Last updated 3 days ago. Our resources are updated regularly but please keep in mind that links, programs, policies, and contact information do change.
- FERPA Basics: Understanding Your Privacy Rights
- Understanding “Directory Information”: The Exception to Consent
- What Counts as Directory Information?
- School Responsibilities: Notification is Key
- Your Right to Privacy: Opting Out of Disclosure
- Limits on Disclosure: Understanding the Boundaries
- Finding Official Information: Where to Learn More
The Family Educational Rights and Privacy Act (FERPA) is the cornerstone federal law protecting student education records privacy in the United States. Administered by the U.S. Department of Education, FERPA gives parents and eligible students significant rights regarding their education records. Generally, schools must obtain written consent before sharing personally identifiable information (PII).
However, FERPA includes several exceptions. This article focuses on one major exception: “directory information.”
Understanding what constitutes directory information, why this category exists, and how schools must handle it is crucial for effectively managing educational privacy. The rules around directory information reflect FERPA’s attempt to balance safeguarding sensitive student data while allowing schools flexibility to conduct routine operations and share basic information, such as names for yearbooks or sports participation.
FERPA Basics: Understanding Your Privacy Rights
FERPA (found at 20 U.S.C. § 1232g and 34 CFR Part 99) applies to educational agencies and institutions receiving funding under any program administered by the U.S. Department of Education. This broad scope means virtually all public K-12 schools, school districts, and most postsecondary institutions must comply with FERPA.
Private and faith-based elementary and secondary schools generally don’t receive such funding and are often not subject to FERPA requirements. Parents considering private K-12 schools should ask directly about the school’s privacy policies, as FERPA protections may not apply.
FERPA provides parents with several fundamental rights regarding their children’s education records:
Right to Inspect and Review
Parents can access and review their child’s education records maintained by the school. Schools must provide access within a reasonable period, not exceeding 45 days after receiving a request. Schools aren’t always required to provide copies unless circumstances prevent parents from reviewing the originals.
Right to Seek Amendment
Parents can request that schools amend education records they believe are inaccurate, misleading, or violate privacy rights. If the school refuses, parents have the right to a formal hearing. If the school still denies the request after the hearing, parents can place a statement with the record outlining their view.
Right to Consent to Disclosures
Generally, schools must obtain written permission from parents before releasing any PII from a student’s education record. However, FERPA allows disclosure without consent under specific conditions, including the directory information exception, disclosures to school officials with legitimate educational interests, disclosures to schools where a student is transferring, disclosures for financial aid purposes, and health and safety emergency disclosures.
Transfer of Rights
When a student turns 18 OR attends a postsecondary institution at any age, FERPA rights transfer from the parent to the student. At this point, the student becomes an “eligible student.”
This transition can cause confusion, particularly for parents of college students who may still provide financial support. FERPA addresses this by including an exception: postsecondary institutions may (but aren’t required to) disclose education records to parents of eligible students without consent if the student is claimed as a dependent for federal income tax purposes.
What Are Education Records?
FERPA’s protections center on “education records,” broadly defined as records directly related to a student and maintained by an educational agency or institution, or by a party acting for the institution. This includes files, documents, and materials in various formats containing student-identifiable information.
Not all student information records are considered “education records” under FERPA. Excluded categories include:
- Records kept in the sole possession of the maker (private notes)
- Records created and maintained by a school’s law enforcement unit for law enforcement purposes
- Employment records for individuals whose employment isn’t tied to student status (unless it’s work-study)
- Grades on peer-graded papers before collection and recording by an instructor
Information obtained through a school official’s personal knowledge or observation is generally not protected by FERPA unless that knowledge comes from education records.
Understanding “Directory Information”: The Exception to Consent
While FERPA typically requires prior written consent to disclose PII from education records, the law includes specific exceptions. One of the most common is “directory information,” which allows schools to disclose certain information without obtaining consent if they follow specific procedures.
FERPA regulations define directory information as “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” This definition hinges on a general assessment of potential harm or privacy invasion.
The rationale is practical. It permits schools to share basic, commonly requested information for routine purposes without the administrative burden of seeking individual consent for every instance. Examples include publishing names in yearbooks, graduation programs, school plays, honor roll lists, athletic team rosters, or confirming enrollment status to potential employers.
Directory information is still part of the student’s protected education record—not unprotected data. However, FERPA allows different disclosure treatment if the school adheres to required notification and opt-out procedures. This differs from non-directory information (grades, transcripts, disciplinary actions, disability status), which generally requires explicit written consent for disclosure unless another FERPA exception applies.
The definition’s reliance on what is “not generally considered harmful or an invasion of privacy” introduces subjectivity. Information like a home address might seem innocuous generally but could pose risks in specific circumstances. In the digital age, even seemingly harmless data points can be aggregated and used in unintended ways.
FERPA addresses this variability by empowering individuals. The law establishes a baseline definition and gives parents and eligible students the right to “opt-out,” allowing them to apply their own privacy standard and prevent directory information disclosure.
This opt-out mechanism highlights a fundamental difference in how FERPA treats directory information versus other PII. For most education records, the default is privacy: schools cannot disclose without consent. For directory information, the process reverses this default. Once a school properly designates information as directory information and provides required public notice, it can disclose that information unless the parent or eligible student opts out. This places responsibility on the individual to restrict disclosure, rather than on the school to obtain permission beforehand.
What Counts as Directory Information?
FERPA doesn’t dictate a uniform list of directory information items for all schools. Each educational agency or institution decides what specific information it will designate as directory information, as long as those items fit within the broad federal definition. This means directory information lists can vary between school districts or universities. Parents and eligible students must consult their specific school’s official FERPA notification to know precisely what data elements are included in its directory information policy.
While schools have discretion, FERPA regulations and U.S. Department of Education guidance provide examples of information typically designated as directory information:
- Student’s name
- Address
- Telephone listing
- Email address
- Photograph
- Date and place of birth
- Major field of study
- Grade level
- Enrollment status (e.g., undergraduate/graduate, full-time/part-time)
- Dates of attendance (period during which a student attends or attended, such as academic year or semester, not specific daily attendance records)
- Participation in officially recognized activities and sports
- Weight and height of athletic team members
- Degrees, honors, and awards received
- Most recent educational agency or institution attended
FERPA explicitly prohibits certain data elements from ever being designated as directory information due to their sensitive nature:
- A student’s Social Security number (SSN)
- A student’s ID number (with limited exceptions)
The rule regarding student ID numbers requires careful attention. A student ID number, user ID, or other unique personal identifier used for accessing electronic systems can be designated as directory information only if that identifier cannot be used by itself to access education records. Access must require one or more additional authentication factors, such as a Personal Identification Number (PIN), password, or other method known only to the authorized user.
Similarly, a student ID number displayed on a student ID badge can be directory information only if it meets this security standard – it cannot grant access to records without an additional authentication factor. This rule balances the practical necessity of using student IDs in modern school environments with the need to prevent the ID from becoming a key to unlock sensitive, non-directory information.
The following table contrasts examples of information that schools might designate as directory information with types of information generally considered non-directory PII requiring stronger FERPA privacy protections:
| Commonly Designated as Directory Information (Examples – School Policy Dependent) | Generally NOT Directory Information (Requires Consent or Other Exception for Disclosure) |
|---|---|
| Name | Social Security Number |
| Address | Student ID Number (unless specific exception criteria are met) |
| Telephone listing | Grades / Grade Point Average (GPA) |
| Electronic mail address | Academic Transcripts |
| Photograph | Standardized Test Scores |
| Date and place of birth | Disciplinary Records |
| Major field of study | Disability Information / Records |
| Grade level | Health and Medical Records (maintained by the school) |
| Enrollment status (e.g., undergrad/grad, full/part-time) | Specific Daily Attendance Records |
| Dates of attendance (period, e.g., 2023-2024 school year) | Race / Ethnicity |
| Participation in officially recognized activities and sports | Country of Origin |
| Weight and height of members of athletic teams | Mother’s Maiden Name |
| Degrees, honors, and awards received | Student Course Schedules |
| Most recent educational agency or institution attended | Biometric Records (e.g., fingerprints, retinal scans, voiceprints) |
This table shows the distinction between the limited data potentially eligible for disclosure as directory information and the broader range of sensitive PII within education records that FERPA rigorously protects through consent requirements and specific exceptions.
School Responsibilities: Notification is Key
FERPA requires schools to notify parents of currently attending students and eligible students currently attending about their directory information policy before disclosing any designated directory information without prior written consent. This notification is typically provided annually, often as part of the school’s general FERPA rights notification.
The notification method is flexible. FERPA doesn’t require individual notices to each parent or eligible student. Schools can use any method “reasonably likely to inform” the relevant parties, including:
- Student handbooks
- School newsletters
- Local newspapers
- School or district websites
- Including it within the overall annual FERPA rights notification
While this flexibility is practical for schools, the “reasonably likely to inform” standard means parents and eligible students need to be proactive in looking for this information. It might be embedded within lengthy documents or posted in places not frequently checked. Since exercising the opt-out right depends entirely on receiving and understanding this notice, its potential obscurity can create a practical barrier to meaningful privacy control.
FERPA regulations specifically mandate the content of the public notice. The notice must clearly state:
- The types of personally identifiable information (PII) that the educational institution has designated as directory information. Schools must list the specific data elements (e.g., name, address, email) considered directory information, ensuring transparency about exactly what data is potentially subject to disclosure. Vague descriptions aren’t sufficient; the notice must provide necessary detail for an informed opt-out decision.
- The parent’s or eligible student’s right to refuse to let the institution designate any or all of those types of information as directory information concerning that student (the “right to opt-out”).
- The period of time within which a parent or eligible student must notify the institution in writing that they don’t want information designated as directory information.
The U.S. Department of Education’s Student Privacy Policy Office (SPPO) provides a Model Notice for Directory Information template that schools and districts can adapt for their use.
Your Right to Privacy: Opting Out of Disclosure
Perhaps the most critical component of the directory information exception for individuals is the right to opt-out. FERPA guarantees that parents (for students under 18 and not enrolled in postsecondary education) and eligible students (students 18 or older, or attending a postsecondary institution) can prevent schools from disclosing their designated directory information.
To exercise this right, the parent or eligible student must follow the procedure outlined in the school’s public notice. Generally, this involves:
Submitting a Request in Writing
The opt-out notification must be written. Verbal requests are typically insufficient under FERPA.
Meeting the Deadline
The written request must be submitted to the designated school office or official within the “reasonable period of time” specified in the school’s annual public notice. FERPA doesn’t define “reasonable,” and schools may set relatively short windows (sometimes only 10-30 days at the beginning of the school year). Check the school’s notice carefully for the deadline and submission instructions and act promptly to avoid missing the opportunity.
Specifying the Scope
Depending on the school’s policy and opt-out form, individuals may opt-out of all designated directory information disclosure, or select specific items to restrict (e.g., allow name for yearbook but block address and phone number). Some schools offer an “all-or-nothing” choice, while others provide a more granular “menu selection.”
Once a valid opt-out request is received within the specified timeframe, the school is legally obligated to honor it. This means the school cannot disclose that student’s directory information to third parties without obtaining prior written consent (unless another FERPA exception applies in a specific situation).
The opt-out request remains in effect indefinitely unless the parent or eligible student formally rescinds it in writing. If a parent or eligible student submitted an opt-out request while the student was enrolled, the school must continue to honor that restriction even after the student has graduated or withdrawn. This provides lasting protection against future disclosures (e.g., to alumni groups or marketers).
Conversely, schools aren’t required under FERPA to provide notice about directory information to former students or their parents, nor are they required to honor opt-out requests received after the student is no longer in attendance. This makes the enrollment period the critical window for exercising the opt-out right with long-term implications.
While opting out strengthens privacy control, be aware of potential practical consequences. Schools often point out that restricting directory information disclosure might prevent the student’s inclusion in:
- School yearbooks
- Honor roll announcements or published lists
- Graduation programs
- School directories distributed to other families
- News releases celebrating student achievements
- Published athletic team rosters or programs
Additionally, opting out might prevent the school from verifying enrollment status or degrees conferred to third parties like potential employers or other institutions without obtaining specific written consent each time.
However, the opt-out has limits. Choosing to restrict directory information disclosure doesn’t make the student anonymous within the school. FERPA explicitly states that a student may not use their opt-out right to prevent school officials from identifying the student by name or disclosing the student’s electronic identifier or institutional email address in class. The opt-out right primarily targets external disclosure of designated information to third parties, not the necessary use of identifying information for internal educational purposes or classroom interactions.
Limits on Disclosure: Understanding the Boundaries
Even when a parent or eligible student hasn’t opted out of directory information disclosure, FERPA and school policies can still place limits on how schools share this information.
One significant limitation comes from the school’s own policy, as stated in its public notice. FERPA allows educational institutions to be more restrictive in their disclosure practices than the law minimally requires. If a school’s public notice states that directory information disclosure will be limited to specific parties, for specific purposes, or both, then the school must adhere to those self-imposed restrictions (34 CFR § 99.37(d)).
For instance, a school district might state in its annual notice that it will only disclose directory information for yearbooks and to respond to requests from military recruiters (as required by other federal laws), but not for general commercial purposes. If such limitations are stated in the notice, the school is bound by them under FERPA and cannot legally disclose directory information to other parties or reasons, even if a student hasn’t opted out. This provision means the school’s own policy can serve as a powerful privacy control, offering an avenue for parents and students to advocate for stronger institutional protections beyond individual opt-outs.
Another crucial limitation involves linking directory information with more sensitive data. FERPA regulations prohibit an educational institution from disclosing or confirming directory information if doing so requires using the student’s Social Security number or other non-directory information (either alone or combined with other data elements) to identify or help identify the student or records, unless the institution obtains prior written consent (34 CFR § 99.37(e)). This rule safeguards against using directory information as a seemingly innocuous key to unlock or verify more sensitive, non-directory PII without proper authorization.
The question of whether schools can sell student directory information is complex. FERPA itself doesn’t contain an explicit prohibition using the word “sell” within the main section governing directory information disclosure (§ 99.37). However, several factors constrain this practice:
- State Laws: Some states have enacted laws explicitly prohibiting public educational institutions from selling students’ personal information, including directory information.
- School Policies: If a school’s directory information notice limits disclosures to specific non-commercial purposes or recipients, selling the information to commercial entities would violate its own stated policy and thus FERPA.
- Third-Party Vendor Context: U.S. Department of Education guidance regarding third-party service providers suggests that using PII from education records for purposes like targeted marketing may violate FERPA or other laws.
- Linking Prohibition: The rule against using non-directory information to identify students when disclosing directory information without consent could implicitly limit sales practices that rely on such data matching.
Therefore, while FERPA § 99.37 doesn’t directly forbid selling directory information that has been properly designated and for which no opt-out exists, the combination of potential state laws, binding school policies, and related federal guidance means that selling directory information is often restricted or prohibited in practice.
Finally, FERPA doesn’t require schools to keep a log or record of disclosures made under the directory information exception. This differs from most other FERPA exceptions, where schools generally must record who accessed PII, when, and for what legitimate purpose. The lack of a recordation requirement for directory information means that if a parent or eligible student hasn’t opted out, they generally have no way under FERPA to find out exactly who received their directory information or when it was disclosed. This operational difference results in less transparency and accountability for directory information disclosures compared to sharing other types of FERPA-protected data.
Finding Official Information: Where to Learn More
Navigating FERPA, especially its exceptions like directory information, requires access to accurate and current information. The primary and most authoritative source for guidance on FERPA is the U.S. Department of Education’s Student Privacy Policy Office (SPPO). SPPO administers and enforces FERPA and provides technical assistance to schools, parents, and students.
SPPO offers a wealth of resources online. Here are key official sources for reliable information:
- SPPO Main Website: The central hub for all official FERPA information, guidance, and resources is https://studentprivacy.ed.gov/.
- FERPA Regulations: For specific legal requirements, the full text of the FERPA regulations (34 CFR Part 99) is available at https://studentprivacy.ed.gov/ferpa. Directory information rules are primarily found in sections § 99.3 (“Directory information” definition) and § 99.37.
- Parent Guide to FERPA: A comprehensive yet accessible overview designed for parents is available at https://studentprivacy.ed.gov/resources/parent-guide-family-educational-rights-and-privacy-act-ferpa. A Spanish language version is also available.
- Eligible Student Guide to FERPA: Students who are 18 or older or attending a postsecondary institution should consult https://studentprivacy.ed.gov/resources/eligible-student-guide-family-educational-rights-and-privacy-act-ferpa.
- Frequently Asked Questions (FAQs): SPPO provides answers to common questions at https://studentprivacy.ed.gov/frequently-asked-questions. A helpful PDF addressing specific FERPA FAQs, including directory information, is available at https://www.ed.gov/media/document/ferpa-faq-102031.pdf.
- Directory Information Specific Page: SPPO maintains a dedicated page summarizing directory information concepts at https://studentprivacy.ed.gov/content/directory-information.
- Model Notice for Directory Information: The template notice for schools regarding directory information can be viewed at https://studentprivacy.ed.gov/resources/model-notice-directory-information.
Given the complexities and potential for misinformation from unofficial sources, relying on these official U.S. Department of Education resources is essential for understanding your rights and schools’ obligations regarding directory information under FERPA.
If you have specific questions not answered by these resources, or if you believe a school has violated your FERPA rights, you can contact SPPO directly by email at [email protected]. Information on filing a formal complaint is available on the SPPO website. Consulting these official channels ensures you receive the most accurate and up-to-date guidance.
Our articles make government information more accessible. Please consult a qualified professional for financial, legal, or health advice specific to your circumstances.