Education & FERPA Compliance for LLMs

Protecting student privacy and education records when using AI and LLMs in K-12 schools, colleges, and universities

Educational institutions face unique privacy obligations when implementing LLMs. The Family Educational Rights and Privacy Act (FERPA) protects student education records, while COPPA adds requirements for children under 13. Sending student information to LLM vendors without proper safeguards can violate federal law, jeopardize federal funding, and expose institutions to civil liability. Understanding these requirements is critical for K-12 schools, colleges, universities, and edtech companies.

โš ๏ธ Critical Risk: Loss of Federal Funding

FERPA violations can result in loss of all federal education funding. For most institutions, this represents millions or even billions of dollars annually. The Department of Education can also require corrective action and impose limitations on data sharing practices.

1. FERPA Fundamentals

The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g) is a federal law that protects the privacy of student education records.

What Are "Education Records"?

Education records are records that are:

  1. Directly related to a student, AND
  2. Maintained by an educational agency or institution (or party acting for it)

Examples of Education Records:

  • Grades, transcripts, GPA
  • Course schedules and enrollment records
  • Disciplinary records
  • Special education and IEP documents
  • Financial aid records
  • Attendance records
  • Student ID numbers (if linked to personally identifiable info)
  • Email addresses assigned by the school

Personally Identifiable Information (PII) from Education Records

FERPA protects PII in education records, which includes:

Direct Identifiers:

  • Student name
  • Parent/family member names
  • Student address
  • Student ID number
  • SSN or other government ID

Indirect Identifiers:

  • Date and place of birth
  • Mother's maiden name
  • Photos, videos, audio recordings
  • Biometric identifiers
  • Any other info that alone or combined makes a student's identity traceable

✅ Directory Information Exception

Schools may disclose "directory information" without consent IF they have:

  • Notified parents/students of what info is considered directory information
  • Given parents/students an opportunity to opt out
  • Waited a reasonable time for opt-outs

Directory information typically includes: name, address, phone, email, date of birth, honors/awards, participation in sports/activities, photos. It does NOT include grades, GPA, SSN, or disciplinary records.

2. The "School Official" Exception for LLM Vendors

FERPA generally prohibits disclosing education records without consent. However, schools MAY share records with "school officials" who have a "legitimate educational interest."

📋 Can LLM Vendors Be "School Officials"?

YES, if the school:

  1. Designates the vendor as a "school official" in its annual FERPA notice
  2. Ensures the vendor has a "legitimate educational interest" in accessing student data
  3. Ensures the vendor is under the school's direct control regarding use and maintenance of education records
  4. Uses the vendor to perform an institutional service or function the school would otherwise perform itself

Required Contract Provisions

To qualify as a "school official," the LLM vendor contract must include:

  • Purpose Limitation: Vendor may only use student data for the specific educational service contracted (not for any other purpose, including model training)
  • No Redisclosure: Vendor cannot re-disclose student PII to other parties without school authorization
  • Direct Control: School maintains direct control over use of education records
  • Data Destruction: Vendor must destroy or return data when no longer needed for the authorized purpose
  • Audit Rights: School can audit vendor's compliance with FERPA obligations
  • Breach Notification: Vendor must promptly notify school of any unauthorized access

Legitimate Educational Interest

The vendor's access must be necessary to:

  • Provide educational services to students (tutoring, adaptive learning)
  • Support instructional activities (grading assistance, curriculum development)
  • Perform administrative functions (enrollment, scheduling)
  • Conduct research or evaluation to improve education

โŒ NOT a legitimate interest: Using student data to train commercial AI models for sale to other customers.

3. COPPA for K-12 Schools

The Children's Online Privacy Protection Act (COPPA) applies to online services directed to children under 13 or that have actual knowledge they're collecting personal information from children under 13.

COPPA School Exception

Schools can consent on behalf of parents for the collection of students' personal information IF:

  1. The online service is used solely for educational purposes
  2. The school obtains the consent (not the vendor directly)
  3. The information collected is not used for any commercial purpose (e.g., targeted advertising)

โš ๏ธ COPPA Requirements for LLM Vendors Serving K-12

If an LLM service is used by students under 13, the vendor must:

  • Provide clear notice of data collection practices
  • Collect only information necessary for the educational activity
  • NOT use student data for targeted advertising
  • NOT build user profiles for commercial purposes
  • Maintain reasonable security procedures
  • Delete student data when no longer needed for educational purpose

4. State Student Privacy Laws

Many states have enacted student privacy laws that go beyond FERPA. These often impose additional requirements on edtech vendors:

Common State Law Requirements

  • California (SOPIPA, AB 1584): Operators of K-12 online services cannot sell student info, use it for targeted ads, or build profiles beyond educational purposes. Must delete data upon school request.
  • New York (Ed Law §2-d): Requires contracts with third-party vendors; annual data privacy officer designation; parent access rights; encryption of data in transit.
  • Illinois (SOPPA): Written agreements required; data minimization; must post privacy policies; limits on biometric data collection.
  • Connecticut (PA 13-3): Contracts must limit data collection to school purposes; prohibits targeted advertising and sale of data.
  • Colorado (HB 16-1423): Contracts must specify data usage limitations; vendors must delete data within a reasonable timeframe after termination.

Student Privacy Pledge

The Student Privacy Pledge is a voluntary commitment by edtech companies (now administered by the State Privacy & Security Coalition). Signatories pledge to:

  • Not sell student information
  • Not use student data for behavioral targeting of ads
  • Not build profiles beyond educational purposes
  • Maintain comprehensive security programs
  • Delete student data when no longer needed

Check if LLM vendors have signed: Many major providers (Google Workspace for Education, Microsoft Education) have signed; consumer LLM interfaces generally have not.

5. Safe LLM Use Cases for Educational Institutions

Educational institutions can use LLMs safely if proper safeguards are in place:

✅ Administrative Tasks (No Student PII)

Course description writing, policy drafting, curriculum planning using only de-identified information.

No FERPA concern: No student PII involved

✅ Lesson Planning & Content Creation

Generate quizzes, discussion prompts, assignment ideas without student data.

No FERPA concern: No student records involved

✅ Research Using De-Identified Data

Analyze aggregated, anonymized student performance data for research purposes.

Requirement: Data must be truly de-identified per FERPA standards

✅ Student-Facing Chatbots (With Controls)

Tutoring bots, study assistants IF vendor has proper FERPA/COPPA safeguards.

Requirement: Vendor designated as school official; FERPA-compliant contract

✅ Grading Assistance (With FERPA Contract)

LLMs helping grade essays or providing feedback on assignments.

Requirement: School official designation; no data retention; no training on student work

✅ Accessibility Tools

Text-to-speech, translation, reading comprehension assistance for students with disabilities.

Requirement: FERPA-compliant vendor; minimal data collection

โŒ High-Risk Use Cases

These use cases require special attention or may not be permissible:

  • Using Consumer ChatGPT for Student Work: Free ChatGPT may use data for training; no FERPA protections. ❌ Not compliant.
  • Sending Full Transcripts to LLMs: Contains sensitive PII (names, grades, courses, SSNs). Requires robust FERPA contract or parental consent.
  • Analyzing Disciplinary Records: Highly sensitive; may reveal mental health or criminal justice involvement. Requires strong justification and safeguards.
  • Biometric Data (Voice, Facial Recognition): Many states restrict biometric collection in schools. Requires parental consent in most jurisdictions.

6. FERPA-Compliant LLM Vendors

When selecting LLM vendors for use with student data, prioritize those with education-specific offerings:

✅ Education-Focused LLM Services

  • Google Workspace for Education: Gemini integration available; Student Privacy Pledge signatory; no ads or data mining; FERPA/COPPA compliant.
  • Microsoft Education (Azure OpenAI): GPT models available through education licensing; FERPA-compliant agreements available; no training on student data.
  • Khan Academy's Khanmigo: Built on GPT-4; designed for K-12 with guardrails; FERPA-compliant; Student Privacy Pledge signatory.
  • Turnitin (Feedback Studio with AI): Writing feedback tools; FERPA-compliant; established education vendor.
  • Gradescope (Autograder AI features): FERPA-compliant grading assistance; owned by Turnitin.

Contract Checklist for Education LLM Vendors

Ensure contracts include:

  • ✅ Designation as "school official" with legitimate educational interest
  • ✅ Prohibition on using student data for commercial purposes (ads, product development, model training)
  • ✅ Data minimization (collect only what's necessary for educational purpose)
  • ✅ No re-disclosure of student data without school authorization
  • ✅ Data deletion upon contract termination or school request
  • ✅ Encryption of student data in transit and at rest
  • ✅ Breach notification within 24-48 hours
  • ✅ Compliance with state student privacy laws (NY Ed Law §2-d, SOPIPA, etc.)
  • ✅ Annual security audits or SOC 2 certification
  • ✅ Parental access rights (parents can review data collected about their child)

Best Practices for Education Institutions

DO

  • Designate LLM vendors as "school officials" in annual FERPA notice before sharing student data
  • Ensure vendor contracts prohibit using student data for model training or commercial purposes
  • Use education-specific LLM services (Google Workspace for Education, Microsoft Education)
  • Train faculty and staff on FERPA requirements and what data cannot be shared with LLMs
  • Obtain parental consent for collecting data from students under 13 via COPPA-compliant methods
  • Maintain audit logs of who accessed student data and when

DON'T

  • Use consumer ChatGPT or similar services with student names, grades, or education records
  • Share student data with vendors that don't have FERPA-compliant contracts
  • Allow faculty to use personal LLM accounts for grading or analyzing student work
  • Assume encryption alone makes a vendor FERPA-compliant (contractual terms are required)
  • Permit vendors to use student data for targeted advertising or building commercial user profiles
  • Forget to comply with state student privacy laws in addition to FERPA
