Closing the Department of Education could have a big impact on student data privacy rights

On March 20, 2025, President Trump signed an executive order seeking to close the Department of Education and “return the power of education to the states.”  However, closing the Department of Education may end the enforcement of the Family Educational Rights and Privacy Act (FERPA or Act), which has been the leading federal law protecting student information.  This means that while Congress and the States look to fill the gap left by FERPA, schools will be left with uncertainty as to their obligations to protect student data.

History of FERPA and the Department of Education

Congress passed the original version of FERPA in 1974. That original version focused on parents’ rights to inspect and correct their students’ data.  Then, in 1979, Congress created the Department of Education (Department) to provide federal oversight of funding to schools and to ensure that schools comply with all federal laws regarding education. 

Since its original passage, Congress has amended FERPA nine times. These amendments created strong links between FERPA and the Department to address parents’ growing concerns about data breaches and misuse of student data. For example, the current version of FERPA only applies to educational agencies that receive federal funds administered by the Department. Additionally, the Department is the only body with the authority to enforce FERPA.

Impact of the Department of Education closure on FERPA

Given that FERPA is closely tied to the Department, its closure will likely render the current version of FERPA moot. However, Congress may choose to amend FERPA to link its obligations directly to the receipt of any federal educational funding and remove the ties to the Department.  For example, in the news release discussing the executive order, the Secretary of the Department stated:

“Closing the Department does not mean cutting off funds from those who depend on them—we will continue to support K-12 students, students with special needs, college student borrowers, and others who rely on essential programs. We’re going to follow the law and eliminate the bureaucracy responsibly by working through Congress to ensure a lawful and orderly transition.”

Congress may also amend FERPA to make another agency, such as the Department of Health and Human Services (HHS), responsible for its enforcement. HHS is a suitable alternative since it already handles cybersecurity investigations for HIPAA-covered entities. However, HHS itself has experienced staff layoffs and may be unable to handle additional FERPA investigations.

If Congress does take up the baton of amending FERPA for a tenth time, it will likely update a number of sections of the Act. Given the large number of high-profile data breaches impacting educational institutions, Congress may want to follow the states’ lead on student data privacy by expanding the information that requires notice and creating strict deadlines for notice. These new requirements may create issues for schools that are already facing funding shortfalls.

Impact of the closure of the Department of Education on state laws

Within the past couple of years, some states have passed laws addressing the protection of student data. Many of these laws expanded the types of information that must be protected. For example, the Kansas Act includes grade levels as protected information. Meanwhile, the Illinois Act includes food purchases, political affiliations, and search activity, among others, as covered information. This trend towards more expansive student data privacy laws may become the norm if the Department’s functions are given to the states.

If FERPA is no longer in place, more states will likely try to rush out legislation to avoid gaps in the protection of student data, leading to a patchwork of state student privacy laws. It may also result in disparities in how student data is protected nationwide, creating concerns about equal access to student privacy.

The bottom line

Until the issues stated above with the Department of Education are fully resolved, schools will need to continue to fully comply with FERPA. However, if the Department of Education is closed and FERPA no longer applies, schools will need to get used to uncertainty when it comes to their cybersecurity obligations.  They will need to closely monitor the trends, not only in their own state, but also state trends in general to make sure they are covered in the event of a cybersecurity incident.
