
FERPA Compliance Checklist for AI Tools

A practical FERPA compliance checklist for AI tools used in schools. Review student data handling, agreements, privacy risks, and approval readiness.


What should a school check before treating an AI tool as FERPA-ready?


Author: AIForEdu Policy Desk (Policy & Governance)

Last updated: March 5, 2026. Content and metadata refreshed on the date shown.

Evidence level: document reviewed. Signals are labeled so educators can separate vendor claims from reviewed documentation.

Sources checked: 3. Each page lists the public materials used to support its claims.

Last verified: March 5, 2026. Useful for policy, pricing, and compliance signals that can shift over time.

This resource includes U.S.-oriented FERPA and COPPA framing where relevant. Schools outside the United States should adapt the language to local law, procurement rules, and child-protection requirements.

Quick answer

Before a school or district approves any AI tool, someone should be able to answer a basic question clearly: how does this product interact with student data, and is that interaction acceptable under FERPA?

This checklist is designed to make that review concrete.

Why FERPA compliance matters for AI

AI tools often process more data, more quickly, and in more opaque ways than older edtech products. That makes FERPA review more important, not less.

The issue is not just whether a vendor says it is “FERPA compliant.” The real question is whether your team understands:

  • what data is collected
  • how it is stored
  • whether it is shared
  • whether it is used for training
  • how deletion, access, and agreements are handled

This checklist helps you move from vague reassurance to actual review.

The Checklist

Use this checklist before approving any AI tool for classroom or administrative use.

1. Data Collection Scope

  • Does the tool collect personally identifiable information (PII)?
  • What specific data points are collected (name, email, grades, behavior)?
  • Is data collection limited to what’s educationally necessary?

2. Data Storage & Security

  • Where is student data stored? (US-based servers preferred)
  • Is data encrypted at rest and in transit?
  • Does the vendor have a SOC 2 Type II attestation report?
  • What is the data retention policy?

3. Data Sharing

  • Does the vendor share data with third parties?
  • Is student data used for model training?
  • Can the vendor sell or monetize student data?

4. Parental Consent & Access

  • Does the tool require parental consent (for under-13)?
  • Can parents request to view their child’s data?
  • Can parents request data deletion?

5. Vendor Agreements

  • Has the vendor signed a Student Data Privacy Agreement (DPA)?
  • Is the DPA compliant with your state’s student privacy law?
  • Does the agreement include breach notification procedures?

6. De-identification

  • If data is used for analytics, is it properly de-identified?
  • Does de-identification meet FERPA’s standard (cannot be re-identified)?

How to use this checklist in practice

Do not use this as a box-checking exercise at the very end.

Use it:

  1. before pilots expand
  2. before teachers are told a tool is approved
  3. before family-facing AI use scales
  4. before a board or cabinet is told the privacy questions are settled

What counts as a warning sign

Pause approval if:

  • the vendor cannot explain training use clearly
  • data retention terms are vague
  • there is no usable DPA path
  • parental access or deletion answers are unclear
  • the product team treats privacy questions as sales friction instead of core governance questions


Sources used for this policy resource

  • U.S. Department of Education (policy). Protecting Student Privacy. Official U.S. Department of Education student privacy overview, including FERPA and PPRA resources. Accessed Mar 5, 2026.
  • U.S. Department of Education (guidance). Guidance | Protecting Student Privacy. Official federal guidance documents and technical assistance materials for FERPA-related privacy review. Accessed Mar 5, 2026.
  • Federal Trade Commission (regulation). Children's Privacy. FTC overview of COPPA obligations, compliance expectations, and related business guidance. Accessed Mar 5, 2026.
