
Student Data Privacy: FERPA for Small Schools

NavEd Team

You've heard of FERPA. You probably know it has something to do with student privacy. And somewhere in the back of your mind, there's a nagging question: does it apply to my school?

Here's the short answer: it might not. If your school doesn't receive federal funding — no Title I grants, no free and reduced lunch program, no IDEA money — you are very likely not subject to FERPA at all.

But other laws fill that gap, and some of them apply to every school regardless of funding. State student privacy statutes are real. COPPA — the federal law governing children's data online — kicks in the moment you use any digital tool with students under 13.

The honest framing: FERPA compliance for small schools is often the wrong question. The right question is, what are my actual student data obligations, given how my school is structured? This post answers that clearly.


Running your school on Google Sheets and hoping for the best? NavEd gives small schools structured, role-based student records out of the box — your first 5 students are always free, no credit card needed.


Does FERPA Apply to Your School? (Here's How to Tell)

FERPA — the Family Educational Rights and Privacy Act — was passed in 1974. It gives parents the right to access their children's education records, request corrections, and control disclosure. When a student turns 18, those rights transfer to the student.

The law applies to educational agencies and institutions that receive funding under any program administered by the U.S. Department of Education. In practice, if your school receives any of the following, FERPA likely applies:

  • Title I grants for low-income student support
  • IDEA funding for special education services
  • Free and Reduced Lunch Program participation
  • E-Rate subsidies for internet or technology
  • Any other direct federal education grant

If your school receives none of these — entirely privately funded through tuition, donations, and family payments — you are almost certainly not subject to FERPA. Most microschool founders and co-op leaders have assumed FERPA applies to everyone who works with children. It doesn't. It applies to federally funded schools.

How to check

Look at your school's revenue sources. If you've never applied for or received federal education funds, you're not covered. If you're unsure, ask whoever handles your school's finances: "Do we receive any federal education funding?" Yes means FERPA applies. No means keep reading — because you still have real obligations.


What FERPA Actually Requires (If It Applies to You)

If FERPA does apply to your school, here's what it actually means day-to-day.

Education records are broadly defined

Under FERPA, "education records" covers nearly anything directly related to a student and maintained by the school: grades, transcripts, attendance, enrollment data, health records, disciplinary records, teacher notes. The definition is intentionally broad. When in doubt, treat it as protected.

Parents have specific rights

FERPA gives parents (and eligible students over 18) the right to inspect records within 45 days of a request, request amendments to inaccurate records, control disclosure to third parties (requiring written consent in most cases), and receive annual notice of these rights.

Directory information is a distinct category

FERPA distinguishes between regular education records and "directory information" — things like the student's name, address, phone number, date of birth, grade level, and participation in activities. Schools can disclose directory information without consent, but only after notifying families and giving them the opportunity to opt out.

This is where many schools trip up. Posting a class roster, publishing an honor roll with names, or sharing a student directory without offering families an opt-out — these are common FERPA violations that feel innocuous but aren't.

Third-party vendors are your responsibility

If you use any EdTech tool that accesses student records, that vendor's data practices are your responsibility under FERPA. Sharing student data with a vendor without a proper agreement in place is a violation, even if unintentional.

The Department of Education released updated FERPA guidance in 2025 — 37 revised FAQs — with significant attention to EdTech vendor relationships. The message: vet your tools, know what data they collect, and get proper agreements in writing.


If FERPA Doesn't Apply, What Does? (State Laws + COPPA)

This is where most small school compliance guides stop, and it's where the real work begins.

State student privacy laws

Many states have enacted their own student privacy statutes that are stricter than FERPA and apply regardless of federal funding. California's SOPIPA restricts how EdTech operators can use student data. New York, Colorado, Virginia, and Texas all have state-level laws that may apply to your school even if you're FERPA-exempt.

You need to know what your state requires. The National Conference of State Legislatures maintains a tracker of state student privacy legislation — worth 20 minutes of your time.

COPPA: The federal law that applies to everyone

The Children's Online Privacy Protection Act applies to any online service that collects data from children under 13. If you use any digital tool — an LMS, a grade portal, a communication app — with students under 13, COPPA likely applies to you or to your vendor.

The FTC has clarified that schools can provide consent on behalf of parents for educational tools — but only if the vendor's data collection is limited to educational purposes and the school has evaluated the tool's practices. Translation: you are responsible for knowing what your tools do with student data. You can't delegate that responsibility to the vendor.

The vendor responsibility principle

Whether or not FERPA applies to your school, the underlying principle is sound practice: any tool that touches student data should limit collection to educational purposes and prohibit sharing student data for advertising. This isn't just a compliance checkbox — education was the most targeted sector for cyberattacks in 2025, averaging 4,388 attacks per organization per week, a 31% year-over-year increase (Check Point Research, Q2 2025). The tools you choose are a real attack surface.


The 5 Student Data Privacy Practices Every School Should Follow

Regardless of whether FERPA, a state law, or COPPA is your primary driver, these five practices represent the baseline for responsible student data management. They're also what any reasonable parent would expect.

1. Centralize your records in a secure, access-controlled system

Spreadsheets in shared Google Drive folders can be accessed by anyone with the link, shared accidentally, and have no audit trail. Every school — even a 12-student microschool — should keep student records in a system that requires authentication and enforces role-based access. The Thursday math teacher doesn't need access to every student's health records. The parent of one child shouldn't see another family's information. Access should be limited to what each person actually needs.

2. Control what parents can see — and make sure they can only see their own child

When parents log in, they should see only their own child's grades, attendance, and records. This sounds obvious, but it's a configuration problem that comes up repeatedly with ad hoc solutions. A shared spreadsheet view, a group email with the wrong recipients, a portal with insufficient access controls — these are all ways student data leaks unintentionally.

3. Limit who on your staff can access what

In a small school where one person wears many hats, this is genuinely harder — but the principle still applies. Create intentional distinctions between who can view records, who can edit them, and who has full administrative access. If you use a school management system, configure its permission settings deliberately rather than accepting whatever defaults the system provides.

4. Vet every EdTech tool before giving it access to student data

Before adopting any new digital tool, ask: What data does it collect? Is data sold or shared with advertisers? Does the vendor offer a school data agreement? What happens to student data when you leave? You don't need a legal background to ask these questions — reputable EdTech vendors answer them clearly. If the answers aren't clear, that's information too.

5. Have a simple process for responding to record requests

Know where your records live, who can access them, and how you'd export them if a parent asked. If a family left your school and requested their child's transcript six months later, could you produce it? If the answer is "probably, let me dig through my files," that gap is worth closing now.


NavEd is built around the principles of student data privacy. Role-based access control, scoped parent portals, and audit logging of student record searches are all included in the Standard tier — because small schools deserve proper data hygiene, not just enterprise afterthoughts. Try NavEd free with your first 5 students — no credit card required, and you can add your first student in under five minutes.


Choosing EdTech Tools That Protect Student Privacy

The privacy question should be part of your vendor evaluation — not an afterthought. Here are the five things to confirm before giving any tool access to student data:

  1. Data ownership: Your data is yours. The vendor processes it; they don't own it.
  2. School-specific data agreement: Look for a Data Processing Agreement (DPA) that spells out what's collected, how it's used, and what happens when you leave. If a vendor doesn't have one for schools, ask why.
  3. Role-based access control: Can you control who sees what? A single shared admin login isn't suitable for student records.
  4. Audit logs: Can you see who accessed what, and when? This matters for both security and accountability.
  5. Data deletion on exit: Know what happens to your data if you stop using the service. You should be able to export it in a usable format, and you should know when it gets deleted.

One honest note: NavEd is not a FERPA compliance service and we don't hold a formal FERPA certification. Since we just asked you to interrogate your vendors' data practices, it's fair to hold us to the same standard: NavEd does not sell or share student data for advertising purposes. Student data is never used outside the educational purpose of running your school. We offer a Data Processing Agreement for schools that require one.

What we do offer is a system built around the principles that responsible student data management requires — centralized records, role-based access, scoped parent portals, directory privacy controls, staff permission management, and audit logging for student record searches (every search of student records via NavEd's global search is logged, showing who searched, what they searched for, and when). These are the building blocks. Your school's compliance posture depends on how you configure and use them, not just which platform you pick.


Ready to see how NavEd handles student data? The features that support good data hygiene — role-based access, scoped parent portals, staff permissions, audit logging — are all included in the Standard tier. Start your free account and your first 5 students are always free.


Frequently Asked Questions

Does FERPA apply to homeschool co-ops?

Almost certainly not — co-ops typically don't receive federal education funds. But state law may require certain record-keeping practices, and COPPA applies if you're using digital tools with children under 13. Know your state's requirements and vet the tools you use.

What is "directory information" and why does it matter?

Directory information includes generally public-seeming student details: name, address, phone number, email, grade level, dates of attendance, and participation in school activities. FERPA allows schools to disclose directory information without individual consent — but only after giving families notice and a chance to opt out. Schools that share student lists or class rosters without giving families this opportunity are in violation, even if the information seems harmless.

What should I do if a parent requests their child's education records?

If FERPA applies to your school, you must provide access within 45 days of a written request. For everyone else, the practical answer is the same: know where your records are, be ready to share them promptly, and have a calm, clear process. Parent record requests are rarely adversarial — most families just want to know what information you have.

How do I know if a vendor is FERPA-compliant?

Ask for their school data agreement or DPA. Reputable EdTech vendors have clear answers about what data they collect and whether it's restricted to educational purposes. If a vendor can't answer clearly, look elsewhere. The Student Data Privacy Consortium (SDPC) maintains a repository of reviewed vendor agreements — worth checking if your vendor is in their database.

What's the risk of cyberattacks for small schools?

Real and growing. Education was the most targeted sector for cyberattacks in 2025, with organizations facing nearly 4,400 attacks per week on average (Check Point Research, Q2 2025). Small schools are attractive targets precisely because they tend to have weaker defenses than larger institutions. Strong passwords, multi-factor authentication, and keeping student data in well-secured systems rather than ad hoc spreadsheets are the most accessible first steps.


You Have Real Obligations. Here's Where to Start.

Whether FERPA applies to your school or not, student data privacy is not optional. Parents entrust you with sensitive information about their children. State laws may impose specific requirements. COPPA applies the moment you use digital tools with young students. And the basic ethical obligation — handling that information carefully — doesn't depend on which law applies.

The good news is that good student data hygiene isn't complicated. It doesn't require a compliance officer or an enterprise software budget. It requires a system with real access controls, deliberate configuration, and a habit of asking the right questions before you adopt new tools. Those are achievable for any school, at any size — and they're the foundation that everything else, from legal compliance to family trust, is built on.


NavEd was built for small schools that take this seriously without having the budget for enterprise compliance tools. Role-based access control, scoped parent portals, staff permission management, directory privacy settings, and audit logging for student record searches are all part of the Standard tier — starting at $2.50 per student per month, with your first 5 students always free.

No credit card. No sales call. Start your free account today and see how it works.

