Does FERPA protect your students' data? For IECs, mostly no

A lot of independent educational consultants assume that anything touching a student's transcript, test scores, or essays is "FERPA-protected." It is a reasonable guess. It is also, for most of your practice, wrong.

Who FERPA actually covers

FERPA (the Family Educational Rights and Privacy Act) applies to educational agencies and institutions that receive federal education funds, and to the parties acting on those schools' behalf, such as a vendor a school hires to run its own systems. That is the whole scope. An independent consultant hired directly by a family is neither of those things. You are not a school, and in the ordinary course of your work you are not acting as a school's contractor.

That gap matters more than it sounds like it should, because so much of the language around student data borrows FERPA's vocabulary without carrying FERPA's obligations.

What that means in practice

When a family hands you their student's transcript, recommendation letters, or a spreadsheet of essay drafts, and you upload that material to a platform (a CRM, an essay tool, an assessment app, whatever your practice runs on), FERPA is not the law governing what that platform does with the data next. FERPA does not follow the document into your practice or onto the platform, even though it started life as a school record.

So what does protect it? In practice, mainly the platform's own privacy policy and terms of service. Those documents are a contract, not a compliance framework imposed from outside. Whatever they say the vendor can do with the data, that is what the vendor can do. That is precisely why reading them, before you upload anything, is not a formality.

What can apply

A few other protections can come into play, depending on the platform and the student.

COPPA, the federal Children's Online Privacy Protection Act, can apply to online services used by children under 13. Most of your college-bound students are older than that threshold, but it is worth checking for any tool used with younger siblings or early-start programs.

Some states have their own student-privacy or general consumer-privacy laws, and a few extend real protections to data handled outside the K-12 system. Whether one applies to your practice depends on the state you and your families are in and the specifics of the platform, so this is genuinely a case-by-case question rather than a blanket rule.

Contract law is the steady baseline underneath all of this. The platform's policy is the promise. If it says data is not sold, that is a claim you can point back to. If it is silent or vague on a point you care about, that silence is the actual state of your protection, not FERPA filling the gap.

Who FERPA covers and who it does not Two data paths compared. Left path: a school sends student data to a platform the school contracted with, and a shield marks this as a path where FERPA can apply. Right path: a family sends student data to an independent educational consultant, who sends it on to a platform the consultant chose, and an open padlock marks this as a path where FERPA does not reach and the platform's own privacy policy is the actual protection. School-contracted path School School-contracted platform FERPA can apply Family-hired path Family You (IEC) Platform you chose The privacy policy is the protection

The practical takeaway

None of this is legal advice for your situation, just general information about how these laws are scoped. If you want to know how a specific platform actually treats your students' data, the answer is not "FERPA covers it." The answer is in that platform's privacy policy and terms, which is exactly what the checklist walks you through line by line.

Two related questions worth reading next: do platforms actually sell student data, and what is the real difference between deleting and de-identifying a record a vendor claims to have "removed".


Bring this to your next vendor demo: the full checklist.