Somewhere between the pilot approval and the purchase order, every campus biometric project lands on general counsel’s desk with the same cover question: does this violate FERPA?
The short answer: facial authentication can be deployed in a FERPA-compliant way, because FERPA doesn’t prohibit biometrics — it regulates records. Under 34 CFR § 99.3, a biometric record is explicitly part of a student’s personally identifiable information, so the rules you already follow for transcripts and disciplinary files extend to facial templates and the access events they generate. Compliance is a design question, not a yes/no question.
Here is what counsel actually checks, in the order they check it.
Where do biometrics sit in FERPA’s definitions?
FERPA protects education records — records directly related to a student and maintained by the institution or a party acting for it. Its regulations define personally identifiable information to include a biometric record: measurable biological characteristics used for automated identification, facial characteristics among them.
Two consequences follow. A facial template enrolled for door access is PII the moment your institution — or your vendor, acting on your behalf — maintains it. And biometric records can never be designated as directory information; there is no public-by-default path for a face the way there is for a name or a major. That mostly means biometric access control has to run through FERPA’s two standard release valves: consent, or a recognized exception.
Are door access logs education records?
This is the part that surprises facilities teams. An access event — student X authenticated at the residence hall at 11:42 p.m. — is a record about an identifiable student, maintained by the institution. In most readings, that makes the log an education record: parents and third parties can’t browse it, students can ask to inspect records about themselves, and disclosures need consent or an exception.
The workhorse exception is school officials with a legitimate educational interest. Security operations staff reviewing an incident qualify. A coach curious about an athlete’s comings and goings does not. The practical control is role-based access to the log itself — the same least-privilege logic behind zero trust at the door, applied to the data the door produces. Health-and-safety emergencies are the other valve: FERPA permits disclosure without consent when there is an articulable threat, which is exactly when access logs matter most.
What does the vendor contract need to say?
When a third-party platform stores enrollment data, compliance hinges on the school-official exception applied to vendors: the provider performs an institutional service, stays under the institution’s direct control over the records, and uses them only for that purpose. Contract review should confirm four things: purpose limitation (access control only — never marketing, model training, or resale), direct control (the institution can order deletion, and deletion is verifiable), a redisclosure prohibition, and a security posture with an independent attestation you can file.
Architecture makes that review easier or harder. A system that parks face photos in a vendor cloud raises every one of those questions. A system that converts the face into an encrypted, non-reconstitutable template and matches at the edge — on the device, with no photos, names, or videos stored on it — shrinks the data FERPA has to reach. That is the model behind the Alcatraz Platform and Rock X: on-device matching in under a second, AES-256 at rest, TLS 1.2/1.3 in transit, consent that is recorded, auditable, and revocable, and SOC 2 attestation for counsel to file rather than a promise to trust.
One honest limit: FERPA is a federal floor, not the whole map. A deployment that clears FERPA can still trip a state statute — Illinois’ BIPA chief among them — so read this alongside the state biometric landscape.
Why does opt-in consent simplify everything?
You can spend a semester mapping exceptions, or you can collect consent up front and make most of the analysis moot. Written, informed, revocable consent is FERPA’s cleanest disclosure basis — and it is what students and privacy officers ask for anyway. The strongest deployments make it architectural: students enroll themselves in about a minute, consent is captured at enrollment, badges keep working for everyone who declines, and revocation deletes the template. The consent record then does double duty as a FERPA disclosure basis and the centerpiece of your privacy-first rollout playbook. A well-drafted consent form is where that starts.
If counsel would rather see the consent and deletion flow than read about it, book a demo — those two screens are usually their first request.
Frequently asked questions
Does FERPA prohibit facial authentication on campus?
No. FERPA regulates records, not technologies. Biometric records are personally identifiable information under 34 CFR § 99.3, so facial templates and access data must be handled like other protected student records — with consent or a recognized exception, and never as directory information.
Are door access logs education records under FERPA?
Generally yes, when they identify a student and are maintained by the institution or its vendor. Treat them accordingly: restrict viewing to school officials with a legitimate educational interest, honor student inspection requests, and document any health-and-safety emergency disclosures.
Can a university share biometric data with a vendor under FERPA?
Yes, under the school-official exception — if the vendor performs an institutional service, stays under the institution's direct control over the records, and uses them only for that purpose. Contracts should add purpose limitation, verifiable deletion, and a redisclosure ban.