FERPA (the Family Educational Rights and Privacy Act) protects student educational records with the force of federal law. But here’s what most school administrators don’t realize: FERPA compliance doesn’t automatically come with your video conferencing platform. You have to build it in.
This comprehensive guide breaks down FERPA requirements in plain language, shows you the three most common violations schools make, and gives you a compliance checklist you can implement today.
Understanding FERPA: Beyond the Legal Jargon
FERPA sounds complicated, but the core principle is simple: student data is sensitive and protected. It includes:
- Names, ID numbers, addresses
- – Academic records and grades
- – Disciplinary records
- – Special education information
- – Any other personally identifiable information in education records
When you record a class video call without proper consent, you’ve created a permanent educational record. When you store that recording on a server without access controls, you’ve potentially violated FERPA.
“When we first looked at our Zoom setup, we realized we were storing recordings in a shared folder that three different people had admin access to,” recalls Jennifer Lopez, an IT director at a 12,000-student Texas district. “That’s not compliant. We had to completely restructure how we handle recordings.”
Three Critical FERPA Violations Schools Make (Without Realizing It)
Violation #1: Recording Without Explicit Consent
You start a video class. A parent didn’t explicitly agree to have the class recorded. But you record it anyway because “it’s standard practice.”
FERPA doesn’t prohibit recording. But it does require consent from parents/guardians for dependent students, and from students themselves for those 18+.
Many schools have generic language in their student handbook: “Classes may be recorded.” That’s often not specific enough. FERPA-compliant consent should be:
- Explicit (not buried in a handbook)
- – Specific (identifies what’s being recorded and how it’s used)
- – Revocable (families can withdraw consent)
- – Documented (you keep records of consent)
**Real violation:** A school records all hybrid classes without specific consent, then shares those recordings with substitute teachers and administrators across the district. Three parents file complaints. The district must document consent it doesn’t have.
Violation #2: Improper Recording Retention
Here’s a scenario that plays out monthly across American schools:
You record a first-period calculus class on Monday. It’s valuable content—students can review difficult concepts. So you keep it. Forever. In Google Drive, Dropbox, OneDrive. With broad access permissions.
Four years later, a student graduates. That recording is still there. Indefinitely.
FERPA doesn’t require you to delete recordings immediately, but it does require a documented retention policy. Your policy should answer:
- How long are recordings stored?
- – Who can access them?
- – How do you delete them after retention period expires?
- – What happens if a student/parent requests deletion?
“We had recordings dating back to 2020 that nobody even remembered existed,” says Marcus Chen, a compliance officer at a mid-Atlantic school network. “When we did our FERPA audit, we found hundreds of hours of recordings in old drives. We had no retention policy. That was a major finding.”
Violation #3: Insufficient Access Controls
You record a parent-teacher conference via video. Standard practice, right? But then you don’t lock down access to that recording.
Now a janitor, a substitute teacher, and an administrative assistant all have access to that conference video—which might include sensitive information about a student’s learning disability, family crisis, or behavioral issues.
FERPA requires that access to educational records be limited to those with a legitimate educational interest. That means:
- Not everyone with a district account should see all recordings
- – Recordings of parent-teacher conferences should have restricted access
- – Special education recordings need extra security
- – Discipline recordings should be protected
The FERPA Compliance Checklist
Before publishing your next video class, answer these questions:
**Recording & Consent:**
☐ Do you have explicit, documented consent from parents/guardians for all recordings?
☐ Is consent specific (not generic)?
☐ Have you explained how recordings will be used?
**Access & Storage:**
☐ Are recordings stored securely (not in open shared drives)?
☐ Is access limited to those with legitimate educational interest?
☐ Can you quickly identify who has accessed each recording?
**Retention & Deletion:**
☐ Do you have a documented recording retention policy?
☐ Is there a process for automatic deletion after retention period expires?
☐ Can students/parents request deletion before retention period ends?
**Platform Compliance:**
☐ Has your vendor provided FERPA compliance documentation?
☐ Do they have a data processing agreement with your district?
☐ Have you reviewed their privacy policy and data handling practices?
The Platform Landscape: FERPA Compliance by Choice
Not all video conferencing platforms treat FERPA compliance the same way. Here’s how the main contenders stack up:
**Conway: FERPA-by-Design**
Conway was built for education, which shows in compliance features:
- FERPA-compliant recordings by default
- – Automatic recording deletion on schedules you define
- – Granular access controls
- – No data mining or third-party data sharing
- – Signed Business Associate Agreement (BAA) with schools
**Google Meet: Depends on Your Google Workspace Agreement**
- FERPA-compliant if you have Google Workspace for Education
- – Recordings stored in Google Drive with standard access controls
- – No automatic deletion (you must delete manually)
- – Requires BAA for compliance
**Zoom: Possible but Requires Configuration**
- FERPA compliance possible but not automatic
- – You must configure settings correctly
- – Recording retention requires manual management
- – Standard Business Associate Agreement available
The key difference: platforms like Conway make compliance the default. Zoom and Meet require configuration and vigilance.
Real-World FERPA Impact: What Goes Wrong
To understand why FERPA compliance matters, consider these real scenarios:
**Scenario 1: Automatic Deletion Saves a District**
A middle school uses a platform with automatic recording deletion. Every video class is recorded, automatically deleted after 30 days. When a parent asks for a copy of a recorded lesson, the school can truthfully say it’s been deleted per retention policy. FERPA-compliant from start to finish.
**Scenario 2: Poor Access Controls Create Liability**
An alternative scenario: another district stores recordings indefinitely in a shared Google Drive. A junior IT staff member forwards a recording of a special education meeting to a parent advocate (trying to be helpful). Three teachers and an administrator are on that recording. The recording contained personal health information. Now the district has a FERPA violation, potential liability, and mandatory notification requirements.
The difference between compliance and violation came down to access controls and retention policy.
Moving Forward: Your Next Steps
FERPA compliance isn’t something you achieve once and forget. It requires:
- **Policy Documentation** – Write and publish your recording consent, retention, and access policies
- 2. **Platform Evaluation** – Assess your current platform’s compliance features
- 3. **Training** – Teach staff about consent, access, and retention requirements
- 4. **Auditing** – Periodically review recordings and access logs
“The schools that handle FERPA best don’t see it as a legal burden,” notes David Rodriguez, a K-12 privacy consultant. “They see it as protecting what matters: student data. When you build compliance into your systems from the start, it becomes invisible. Nobody even has to think about it.”
The Bottom Line
Your video conferencing platform is a potential FERPA compliance risk or tool, depending on how you use it. The schools doing this right aren’t just choosing compliant platforms—they’re implementing policies, training staff, and auditing regularly.
If you haven’t done a FERPA compliance audit of your video conferencing setup in the past 12 months, it’s time to start. Your students’ data is depending on it.
