
Buyer’s guide · FERPA · K-12 and postsecondary

Guide to FERPA-compliant student data flows for career assessment platforms.

20 USC §1232g, 34 CFR Part 99, the school-official exception under §99.31(a)(1)(i)(B), directory information limits, and the state student-data-privacy laws that overlay FERPA across twenty-three states.

In Brief

This guide walks through FERPA (20 USC §1232g; 34 CFR Part 99) as it applies to career-assessment platforms operating in K-12 and postsecondary contexts. It covers the four primary rights FERPA creates (inspection, amendment, disclosure consent, complaint), the definition of education records under §99.3, and the moment a third-party platform becomes subject to FERPA derivatively through its school contract. It explains the school-official exception under §99.31(a)(1)(i)(B) and the four conditions a platform must satisfy: institutional service or function, direct control, redisclosure restriction under §99.33(a), and inclusion in the school’s annual FERPA notice criteria. It explains why career-assessment results are not directory information under §99.37, the consent and exception framework for downstream disclosures (including the studies exception under §99.31(a)(6)), and retention and deletion obligations under state record schedules and state student-data laws. It surveys the major state student-data-privacy laws — California SOPIPA Education Code §22584 and AB 1584 §49073.1, New York Education Law §2-d, Colorado C.R.S. §22-16-101, Connecticut Public Act 16-189, Illinois 105 ILCS 85, and roughly eighteen parallel statutes — and the multi-state DPA strategy for districts deploying across state lines. It closes with a six-artifact district evaluation framework and JobCannon’s production FERPA posture.

Chapters in this guide

A reading map for district and university privacy officers.

Education records and PII
Definitions under §99.3, what counts as derivative-FERPA data when held by a contracted operator, and the boundary with state student-data laws.
School-official exception
Four conditions under §99.31(a)(1)(i)(B), direct-control documentation, and the redisclosure restriction under §99.33(a).
Directory information limits
Why career-assessment results are not directory information under §99.37, and the consent / exception framework for downstream disclosure.
State student-data-privacy stack
CA SOPIPA + AB 1584, NY Education Law §2-d, CO, CT, IL, and the multi-state DPA strategy.

Assessment data flow scenarios in K-12 and postsecondary deployments

Each scenario has a different consent / exception path under FERPA.

  • In-school analytics: school-official exception covers it
  • Counselor-aggregated reporting: aggregate, no PII export
  • Postsecondary handoff: requires consent under §99.30

Compared to other FERPA-deployed assessment platforms

For a K-12 district covering 25,000 students per year

  • Naviance districtwide: $120-280K/yr (per-student licensing plus implementation)
  • Xello districtwide: $80-180K/yr (per-school licensing)
  • YouScience CTE bundle: $60-140K/yr (per-student licensing)
  • JobCannon: $0 (unlimited, forever)

What this guide covers

FERPA scope and education records definition under §99.3
School-official exception under §99.31(a)(1)(i)(B) — four conditions
Directory information limits under §99.37
Studies exception under §99.31(a)(6) for research disclosures
Retention obligations under state record schedules
State student-data-privacy laws across twenty-three states
Multi-state DPA strategy for cross-border deployments
Six-artifact district evaluation framework

Related on JobCannon

This guide is one of twenty in the JobCannon for Business reading library; district privacy officers reading the FERPA detail here also read the COPPA compliance guide for under-13 access, and the ESSA career-readiness indicator guide for how state CCR submissions interact with the school-officials-exception posture.

For the operational landing of these privacy primitives, see our for-school-districts vertical, where role-based access — district administrators on aggregate, building counselors on named-student records — is the configuration most districts deploy on day one.

Pricing for FERPA-bound deployments

Student-facing assessments stay free under a school or district partnership. Reporting, DPA paperwork, and state-specific addenda run on the Business tier from $199/mo flat, or under a multi-district partnership for ESC / BOCES / consortium deployments.

Starter

Try it with a micro-team

$0
  • 5 invites (one-time, not recurring)
  • All 50+ assessments
  • Basic individual reports
  • Share link via email or Slack
  • No credit card required
Request free access

Coach

For independent coaches and therapists

$29/mo
or $290/yr (save 17%)
  • 30 invites per month
  • All 50+ assessments
  • Detailed individual reports
  • Coach notes per client
  • PDF export (client-ready)
  • Session prep recommendations
Get Coach access
Most Popular

Team

For startups, teams and HR

$79/mo
or $790/yr (save 17%)
  • 100 invites per month
  • Everything in Coach
  • Team DNA dashboard
  • Compatibility matrix
  • Conflict-pattern detection
  • Compare 2-3 team members
Get Team access
Recommended

Business

For agencies, L&D and scale-ups

$199/mo
or $1990/yr (save 17%)
  • 500 invites per month
  • Everything in Team
  • White-label PDF reports (your logo)
  • API access (read-only results)
  • Custom assessment builder (beta)
  • Bulk CSV import/export
Get Business access

Enterprise

For 200+ person companies

From $5k/yr
  • Unlimited invites
  • Everything in Business
  • SSO (SAML, Google Workspace)
  • SLA (99.9% uptime)
  • Data residency options (EU/US)
  • Dedicated Customer Success
Talk to us

All plans are currently activated manually via the contact form — we review each request within 24 hours and provision access the same day. Self-serve checkout is coming once we've heard from the first wave of teams.

Talk to a privacy specialist

Tell us your role (district privacy officer, university registrar, ed-tech procurement) and your state. We respond within one business day with a DPA tuned to your state student-data-privacy law.

We reply within 24 hours. No spam, no per-seat pitches.

FAQ

What does FERPA actually cover, and when does a career-assessment platform become subject to it?

FERPA, the Family Educational Rights and Privacy Act of 1974 (20 USC §1232g; implementing regulations at 34 CFR Part 99), is the primary federal student-privacy law in the United States. It applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education — a definition that captures essentially every public school district, every public college and university, and most private institutions of higher education. FERPA does not apply to private K-12 schools that decline federal funds, and it does not apply directly to commercial operators — it applies to the school. The statute creates four primary rights for parents, transferring to students at age 18 or upon postsecondary enrollment: the right to inspect and review education records, the right to seek amendment of inaccurate records, the right to consent to most disclosures of personally identifiable information (PII) from records, and the right to file a complaint with the Department of Education’s Student Privacy Policy Office. “Education records” under §99.3 are records directly related to a student and maintained by the educational agency or institution, or by a party acting for the agency or institution. The moment a career-assessment platform collects, stores, or processes student data on behalf of a school under contract, those records are typically considered education records held by a party acting for the school, and the platform is operating in the FERPA universe — derivatively, through the school’s obligations. The platform itself does not face direct FERPA penalties; the school faces them, and the contract terms between the school and the platform are how the school flows down its obligations. A platform that operates outside any school relationship and collects data directly from students without a school contract is not under FERPA but is likely under COPPA (if under-13) or under state student-data-privacy laws.

How does the school-official exception under §99.31(a)(1)(i)(B) work, and what conditions must the platform meet?

FERPA generally requires written parental or eligible-student consent before a school discloses PII from education records. The school-official exception under §99.31(a)(1)(i)(B) is the principal mechanism by which schools share student data with online service providers without obtaining individual consent. The exception permits disclosure of PII from education records to other school officials — including teachers — within the agency or institution who have legitimate educational interests in the records. A 2008 amendment expanded the definition of school official to include contractors, consultants, volunteers, and other parties to whom the school has outsourced institutional services or functions. To qualify as a school official under that amendment, the outside party must satisfy four conditions enumerated in the regulation. First, the party must perform an institutional service or function for which the agency or institution would otherwise use employees. Second, the party must be under the direct control of the agency or institution with respect to the use and maintenance of education records. Third, the party must be subject to the requirements of §99.33(a) governing the use and redisclosure of PII from education records. Fourth, the party must meet the criteria the agency or institution has specified in its annual notification of FERPA rights for being a school official with a legitimate educational interest. The first and fourth conditions are typically satisfied by the school’s annual FERPA notice listing third-party service providers. The second and third conditions are satisfied by contract terms in the data-processing agreement. A career-assessment platform deployed under a school contract that includes the standard direct-control and use-restriction language qualifies as a FERPA school official; one operating without those contract terms does not, and the school cannot rely on the exception for that platform.

What is directory information, and should career assessment results be classified as such?

Directory information under §99.3 and §99.37 is a category of PII from education records that the school may disclose without written consent if it has provided annual public notice of the categories designated as directory information and the parent’s or eligible student’s right to opt out. Categories typically designated include name, address, telephone number, email address, photograph, date and place of birth, major field of study, dates of attendance, grade level, enrollment status, degrees and awards received, participation in officially recognized activities and sports, weight and height of athletic-team members, and the most recent previous educational agency attended. The Department of Education guidance (most recently updated in 2018 and reaffirmed in 2023) explicitly cautions schools against designating sensitive information as directory information — student ID numbers, biometric records, disability status, financial-aid records, and assessment results are typically excluded. Career assessment results — RIASEC code, Big Five trait scores, IQ percentile, skill-audit ratings — are not directory information and should never be designated as such. They are PII from education records that fall under the consent or exception requirements. Two operational implications follow. First, a platform cannot publish student assessment results to a public-facing leaderboard, social feature, or marketing surface without authorization — the school cannot claim directory-information cover. Second, when assessment results need to be shared with a third party such as a postsecondary institution for admissions, an employer for placement, or an external coach for follow-up, the disclosure requires either written consent under §99.30, an applicable exception (the studies exception under §99.31(a)(6) being the most common for research), or an authorized representative status under another provision. The platform should support per-student consent records for these downstream disclosures.
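The per-student consent check this answer calls for, as an added example that is not JobCannon's code: a disclosure gate that refuses directory-information cover for assessment fields no matter what the school designated, and otherwise looks for a current §99.30 consent or a §99.31(a)(6) studies agreement before releasing anything. Field names, recipient labels and the consent-ledger layout are assumptions made for the example.

```python
"""Disclosure gate for student assessment results held under a school contract.

Added example, not JobCannon's own code. It encodes the rule in the answer
above: assessment results are never directory information, so releasing them
downstream needs written consent under 34 CFR 99.30 or an exception such as
the studies exception under 99.31(a)(6). Names and the ledger are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Assessment result fields named on the page; never releasable as directory info.
ASSESSMENT_FIELDS = frozenset({"riasec_code", "big_five", "iq_percentile", "skill_audit"})

@dataclass(frozen=True)
class Consent:             # signed 99.30 consent: one student, one recipient
    student_id: str
    recipient: str
    fields: frozenset
    signed_on: date
    expires_on: date

@dataclass(frozen=True)
class StudiesAgreement:    # written 99.31(a)(6) agreement with a research body
    recipient: str
    fields: frozenset

def field_basis(field, student_id, recipient, today, directory_designated,
                opted_out, consents, studies):
    """Return the legal basis for releasing one field, or None if there is none."""
    if field in directory_designated and field not in ASSESSMENT_FIELDS and not opted_out:
        return "directory information (99.37)"
    for c in consents:
        if (c.student_id == student_id and c.recipient == recipient
                and field in c.fields and c.signed_on <= today < c.expires_on):
            return "written consent (99.30)"
    for s in studies:
        if s.recipient == recipient and field in s.fields:
            return "studies exception (99.31(a)(6))"
    return None

def authorize_disclosure(student_id, fields, recipient, today, directory_designated,
                         opted_out, consents, studies=()):
    """All-or-nothing decision: every requested field must have a lawful basis."""
    bases = {f: field_basis(f, student_id, recipient, today, directory_designated,
                            opted_out, consents, studies) for f in sorted(fields)}
    denied = [f for f, b in bases.items() if b is None]
    if denied:
        return False, {"denied_fields": denied}
    return True, bases

# Constructed sample data: a school that (wrongly) designated riasec_code as
# directory information, one signed consent, and one studies agreement.
TODAY = date(2025, 3, 1)
DIRECTORY = frozenset({"name", "grade_level", "riasec_code"})
CONSENTS = [Consent("S-1042", "state-university-admissions",
                    frozenset({"riasec_code", "big_five"}), date(2025, 1, 15), date(2026, 1, 15))]
STUDIES = [StudiesAgreement("edu-research-lab", frozenset({"big_five"}))]
```

With the sample data, a request for `riasec_code` to an employer with no consent on file is refused even though the school listed that field as directory information, which is exactly the cover the answer says is unavailable.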

How long should student assessment data be retained, and what are the deletion obligations?

FERPA itself imposes no specific retention period for education records; that is left to state and local record-retention schedules. State retention schedules vary widely — California education records are typically retained five years past the student’s exit (Education Code §16023 and 5 CCR §16020 et seq.), New York follows the State Archives schedule with retention periods varying by record type, Texas follows the State Library and Archives Commission Local Schedule SD. Federal IDEA records under 34 CFR §300.624 must be retained for the duration the parent has access rights to them. State student-data-privacy laws layer additional deletion obligations: California AB 1584 (Education Code §49073.1) requires the operator to delete PII within an agreed timeframe at school request, New York Education Law §2-d requires deletion at the end of the contract term, and similar provisions appear in Connecticut, Colorado, Illinois, Pennsylvania, and Washington student-data laws. The operationally defensible posture for a career-assessment platform is fourfold. First, retain student records during the active contract term plus a defined wind-down (most platforms use 12 months) to allow the school time to export data before deletion. Second, support per-student deletion requests within a contracted SLA (typically 30 days) for parental or eligible-student exercise of rights. Third, maintain a clearly documented deletion process — logical deletion (record marked deleted but recoverable) followed by physical deletion (record actually removed from storage and backups) within a defined window (most platforms use 90 days for backup-cycle reasons). Fourth, provide the school with a deletion certification on contract end. JobCannon’s production retention posture is contract term plus 12 months wind-down, 30-day per-student deletion SLA, 90-day physical deletion from backups, and contract-end deletion certification provided to the district within 30 days of termination.
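The fourfold retention posture above as a schedule, added here as an example rather than JobCannon's own code: it computes the wind-down and purge deadlines from a contract end date, starts the 30-day SLA clock on a per-student request, enforces the logical-then-physical deletion order, and flags records that have missed a deadline. The record layout, the state names and the overdue check are assumptions made for the example.

```python
"""Retention and deletion lifecycle for student records under a school contract.

Added example, not JobCannon's own code. It dates the posture in the answer
above: contract term plus a 12-month wind-down for the school to export, a
30-day per-student deletion SLA, and logical deletion followed by physical
deletion from storage and backups within 90 days. Layout is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
STATES = ("active", "logically_deleted", "purged")   # one-way lifecycle order

def add_months(d, months):
    """Calendar-month arithmetic, clamping e.g. Jan 31 + 1 month to Feb 28."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    last = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last))

@dataclass(frozen=True)
class RetentionPolicy:
    wind_down_months: int = 12    # export window after the contract ends
    deletion_sla_days: int = 30   # per-student request -> logical deletion
    purge_window_days: int = 90   # logical -> physical deletion incl. backups

@dataclass
class StudentRecord:
    student_id: str
    state: str = "active"         # active -> logically_deleted -> purged
    logical_due: Optional[date] = None
    purge_due: Optional[date] = None

def contract_end_schedule(contract_end, policy=RetentionPolicy()):
    """Deadlines the operator owes the school once the contract terminates."""
    wind_down_end = add_months(contract_end, policy.wind_down_months)
    return {"export_window_ends": wind_down_end,
            "logical_deletion_due": wind_down_end,
            "physical_purge_due": wind_down_end + timedelta(days=policy.purge_window_days)}

def request_deletion(record, requested_on, policy=RetentionPolicy()):
    """A parent or eligible student exercises deletion rights; start the SLA clock."""
    record.logical_due = requested_on + timedelta(days=policy.deletion_sla_days)
    record.purge_due = record.logical_due + timedelta(days=policy.purge_window_days)
    return record

def transition(record, new_state):
    if STATES.index(new_state) != STATES.index(record.state) + 1:
        raise ValueError(f"{record.student_id}: {record.state} -> {new_state} not allowed")
    record.state = new_state
    return record

def overdue_records(records, today):
    """Compliance check: records that have missed a deletion deadline as of today."""
    late = []
    for r in records:
        if r.state == "active" and r.logical_due and today > r.logical_due:
            late.append((r.student_id, "logical deletion SLA missed"))
        elif r.state == "logically_deleted" and r.purge_due and today > r.purge_due:
            late.append((r.student_id, "physical purge window missed"))
    return late
```

Running `overdue_records` on a schedule is the check a district can ask for alongside the deletion certification: it shows whether any record is still recoverable past its purge window.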

How do state student-data-privacy laws stack on top of FERPA?

Roughly twenty-three states have enacted student-data-privacy laws that impose obligations on operators beyond what FERPA requires, and the trend continues. The earliest and most influential is California’s SB 1177 (2014, codified as Education Code §22584) creating the Student Online Personal Information Protection Act (SOPIPA), and AB 1584 (codified at Education Code §49073.1) imposing contract terms on local-education-agency-operator agreements. SOPIPA prohibits operators from using student data for targeted advertising or selling student information, and prohibits creation of advertising profiles. AB 1584 requires the contract to include data-ownership clauses (the LEA owns the data), security clauses, prohibition on commercial use, parental access procedures, and breach-notification commitments. New York’s Education Law §2-d (2014, with regulations at 8 NYCRR Part 121 effective 2020) goes further — a Parents’ Bill of Rights for Data Privacy and Security must be incorporated into every contract, and operators must comply with the NIST Cybersecurity Framework, encrypt data at rest and in transit, and report breaches within seven calendar days to the school, which must in turn report within ten days to NYSED. Colorado SB 16-128 (now C.R.S. §22-16-101 et seq.), Connecticut Public Act 16-189, Illinois Student Online Personal Protection Act (105 ILCS 85), Pennsylvania’s Right-to-Know-related provisions, Washington House Bill 1495 (RCW 28A.604), Virginia’s Educational Technology Vendor Standards §22.1-289.01, and roughly fifteen others form the rest of the patchwork. For a multi-state deployment the operator typically maintains a base data-processing agreement aligned to the most stringent state requirements (often NY §2-d) with state-specific addenda. The platform must be able to handle different breach-notification timelines (CA = 72 hours, NY = 7 calendar days, CT = without unreasonable delay), different deletion timeframes, and different parental-rights mechanisms. JobCannon’s district-tier deployment includes a state-tuned addendum library covering the major state laws and a single base agreement satisfying NY §2-d and CA AB 1584 minimums.

What should a district look for in a career-assessment platform’s FERPA compliance posture?

A defensible FERPA evaluation focuses on six artifacts. First, the data-processing agreement — it must establish the platform as a school official under §99.31(a)(1)(i)(B), specify direct-control language, prohibit redisclosure without authorization under §99.33(a), restrict use to the educational purpose, and incorporate the relevant state student-data-privacy law addendum. Second, the data inventory — the platform should provide a written list of every category of PII it collects, with indication of which fields are required versus optional, the purpose of collection, retention period, and deletion mechanism. Third, the subprocessor list — cloud hosting (e.g., AWS, GCP, Vercel), email service (Resend, SendGrid), analytics (PostHog, Amplitude), error tracking (Sentry), customer-support tools, AI inference providers if used. Each subprocessor should have a corresponding data-processing addendum with the operator. Fourth, the security posture — SOC 2 Type II or equivalent, encryption at rest (AES-256 typical) and in transit (TLS 1.2 or higher), access controls with multi-factor authentication for staff, audit logging of data access. Fifth, the breach-notification commitment — timeline (72 hours to 7 days depending on state), content of notice, recipient list, and incident-response process. Sixth, the AI-training commitment — whether the operator uses student data to train AI models, with explicit opt-in or opt-out language. JobCannon’s district-tier posture: a base DPA establishing school-official status with direct-control language; a published data inventory; a published subprocessor list; SOC 2 in progress with current security attestations available on NDA; AES-256 encryption at rest, TLS 1.3 in transit, MFA for staff, audit logs retained 90 days; 72-hour breach-notification commitment for California districts and 7-day for New York districts; explicit no-AI-training-on-student-data commitment with opt-in option for districts that want to participate in research-grade improvements.

Author

Peter Kolomiets

Founder & Lead Researcher, JobCannon

Peter is the founder of JobCannon and leads the assessment validation, knowledge graph, and B2B partnerships. He has 10+ years working with NGO and educational career programmes globally.