What is FERPA?
The Family Educational Rights and Privacy Act (FERPA) is a federal law enacted in 1974 that protects the privacy of student education records. It gives parents certain rights with respect to their children's education records, and these rights transfer to the student when they reach age 18.
FERPA applies to all educational agencies and institutions that receive funding under any applicable program of the U.S. Department of Education — which includes virtually every public school district in the country.
Why It Matters for Web Filtering
When web filtering tools collect per-student browsing data, safety alerts, or behavioral analytics, this data can constitute "education records" under FERPA. Schools must ensure their filtering vendor handles this data with proper privacy safeguards.
What FERPA Protects
FERPA protects "education records" — any records that are directly related to a student and maintained by an educational agency or institution. This includes:
Student names and contact information
Student ID numbers and device identifiers
Grades, transcripts, and academic records
Disciplinary records and behavioral data
Browsing activity logs linked to students
Safety monitoring alerts (self-harm, bullying)
Special education records (IEPs)
Biometric data and photographs
Parent Rights Under FERPA
Right to Inspect
Parents can inspect and review their child's education records within 45 days of a request.
Right to Amend
Parents can request correction of records they believe are inaccurate or misleading.
Right to Consent
Schools must obtain written consent before disclosing PII from education records (with exceptions).
Right to File Complaints
Parents can file complaints with the U.S. Department of Education if they believe FERPA was violated.
FERPA Exceptions for Web Filtering Vendors
Schools can share student data with web filtering vendors without parental consent under the "school official" exception (34 CFR § 99.31(a)(1)). This requires:
The vendor performs a service that would otherwise be done by school employees
The vendor is under the school's direct control regarding use of education records
The vendor uses the data only for the purpose for which the disclosure was made
The vendor meets the criteria for a 'school official' in the school's annual FERPA notification
The vendor does not re-disclose PII without authorization
Best Practice
Include web filtering vendors in your district's annual FERPA notification as "school officials with legitimate educational interests." This ensures transparency and compliance.
How KyberGate Ensures FERPA Compliance
Encryption at Rest & Transit
All student data encrypted with AES-256 at rest and TLS 1.3 in transit. No plaintext student data anywhere.
Organization-Scoped Data
Each school's data is completely isolated. No cross-organization data access is possible.
Role-Based Access Control
Admins, teachers, and counselors see only what they need. Principals see more than teachers. Parents see only their child.
No Data Sales or Advertising
We never sell, share, or use student data for advertising, marketing, or any purpose beyond the school's authorized use.
Data Retention Controls
Schools control their data retention period. All data is permanently deleted within 30 days of contract termination.
Audit Trail
Every access to student data is logged. Schools can audit who viewed what, when, for compliance documentation.
Parent Portal
Built-in parent access to their child's safety data, fulfilling the 'right to inspect' requirement transparently.
DPA Ready
We sign Data Processing Agreements (DPAs) and are listed on the Student Data Privacy Consortium registry.