FERPA, the Family Educational Rights and Privacy Act, is the federal law that governs who can access your child's educational records and under what conditions. It was passed in 1974. That date is not incidental. The law was written when an educational record meant a paper file in a filing cabinet, and its core architecture reflects that. Understanding what FERPA actually covers, as opposed to what people assume it covers, requires sitting with the gap between 1974 and the present for a moment.
The law does three things. It gives parents (and students, once they turn 18) the right to inspect their child's educational records, the right to request corrections to those records, and the right to consent before the school shares those records with outside parties. These are real and meaningful protections, and they are also narrower than most people think.
The gap between "educational records" and "data about students"
FERPA's central limitation is definitional. The law protects "educational records," which are the official documents the school maintains directly related to a student. Grades, transcripts, disciplinary records, special education documentation: those are educational records, and they are covered.
What is not covered is a substantial and growing category of data that is collected about students but does not fit the definition of a formal educational record. The reading app that tracks exactly how long your child stared at each paragraph before turning the page is collecting data about their reading behavior, but that data is not an educational record. It is behavioral metadata generated by a third-party service. The adaptive math platform that logs every wrong answer, every hesitation, every attempt is generating a detailed portrait of how your child thinks, but that portrait lives in the platform's database, and FERPA has very little to say about it.
This is not a loophole people are taking advantage of cynically. It is a structural gap between a 1974 law and a 2020s school environment in which a typical student uses dozens of third-party platforms over the course of a year, each collecting its own data under its own privacy policy.
What actually protects students outside FERPA
Several states have passed their own student privacy laws that go further than FERPA. California's SOPIPA, New York's Education Law 2-d, and others vary significantly by state and are worth knowing about if your state has them.
Beyond law, the most useful protection is asking your school for a list of the third-party tools and apps currently in use at your child's grade level. Most districts maintain this list and are required to do so in states with stronger student privacy laws. What you do with that list, whether you look up each platform's privacy policy, whether you ask which ones have signed data privacy agreements with the district, whether any of them concern you specifically, is up to you. The list is the thing to start with, and the fact that most parents never ask for it is a more significant gap than any flaw in FERPA itself.