By Autumn Walden, Editor, AACRAO Connect, Content Strategy Manager, AACRAO
FERPA has long been one of the most relied-upon areas of expertise for AACRAO members, campus leaders, policymakers, and the broader public. The law is fifty years old, yet it governs decisions registrars and enrollment professionals make every single day—decisions that are increasingly complicated by artificial intelligence, cloud-based platforms, immigration enforcement, and a decade of federal guidance that most institutions have never had synthesized in one place.
That’s why the AACRAO Ask the FERPA Professors archive remains one of our most visited resources. Practitioners want to know more than what the law says—to know what to do in the moment, with the tools and pressures they’re actually navigating. It’s also why we take seriously our responsibility to keep our FERPA expertise current, credible, and actionable.
We’re proud to announce the release of “Navigating the Evolving Landscape of Student Privacy Under FERPA,” authored by Dale King, AACRAO Senior Fellow and former director of the U.S. Department of Education’s Student Privacy Policy Office, with a chapter by Michelle Mott, a higher education policy and communications strategist.
The publication is an addendum to the widely cited AACRAO 2012 FERPA Guide authored by LeRoy Rooker, and it tackles everything the original couldn’t have anticipated, such as artificial intelligence, immigration enforcement, healthcare intersections, vendor management, and prison education programs (see endnote below on this PEP work sponsored by Ascendium Education Group).
For King, author and AACRAO FERPA Professor, the need for the addendum is rooted in the volume and complexity of federal guidance issued since 2012.
“The primary purpose of this publication is to synthesize this guidance and provide registrars, admissions officers, and institutions with the information they need to more effectively meet their mission and privacy obligations to students,” King said.
Since the publication of the 2012 guide, the U.S. Department of Education’s Student Privacy Policy Office and Privacy Technical Assistance Center have issued extensive guidance, including enforcement letters and FERPA-related data governance documents. While many were written primarily for K-12 educational agencies, King noted that they remain highly relevant to postsecondary institutions.
The addendum is designed to help institutions understand how FERPA expectations have evolved—and how compliance now requires coordinated attention across governance structures, legal frameworks, security controls, human factors, vendor management, and stakeholder transparency.
Why FERPA feels different now
King said institutional leaders are operating in a fundamentally different compliance environment than the one many were trained to navigate.
“FERPA was written for paper files,” King said. “It now governs AI-generated risk scores, adaptive learning pathways, cloud-stored data held by third-party vendors, and metadata that can re-identify students even after anonymization.”
That shift requires institutions to move beyond narrow definitions of education records and recognize that privacy protection is now an institution-wide governance challenge.
“While firewalls and encryption matter, the real threat comes from uninformed staff and weak governance structures,” King said. “That shifts responsibility squarely to senior leadership and cannot be delegated entirely to IT or the registrar’s office.”
Now, let’s Ask the FERPA Professor:
Readers who wait for each new Ask the FERPA Professors response know that FERPA questions rarely stay simple for long. For those of you who turn to Ask the FERPA Professors first—this one’s for you. I asked King to go deeper on what’s in the update, what’s urgent, and what it means for your work.
What prompted AACRAO to revisit and expand on the 2012 FERPA Guide?
This publication builds on the AACRAO 2012 FERPA Guide authored by LeRoy Rooker. Since the publication of the 2012 guide, the U.S. Department of Education’s Student Privacy Policy Office and its Privacy Technical Assistance Center have issued extensive guidance on FERPA and data governance, including enforcement letters, in the decade since the 2012 guide was published, which is relevant to postsecondary institutions and their meeting of obligations under FERPA. Many of the Department’s documents were primarily for K–12 educational agencies. However, these documents are also highly relevant to institutions and to their ability to meet their obligations under FERPA.
The primary purpose of this publication is to synthesize this guidance and provide registrars, admissions officers, and institutions with the information they need to more effectively meet their mission and privacy obligations to students. The Department’s documents reveal several interconnected themes that collectively illustrate the evolution of student privacy policy and legal interpretations of FERPA by the Department. We believe this publication is needed to better ensure that institutions are aware and informed of this evolution and how it impacts their ability to effectively administer FERPA and protect student privacy. We found that the Department’s guidance supports that effective FERPA compliance requires coordinated attention across governance structures, legal frameworks, security controls, human factors, vendor management, and stakeholder transparency.
In your view, what are the most significant changes in the student privacy landscape that institutional leaders need to understand now?
I believe there are several shifts that, taken together, represent a fundamentally different compliance environment than what most institutional leaders were trained to navigate. FERPA was written for paper files. It now governs AI-generated risk scores, adaptive learning pathways, cloud-stored data held by third-party vendors, and metadata that can re-identify students even after anonymization. Leaders who still think of education records as transcripts are operating with an outdated mental model. Also, privacy protection is now primarily a governance challenge, not a technical one. While firewalls and encryption matter, the real threat comes from uninformed staff and weak governance structures. That shifts responsibility squarely to senior leadership and cannot be delegated entirely to IT or the registrar’s office.
I also believe third-party vendor relationships have extended institutional liability in ways many leaders have not internalized. When a vendor or cloud provider holds student data on behalf of the institution, FERPA responsibility stays with the institution. This means that contracts, oversight, and ongoing monitoring are now core compliance functions.
Finally, a decade of Department guidance from 2012 to 2025 shows continuous clarification precisely because the law has not been updated to address current technology. Institutions that wait for clearer federal guidance before acting are, in practice, choosing to operate in unmanaged risk. A core argument of this publication is that proactive stewardship, not reactive compliance, is now the baseline expectation.
The addendum addresses topics including artificial intelligence, immigration enforcement, healthcare intersections, vendor management, and prison education programs. Which of these areas feels especially urgent or misunderstood, and why?
I believe artificial intelligence is the most urgent student privacy challenge institutions face today because its adoption has outpaced the governance frameworks needed to manage it. AI systems now touch students at nearly every point in their academic journey, generating data that raises questions FERPA, written more than 50 years ago, was never designed to answer directly. The result is what the book describes as a “trust crisis,” where deep learning models operating as “black boxes” make decisions affecting students without the transparency FERPA requires, while institutions rush to adopt tools without fully assessing privacy implications. I believe what is at stake is not merely compliance; it is whether students can trust the systems built to support them.
The technological landscape has become so complex and interconnected that many institutions cannot fully map the pathways through which student data flows or the number of AI systems that process it. This rapid adoption creates an unprecedented situation. The use of AI tools and platforms has outpaced the development of policies and regulations designed to govern them. Institutions now face a situation in which the technologies exist and are widely deployed, but the governance frameworks to ensure compliance with federal privacy law are still being developed.
How does this publication help registrars and other enrollment professionals move from legal compliance to practical, day-to-day decision-making?
The publication bridges legal compliance and daily practice in several concrete ways. Rather than stopping at what FERPA requires, it translates statutory obligations into operational frameworks including governance structures, defined staff roles, and vendor contract standards. Registrars are given a clear compliance roadmap rather than a list of legal principles to interpret on their own.
Scenario-based guidance is central to this approach. The publication walks through real-world situations, from handling immigration enforcement requests to responding to student demands to inspect AI-generated records, so staff can recognize how FERPA applies before a problem escalates. Training recommendations are similarly grounded in actual decisions staff face day-to-day rather than abstract statutory text.
The publication also positions the registrar’s office specifically as a linchpin of institutional compliance. Because registrars hold legitimate access to vast quantities of personally identifiable information on a daily basis, the publication treats their judgment and preparation as the institution’s most critical line of defense. The cumulative effect is a shift from reactive compliance, responding to violations after they occur, toward proactive privacy stewardship built into routine operations.
What do you hope readers take away from the book, especially those who may feel overwhelmed by the pace of change around student data, privacy, and institutional responsibility?
This question is really at the heart of why the book was written. We want registrars and institution leaders and staff to feel equipped, not paralyzed. The complexity is real, and the book does not minimize it. But the underlying message is that FERPA is not an obstacle to institutional mission. It is a framework for honoring it. Institutions that internalize that reframe are better positioned than those treating compliance as a burdensome checklist imposed from outside.
For those who feel overwhelmed, the most important takeaway may be that perfection is not the standard. What the book consistently calls for is a conservative, documented, good-faith approach: when the law is ambiguous, err on the side of privacy protection. That posture, consistently applied, is both legally defensible and ethically sound. You do not need to have every answer; you need the right instincts and the right structures.
The book also reframes student privacy as something deeply human, not merely regulatory. Behind every data point is a student who trusted the institution with information about their academic struggles, their health, their finances, their circumstances. That trust is the actual thing being protected, and when institutions see it that way, the work feels less like compliance and more like stewardship.
Finally, the book is clear that this is not one person’s burden to carry. Privacy protection is a shared institutional responsibility, and no single registrar, compliance officer, or IT director is expected to hold it alone. The goal is to build systems and cultures where data protection is not an afterthought but a cornerstone, distributed across every office that touches student information. Readers who feel overwhelmed should take that as both a relief and a call to bring others along with them.
Note: The AACRAO Prison Education work was made possible through funding from Ascendium Education Group, as part of a collaborative grant awarded to the National Association of Student Financial Aid Administrators, with AACRAO serving as a subcontractor. Ascendium Education Group is a 501(c)3 nonprofit organization committed to helping people reach the education and career goals that matter to them. Ascendium invests in initiatives designed to increase the number of students from low-income backgrounds who complete postsecondary degrees, certificates and workforce training programs, with an emphasis on first-generation students, incarcerated adults, rural community members, students of color and veterans. Ascendium’s work identifies, validates and expands best practices to promote large-scale change at the institutional, system and state levels, with the intention of elevating opportunity for all. For more information, visit Ascendium Education Group.


