Strengthening Transparency & Confidence in FERPA Enforcement

June 2024

Jessica Arciniega, Katherine Kalpos, Morgan Sexton, Amelia Vance, and Casey Waughn


CC BY-NC 4.0

There is a pervasive myth among stakeholders concerned about student privacy that FERPA is not enforced––that it is toothless. This misconception stems from a lack of public transparency throughout the whole FERPA enforcement process at the Department of Education (USED). The public-facing parts of USED’s FERPA enforcement portray FERPA enforcement as weak, specifically due to the low number of punitive enforcement decisions and past systematic problems detailed in a 2018 USED Office of Inspector General (OIG) report.

Yet, the public never sees much of USED’s extensive FERPA enforcement work that takes place behind the scenes, like responding to FERPA complaints, working with stakeholders to rectify violations before FERPA’s punitive measures are necessary, and providing technical assistance and resources to education stakeholders to help preempt violations. The former head of the Student Privacy Policy Office, in a 2019 presentation, explained USED’s relatively infrequent punitive enforcement: “[USED has] found many violations of the law over the years, but, to date, we have always been successful at getting those entities into compliance once a violation has been found.”

To counteract the myth that FERPA is toothless, USED should be required to increase transparency regarding its enforcement activities, both to provide awareness of the ways in which FERPA is working and to provide accountability for the areas in which privacy is falling through the cracks. This increased transparency should include providing extensive metrics about the assistance that USED provides before punitive enforcement is necessary, which would create an ongoing way to measure positive impacts of their technical assistance. Both the perception that FERPA is being enforced and the law’s actual enforcement are critical for ensuring and promoting student privacy.

FERPA Enforcement

FERPA has two primary enforcement mechanisms:

  1. Withdrawing all federal funding from a school;
  2. Implementing a five-year ban on receiving personally identifiable information (PII) from education records.*

These mechanisms are used only when there is a policy or practice that violates FERPA and a school does not modify the policy or practice to make it compliant with FERPA. Notably, USED has never withdrawn funding from a school due to a FERPA violation or imposed the five-year ban. The fact that the five-year ban has never been enforced underscores the opacity of FERPA’s complaint and enforcement process. USED could impose the ban as soon as a violation is discovered, yet this has not occurred. This lack of enforcement may be attributed to the severity of the penalty—a minimum five-year ban—which would likely financially cripple any edtech provider. Importantly, a single FERPA violation does not establish a “policy or practice”; rather, courts have held and USED has reiterated that “even several alleged disclosures relating to a single student does not establish such a policy or practice.” Where the first step in the complaint process is to investigate alleged violations, requiring a policy or practice of violations may hinder USED from probing many allegations and bringing the offending school into compliance.

FERPA's Language

20 U.S.C. § 1232g(f), FERPA’s statutory enforcement section, is only one sentence long and indicates that the Secretary of Education shall “take appropriate actions” to enforce FERPA and to “deal with violations” of FERPA. The FERPA regulations (U.S.C. § 1232g(g)) require the Secretary of Education to create or designate within the Department an office and review board to investigate, process, review, and adjudicate FERPA violations and complaints. FERPA’s statutory structure is built around the idea that no funds will be provided from the federal government if an educational agency or institution has a “policy or practice” of violating FERPA. However, the statute also states that federal funding can only be terminated if “compliance cannot be secured by voluntary means.” FERPA allows the Department to withhold funding only if a school is found to have violated FERPA and the Department determines that the school is unable or unwilling to comply with FERPA.

FERPA regulations expand on the availability of enforcement options, including withholding funding for educational programs, issuing a cease-and-desist order, or terminating eligibility for funding.

Practical Considerations

Withdrawing all federal funding from a school is often described as the “nuclear option” because it would have disastrous effects on schools and institutions, including diverting dollars away from the educational institution that would otherwise be used to educate students. Practical considerations like this are largely why such a penalty has never been imposed.

As noted in the introduction, the fact that the Department has never had to withhold funding is likely an indication of FERPA’s success. However, the mechanics and logistics of enforcement remain a mystery. Currently, the Department of Education is not required to report on its FERPA-related activities or enforcement actions, which both perpetuates the myth that FERPA is toothless and makes the Department of Education largely unaccountable for enforcement. Neither FERPA’s statutory text nor its regulations specify clearly how the Department should process complaints or establish time frames for resolving complaints. Instead, the Privacy Office has discretion as to how it resolves FERPA complaints, but there is no transparency or accountability that sheds light on how this discretion is exercised.

It’s also important to remember that edtech companies and other parties that process data regulated under FERPA are not directly subject to FERPA; instead, schools are responsible for their school officials’ (which includes edtech companies) compliance with the law. Accordingly, even when an edtech company commits an egregious violation of FERPA, the only remedy originally available under FERPA was to withdraw federal funding from the educational institution and to penalize that institution rather than the school official that violated FERPA. In 1994, Congress passed an amendment to FERPA in an attempt to address this issue, adding one additional enforcement option: “if a third party outside the educational agency or institution permits access” or “fails to destroy” FERPA-protected information, USED must prohibit the educational agency or institution “from permitting access to information from education records to that third party for a period of not less than five years.” Since its creation, this penalty has not been applied by USED, so the efficacy of this punishment is also unclear.

A Third Enforcement Mechanism?: Federal Court
United States v. Miami University

In 1998, the U.S. Department of Justice filed a complaint on behalf of USED to enjoin The Miami University and The Ohio State University from releasing student disciplinary records that contained PII without consent, asserting that the records were protected under FERPA. In affirming the district court’s grant of summary judgment, the 6th Circuit notably stated: 

“When a recipient of funds fails to comply with the FERPA, Congress permits the Secretary of Education to "take any ... action authorized by law with respect to the recipient." 20 U.S.C. § 1234c(a)(4). While this provision certainly permits the DOE to bring a cause of action, including, inter alia, an action for injunctive relief, it does not expressly authorize the granting of injunctive relief to halt or prevent a violation of the FERPA. Cf. CSX Transportation, Inc., 964 F.2d at 551. Given the assortment of remedies available in the FERPA, Congress by no means foreclosed the exercise of equitable discretion…and we must embrace our traditional role in equity.” 294 F.3d 797 (6th Cir. 2001)

Enforcement in Practice

FERPA is enforced by the Department of Education through its Student Privacy Policy Office (SPPO). SPPO investigates, processes, and makes decisions on complaints, as well as providing technical assistance to help ensure compliance with FERPA. In this regard, it is both a reactive enforcement body that responds to complaints and a proactive resource for educational institutions and FERPA-adjacent entities (such as edtech providers) to consult about how to build practices, processes, and systems that comply with FERPA.

Systematic Problems

The 2018 report by the OIG documented that USED’s investigations of FERPA complaints were not sufficiently timely. The report concluded that USED “did not have controls to ensure that it timely and effectively processed FERPA complaints” and had only closed 24 investigations in fiscal year 2017, leaving 285 investigations open. The report made several recommendations for how USED should improve their handling of FERPA complaints going forward, including:

  • Implementing an effective system to track FERPA complaints;
  • Communicating with complainants more throughout the investigation process; and
  • Using a risk-based model for addressing FERPA complaints, where high-risk complaints are prioritized (rather than addressing complaints in chronological order).

USED mostly concurred with the report’s findings and promptly implemented many changes in accordance with the report’s suggestions. This included:

  • Increasing efficiency by consolidating all of USED’s student privacy functions under the newly created SPPO in January 2019, which oversees the Family Policy Compliance Office––the entity created under FERPA to conduct enforcement––and the Privacy Technical Assistance Center (PTAC);
  • Dramatically reducing the FERPA complaint backlog from 1,197 pending FERPA complaints in May 2018 to 594 complaints by April 2019;
  • Speeding up USED’s response to resolve many FERPA violations by evaluating complaints when they are received to determine whether they are best addressed through the formal complaint process (the previous default) or by USED providing intermediation or resolution assistance; and
  • Providing all complainants with regular status updates on their complaints (at least once every six months).

Unfortunately, we could not find any information since 2019 on the status of USED’s FERPA complaint process, and since there has not been follow-up on the effectiveness of USED’s changes to improve the investigation process of FERPA complaints, the 2018 OIG report and the many systematic problems that it highlights remain the most recent publicly available audit of USED’s procedures. 

Technical Assistance

However, only considering the low number of publicly announced punitive enforcement decisions and the 2018 OIG report provides an incomplete and misleading picture of USED’s FERPA enforcement because this overlooks the key preventative actions USED takes earlier in the process. In 2010, USED launched the Privacy Technical Assistance Center (PTAC) as a “one-stop resource for education stakeholders to learn about privacy, confidentiality, and security practices related to student-level data systems and other uses of student data.” PTAC proactively supports educational agencies and institutions in many ways, including conducting trainings and webinars, releasing guidance documents and best practices, and providing direct technical assistance. PTAC also engages in outreach and collaborates with stakeholders in the education community (like professional associations and advocacy groups) to promote awareness and understanding of privacy issues and best practices. Through proactive technical assistance, PTAC plays a vital role in enforcing privacy laws by preventing and mitigating potential violations early on, often preventing the need for public punitive actions later in the process. 

Reframing Enforcement

Why is PTAC’s extensive FERPA-related work often overlooked in conversations about USED’s enforcement of FERPA? While there is no way to know for certain, we posit that perhaps a significant factor is that we typically perceive enforcement in terms of what the consequences are once a party is found guilty or innocent. This fundamental misconception frames the concept of enforcement too narrowly and wrongly excludes PTAC’s work from overall FERPA enforcement discussions. PTAC’s work to prevent parties from ever reaching the punitive enforcement stage is vital to USED’s work to ensure FERPA compliance and must be included in discussions of USED’s FERPA enforcement activities.

But simply including PTAC’s work in FERPA enforcement discussions will not solve the problem because their support work is not as publicized as the low number of punitive enforcement actions.

To counter the myth that FERPA is toothless and to increase accountability and public trust in USED, the Department should be required to report its FERPA-related activities. Reports should include insights into the complaint resolution process (including the total number of complaints received and resolved each year, with or without punitive measures) and whether the complaints were resolved via the formal investigation process or through another mechanism of enforcement. Reports should also highlight technical assistance activities, including trainings offered (or planned to be offered) and other metrics that help to provide insight on whether the technical assistance is having a positive effect and how it could be improved.

Closing Thoughts

Reporting and accountability measures are important to demonstrate that USED does more than just investigate FERPA complaints: it continually acts on them and remediates FERPA violations. But these are only the first steps to overcoming the myth that FERPA is toothless. Other aspects of compliance and accountability will likely need to be re-evaluated as well, which we will discuss in future recommendations. However, it is most urgent that the reporting and accountability measures are addressed first in order to identify remaining concerns. Once this information is reported and clear, then legislators and agency officials will be able to make an informed decision about any additional enforcement reforms.

* Or, to be more accurate, FERPA states that once the Student Privacy Policy Office “finds that a third party, outside the educational agency or institution, violates § 99.31(a)(6)(iii)(B), then the educational agency or institution from which the personally identifiable information originated may not allow the third party found to be responsible for the violation of § 99.31(a)(6)(iii)(B) access to personally identifiable information from education records for at least five years.” 34 CFR 99.67(c).
