taken, systems involved, and personnel responsible for the response.
5. Determine notification obligations — FERPA itself does not mandate breach notification, but many state breach notification laws do.
6. Implement corrective action — Update policies, adjust permissions, retrain staff, and strengthen controls to prevent the same issue from recurring.

This is operational guidance, not legal advice, and districts should coordinate incident response with counsel when evaluating notification obligations and remediation steps.

5 Steps to Avoid FERPA Violations

Most of the FERPA violation examples covered earlier share a common cause: missing policies, weak access controls, or untrained staff. Preventing them requires a proactive approach to managing student information.

Develop clear data retention and archiving policies

Having a well-defined data retention policy is essential to avoid mishandling student records. FERPA doesn’t mandate specific retention timelines. Schools must create their own policies to determine how long records are kept and when they should be securely disposed of.

Without a documented retention schedule, districts often keep student records indefinitely, increasing breach risk, or delete them too soon, creating compliance gaps. A retention policy should define what records to keep, how long to keep them, who is responsible, and how to dispose of them securely.

Here are the most important steps to take:

• Implement a data archiving solution like Jatheon to securely store education records, ensuring they are accessible only to authorized personnel.
• Review archived records and dispose of outdated or unnecessary data securely (e.g., shred physical records or use certified digital deletion methods).
• Ensure archived records are stored in compliance with FERPA, FOIA, and state-specific laws.

Provide regular staff training

Ensure that all employees who handle student records understand FERPA regulations and the institution’s data privacy policies.

Educate them on:

• The proper handling and storage of sensitive data
• Identifying exceptions where data can be disclosed without consent
• Secure use of digital platforms and email communication

FERPA responsibilities by role

• Teachers — Handle grades, recommendation letters, classroom discussions, and digital learning tools in a way that limits disclosure to authorized parties
• IT/Systems Administrators — Enforce access controls, encryption, vendor management, audit logging, and breach response procedures
• Registrars/Records Officers — Manage record access requests, opt-out tracking, retention schedules, and disclosure workflows
• Administrators/Principals — Oversee policy enforcement, annual notification, training, and complaint handling
• Counselors — Manage sensitive counseling and health-related information while understanding where FERPA ends, and HIPAA or state rules may apply

Limit access with role-based permissions

Restrict access to education records to only those employees with a legitimate educational interest. Use role-based access controls to ensure that sensitive information is not accessible to unauthorized individuals.

Best practices include implementing password protection, encryption, and multi-factor authentication (MFA) for digital systems, as well as conducting regular audits to review access logs and ensure compliance.

Use FERPA-compliant technology

Adopt tools and platforms designed to meet FERPA compliance requirements.

Features to look:

• Encryption for data in transit and at rest
• Role-based access and audit trails to track activity
• Secure sharing features for student records

Questions to ask before approving any edtech vendor:

• Does the vendor sign a FERPA-compliant data sharing agreement?
• Does the vendor limit data use to the stated educational purpose?
• Does the vendor provide audit logs and access controls?
• Does the vendor have a documented incident response plan?
• Can the vendor certify data deletion upon contract termination?

Maintain accurate opt-out records

FERPA allows the disclosure of “directory information” unless parents or eligible students opt out. To avoid violations, keep an updated record of opt-out requests and cross-check records before sharing any directory information.

Summary of the Main Points

• FERPA protects student education records at federally funded institutions, giving parents and eligible students the right to access, amend, and control disclosure of their records.
• Protected records include grades, disciplinary files, health data, financial information, contact details, and PII like Social Security numbers and biometric data.
• Common FERPA violations include posting grades publicly, sharing PII without consent, exposing email addresses in group messages, discussing students in public, mishandling digital files, ignoring opt-out requests, leaving records unsecured, delaying access requests, and improper disposal of PII.
• Consequences include loss of federal funding, state-level lawsuits, reputational harm, and higher compliance costs from audits and corrective actions.
• Prevention requires clear retention policies, regular staff training, role-based access controls, FERPA-compliant technology, and accurate opt-out tracking.

FAQ

What is a FERPA violation?

A FERPA violation occurs when a school or its staff fails to protect the privacy of a student’s education records. This usually involves the unauthorized disclosure of personally identifiable information (PII) from these records to a third party without the student’s or parent’s consent.

What is an example of an educational record according to FERPA?

An educational record is any record that contains information directly related to a student and is maintained by an educational institution or a party acting on its behalf. This can include information in any format, such as paper documents, computer files, video, or audio.

What is a FERPA waiver?

A FERPA waiver is a student’s written consent that allows an educational institution to release their protected educational records to a third party. While it can apply to various situations, it’s most commonly seen in college applications.

Can an eligible student or parent sue a school for a FERPA violation directly?

No. The law does not give individuals the right to sue a school directly for a FERPA violation. The only way to enforce the law is to file a complaint with the U.S. Department of Education’s Student Privacy Policy Office (SPPO), which is the federal authority that investigates such claims.

Can a teacher or a school use a third-party app or website with students?

Yes, but the school is still responsible for protecting the data. If a third-party vendor collects student PII, it becomes a “school official” under FERPA. The school must ensure it has a legitimate educational interest and that the vendor’s data handling practices are secure and compliant. The school, not the vendor, is held accountable for any FERPA violations. This is why schools often have a list of approved and vetted digital tools.

Can you go to jail for violating FERPA?

No. FERPA is a federal administrative law, not a criminal statute. Violations are enforced through the Department of Education and can result in loss of federal funding, but not criminal penalties. However, if a FERPA violation also involves a separate criminal act, such as identity theft, criminal charges could apply under other laws.

Does FERPA apply to classroom recordings or videos?

Yes, if the recording is directly related to a student and maintained by the school. However, surveillance footage kept solely by campus security for law enforcement purposes is typically exempt, unless it’s shared with school staff or added to a student’s file, at which point it becomes FERPA-protected.

What are the main FERPA exceptions to consent?

FERPA permits disclosure without consent in several circumstances, including: to school officials with legitimate educational interest, to another school where the student is transferring, in connection with financial aid, during health or safety emergencies, in compliance with a judicial order or subpoena, and for directory information if the student or parent has not opted out.

How does FERPA apply differently in K-12 vs. higher education?

In K-12, parents hold FERPA rights until the student turns 18 or enrolls in a postsecondary institution. In higher education, rights belong to the student. This distinction affects who can access records, who must provide consent, and how institutions handle parent inquiries. Higher education institutions also face additional complexity around work-study employment records and research data.

About the Author

Natasa Djalovic

Natasa Djalovic is a Senior Content Writer at Jatheon, with 10+ years of experience in creating B2B and SaaS content, with a strong focus on compliance, archiving, and tech topics. Outside of work, she likes to collect and build LEGO sets, hang out with her cats, and watch documentaries.