Does FERPA protect your students' data? For IECs, mostly no
For most independent educational consultants, no. FERPA binds schools that take federal education funds and vendors acting on a school's behalf. A consultant hired directly by a family is neither, so FERPA does not follow a transcript into your practice or onto the platforms you upload it to. Protection comes from contracts and state law instead.
A lot of independent educational consultants assume that anything touching a student's transcript, test scores, or essays is "FERPA-protected." It is a reasonable guess. It is also, for most of your practice, wrong.
Who FERPA actually covers
FERPA (the Family Educational Rights and Privacy Act) applies to educational agencies and institutions that receive federal education funds, and to the parties acting on those schools' behalf, such as a vendor a school hires to run its own systems. That is the whole scope. An independent consultant hired directly by a family is neither of those things. You are not a school, and in the ordinary course of your work you are not acting as a school's contractor.
That gap matters more than it sounds like it should, because so much of the language around student data borrows FERPA's vocabulary without carrying FERPA's obligations.
What that means in practice
When a family hands you their student's transcript, recommendation letters, or a spreadsheet of essay drafts, and you upload that material to a platform (a CRM, an essay tool, an assessment app, whatever your practice runs on), FERPA is not the law governing what that platform does with the data next. FERPA does not follow the document into your practice or onto the platform, even though it started life as a school record.
So what does protect it? In practice, mainly the platform's own privacy policy and terms of service. Those documents are a contract, not a compliance framework imposed from outside. Whatever they say the vendor can do with the data, that is what the vendor can do. That is precisely why reading them, before you upload anything, is not a formality.
What can apply
A few other protections can come into play, depending on the platform and the student.
COPPA, the federal Children's Online Privacy Protection Act, can apply to online services used by children under 13. Most of your college-bound students are older than that threshold, but it is worth checking for any tool used with younger siblings or early-start programs.
Some states have their own student-privacy or general consumer-privacy laws, and a few extend real protections to data handled outside the K-12 system. Whether one applies to your practice depends on the state you and your families are in and the specifics of the platform, so this is genuinely a case-by-case question rather than a blanket rule. To check your own state, search for "[your state] student data privacy law" and "[your state] consumer privacy act," and look for results from the state attorney general or legislature rather than vendor blogs; that pair of searches surfaces the relevant law in most states in a few minutes.
Contract law is the steady baseline underneath all of this. The platform's policy is the promise. If it says data is not sold, that is a claim you can point back to. If it is silent or vague on a point you care about, that silence is the actual state of your protection, not FERPA filling the gap.
The practical takeaway
None of this is legal advice for your situation, just general information about how these laws are scoped. If you want to know how a specific platform actually treats your students' data, the answer is not "FERPA covers it." The answer is in that platform's privacy policy and terms, which is exactly what the checklist walks you through line by line.
Two related questions worth reading next: do platforms actually sell student data, and what is the real difference between deleting and de-identifying a record a vendor claims to have "removed".
The question this page answers is one of nine on the printable checklist: the checklist.