Compliance · 9 min read

International Data Transfers for US Schools: FERPA, CCPA, GDPR

US colleges recruiting internationally face layered obligations — FERPA, state privacy laws, and GDPR when marketing to EU students. A practical guide to data compliance.


Skolbot Team · April 24, 2026


Table of contents

  1. Why US schools face cross-border data exposure
  2. FERPA: the foundation of US student data law
  3. State privacy laws: CCPA/CPRA and beyond
  4. GDPR exposure: when EU law reaches US schools
  5. Vendor compliance table: key tools for US higher education admissions
  6. 90-day compliance action plan for US schools recruiting internationally
  7. Days 1–30: Map your data flows
  8. Days 31–60: Close the documentation gaps
  9. Days 61–90: Establish governance for ongoing compliance

Why US schools face cross-border data exposure

Most US colleges and universities don't think of themselves as international data controllers — but the tools they use and the students they recruit tell a different story. Every enrollment inquiry captured by a Salesforce CRM, every Zoom admission interview with a European applicant, every email campaign sent to prospective students in France or Germany creates a data flow governed by more than one legal framework.

Over 1 million international students enroll in US higher education institutions each year (IIE Open Doors data, 2025). For institutions that actively recruit abroad — particularly in Europe, Canada, and Asia — compliance obligations extend well beyond FERPA into EU, state, and foreign privacy regimes.

Three distinct frameworks shape how US institutions must handle student data today. Each addresses a different scope of protection, and none replaces the others.

FERPA: the foundation of US student data law

The Family Educational Rights and Privacy Act (FERPA) governs access to and disclosure of education records for students enrolled in federally funded programs. It applies to almost every US college and university.

Under FERPA, "education records" encompass a broad range of data: transcripts, financial aid records, disciplinary records, and any information directly related to a student maintained by the institution. Two FERPA provisions matter most for vendor management and cross-border flows.

The "school official" exception. An institution may disclose education records to a school official — including a third-party vendor — without student consent when the vendor performs a legitimate educational function, is under the direct control of the institution, and is subject to FERPA's use and redisclosure limitations. This is the basis on which US schools contract with cloud providers like Google, Microsoft, and Salesforce. Without a properly structured agreement, these disclosures are unauthorized.

The "legitimate educational interest" test. School officials may access records only when they have a legitimate educational interest. This test must be defined in the institution's annual FERPA notification — not just assumed.

For international data flows, FERPA provides no adequacy mechanism equivalent to GDPR's Chapter V. The framework is disclosure-based: if the disclosure is covered by an exception and the vendor agreement is properly structured, FERPA compliance is met regardless of where data is physically stored.

State privacy laws: CCPA/CPRA and beyond

Since the California Consumer Privacy Act (CCPA) took effect in 2020 — updated by the California Privacy Rights Act (CPRA) in 2023 — US schools have faced a patchwork of state-level privacy obligations that FERPA does not preempt.

The critical distinction: CCPA/CPRA applies to California-resident consumers, including prospective students who have not yet enrolled. A Florida-based college actively recruiting in California must offer California-resident applicants the right to know, delete, correct, and opt out of sale or sharing of their personal information. This is distinct from FERPA, which only applies to enrolled students' education records.

As of 2026, more than a dozen states have enacted comprehensive consumer privacy laws (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, and others). Shared consumer rights across these frameworks include:

  • Right to access and copy personal data
  • Right to deletion
  • Right to opt out of targeted advertising and profiling
  • Right to correct inaccurate data

For admissions marketing — email campaigns, targeted ads, CRM data collection from prospective students — these rights apply from the first touchpoint. Schools without a documented request-handling process for prospective students (not just enrolled students) are non-compliant with applicable state laws.

GDPR exposure: when EU law reaches US schools

The EU General Data Protection Regulation applies to organizations outside the EU when they actively target EU residents (GDPR Article 3(2)). A US college with a landing page in French, a Google Ads campaign targeting students in France, or a campus recruiter attending education fairs in Germany is, in the GDPR's view, offering services to EU residents. Processing the personal data of those prospective students falls under GDPR jurisdiction — including the Chapter V transfer obligations.

This is the exposure most US admissions offices underestimate. It means:

  • Collecting email addresses from EU students requires a lawful basis (legitimate interest or consent)
  • Any transfer of those EU-resident records to a US-based CRM or marketing tool requires a transfer mechanism — typically Standard Contractual Clauses (SCCs) in the vendor's Data Processing Agreement (DPA)
  • Transfer Impact Assessments (TIAs) are required for US-bound transfers, documenting that the recipient provides adequate protection despite the absence of an EU adequacy decision for the US as a whole

The US-EU Data Privacy Framework (DPF), adopted in July 2023, provides a streamlined adequacy mechanism — but only for DPF-certified companies. Verify certification status at dataprivacyframework.gov before relying on a vendor's DPF certification.

Vendor compliance table: key tools for US higher education admissions

Tool                           | Primary data held               | FERPA agreement            | CCPA data processor         | GDPR DPF/SCC          | EU data residency
-------------------------------|---------------------------------|----------------------------|-----------------------------|-----------------------|-----------------------------------
Google Workspace for Education | Email, Drive, Meet, forms       | Yes — signed DPA required  | Yes (CPRA Service Provider) | DPF certified + SCCs  | Yes (EU data region, admin opt-in)
Microsoft 365 / Teams          | Email, SharePoint, Teams        | Yes (OST terms)            | Yes                         | DPF certified + SCCs  | Yes (EU Data Boundary)
Zoom                           | Video calls, recordings         | BAA available              | Yes                         | DPF certified + SCCs  | Yes (data residency opt-in)
Salesforce (CRM)               | Prospect and applicant pipeline | Yes — DPA required         | Yes                         | DPF certified + SCCs  | Yes (EU instance available)
Common App                     | Application processing          | Institutional agreement    | Limited                     | SCCs in DPA           | US-hosted
Slate (Technolutions)          | CRM / admissions                | Yes                        | Yes                         | SCCs                  | US-hosted
HubSpot                        | Marketing, email                | Yes — DPA available        | Yes                         | DPF certified + SCCs  | Yes (EU)

Two critical points about this table. First, having a vendor on the DPF certified list does not eliminate the need for SCCs in the DPA — for EU-resident prospects, you need both the DPF certification and a signed DPA with SCCs to fully document the transfer mechanism. Second, FERPA compliance and GDPR compliance are not interchangeable: a properly structured FERPA school-official agreement does not satisfy the GDPR's Article 28 DPA requirements.

90-day compliance action plan for US schools recruiting internationally

Days 1–30: Map your data flows

Inventory every SaaS tool used in the admissions and marketing stack. For each tool, identify: which student records it holds, whether a FERPA-compliant agreement is signed, and whether the tool is used in connection with EU-resident applicants. Request DPA templates from vendors if not already on file.

Expected output: a data map showing which tools hold prospective student data, their FERPA and GDPR status, and gaps requiring remediation.

Days 31–60: Close the documentation gaps

Sign FERPA-compliant DPAs with any vendor that holds education records without one. For tools used to process EU-resident applicant data: review the DPA for GDPR Article 28 compliance, verify SCC annexes are properly executed, and confirm DPF certification if applicable. Update your institution's FERPA annual notification to accurately reflect the school-official exception for all active vendors.

Days 61–90: Establish governance for ongoing compliance

Assign a privacy officer or coordinator responsible for reviewing vendor agreements at contract renewal. Implement a pre-procurement checklist: at minimum, FERPA agreement review and — for programs with EU recruiting activity — GDPR transfer mechanism verification before any new tool goes live. Train admissions and marketing staff on prospective-student data rights under applicable state privacy laws.
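The data map that days 1–30 are meant to produce, and the gap list that drives days 31–60, can be kept as a small inventory with the plan's review rules encoded as checks. The following is an added example written for this article, not Skolbot's code or any vendor's tooling: the field names (holds_education_records, used_with_eu_applicants, sccs_executed, and so on) are assumptions chosen to mirror the questions the plan asks, and the inventory entries are constructed samples that describe no real vendor's terms. It flags a tool holding education records without a school-official agreement, a tool used with EU-resident applicants without an Article 28 DPA or without executed SCC annexes, and a DPF claim that has not been verified on dataprivacyframework.gov.

```python
"""Vendor data-map gap check: an added example, not Skolbot's code.

Encodes the review rules of the 90-day plan as checks over a tool inventory.
Field names and inventory entries are constructed for illustration and do not
describe any real vendor's status.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Tool:
    name: str
    data_held: str
    holds_education_records: bool   # enrolled-student records -> FERPA scope
    used_with_eu_applicants: bool   # EU-targeted recruiting -> GDPR Art. 3(2)
    ferpa_agreement_signed: bool    # school-official agreement on file
    gdpr_dpa_signed: bool           # Article 28 DPA on file
    sccs_executed: bool             # SCC annexes signed within the DPA
    relies_on_dpf: bool = False     # vendor cites DPF certification
    dpf_verified: bool = False      # listing checked at dataprivacyframework.gov


@dataclass
class Finding:
    tool: str
    framework: str   # "FERPA" or "GDPR"
    gap: str


def check_tool(tool: Tool) -> List[Finding]:
    """Apply the plan's rules to one tool and return its remediation gaps."""
    findings: List[Finding] = []
    if tool.holds_education_records and not tool.ferpa_agreement_signed:
        findings.append(Finding(tool.name, "FERPA",
                                "holds education records without a school-official agreement"))
    if tool.used_with_eu_applicants:
        if not tool.gdpr_dpa_signed:
            findings.append(Finding(tool.name, "GDPR",
                                    "no Article 28 DPA covering EU-resident applicant data"))
        elif not tool.sccs_executed:
            findings.append(Finding(tool.name, "GDPR",
                                    "DPA on file but SCC annexes are not executed"))
        # DPF only helps if the vendor's listing has actually been verified.
        if tool.relies_on_dpf and not tool.dpf_verified:
            findings.append(Finding(tool.name, "GDPR",
                                    "DPF certification claimed but not verified"))
    return findings


def build_data_map(tools: List[Tool]) -> List[Tuple[str, str, str, str, List[str]]]:
    """Rows of (tool, data held, FERPA status, GDPR status, gaps): the
    expected output of days 1-30."""
    rows = []
    for t in tools:
        gaps = check_tool(t)
        if not t.holds_education_records:
            ferpa = "n/a (no education records)"
        else:
            ferpa = "ok" if t.ferpa_agreement_signed else "GAP"
        if not t.used_with_eu_applicants:
            gdpr = "n/a (no EU applicants)"
        else:
            gdpr = "GAP" if any(f.framework == "GDPR" for f in gaps) else "ok"
        rows.append((t.name, t.data_held, ferpa, gdpr, [f.gap for f in gaps]))
    return rows


def gaps_by_framework(tools: List[Tool]) -> Dict[str, int]:
    """Count open gaps per framework to size the days 31-60 work."""
    counts: Dict[str, int] = {"FERPA": 0, "GDPR": 0}
    for t in tools:
        for f in check_tool(t):
            counts[f.framework] += 1
    return counts


# Constructed sample inventory (hypothetical statuses, not real vendors' terms).
SAMPLE_INVENTORY = [
    Tool("crm-sample", "prospect and applicant pipeline",
         holds_education_records=False, used_with_eu_applicants=True,
         ferpa_agreement_signed=False, gdpr_dpa_signed=True, sccs_executed=False,
         relies_on_dpf=True, dpf_verified=False),
    Tool("email-suite-sample", "email, drive, forms",
         holds_education_records=True, used_with_eu_applicants=True,
         ferpa_agreement_signed=True, gdpr_dpa_signed=True, sccs_executed=True,
         relies_on_dpf=True, dpf_verified=True),
    Tool("video-sample", "admission interview recordings",
         holds_education_records=True, used_with_eu_applicants=False,
         ferpa_agreement_signed=False, gdpr_dpa_signed=False, sccs_executed=False),
]

if __name__ == "__main__":
    for name, held, ferpa, gdpr, gaps in build_data_map(SAMPLE_INVENTORY):
        print(f"{name:20} {held:32} FERPA={ferpa:28} GDPR={gdpr:22}")
        for g in gaps:
            print(f"{'':20} - {g}")
    print(gaps_by_framework(SAMPLE_INVENTORY))
```

In the constructed sample, the CRM holds only prospect data, so FERPA is not in scope for it, but it is used with EU applicants and has a DPA without executed SCC annexes plus an unverified DPF claim, which is the "you need both" situation the vendor table section describes. The inventory is deliberately a plain data structure so it can be re-run at each contract renewal as part of the pre-procurement checklist.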

One frequently overlooked exposure: staff personal devices and personal email accounts. An admissions officer who emails a prospective student in Germany from a personal Gmail account has created an uncontrolled data flow with no FERPA or GDPR protection. Device policy and institutional email use enforcement are not just IT issues — they are privacy compliance issues with real legal exposure.

FAQ

Does FERPA protect international applicants who have not yet enrolled?

No. FERPA only applies to "education records" of students who are enrolled (or were enrolled) in a federally funded institution. Prospective students who have not yet enrolled are not covered by FERPA. Their data is governed by applicable state privacy laws (CCPA and equivalents), GDPR if they are EU residents, and any applicable foreign law. Many institutions address this gap through institutional privacy policies that extend FERPA-like protections to all applicants.

Do US schools need to comply with the EU GDPR?

It depends on recruiting strategy. If your institution actively targets EU-resident prospective students — through EU-targeted advertising, multilingual landing pages, or in-country recruitment events — GDPR likely applies to the processing of those individuals' personal data under Article 3(2). If EU-student enrollment results entirely from EU residents approaching the institution unsolicited, GDPR may not apply. The boundary is not always clear; legal counsel familiar with GDPR is advisable for institutions with significant EU recruiting activity.

What is the HECVAT and should we use it?

The Higher Education Community Vendor Assessment Tool (HECVAT) is a standardized questionnaire developed by the higher education community to evaluate vendor security and privacy practices. Most large SaaS vendors — Google, Microsoft, Zoom, Salesforce — have completed HECVAT responses available on request. Using HECVAT as a pre-procurement checklist significantly accelerates the DPA review process and is increasingly expected by institutional IT security and legal departments.

What are the penalties for FERPA violations?

FERPA enforcement is handled by the Student Privacy Policy Office (SPPO) within the US Department of Education. The primary penalty for non-compliance is loss of federal funding — a significant deterrent rarely invoked for isolated incidents. In practice, enforcement focuses on institutional practices and typically results in corrective action plans. State privacy law violations carry harsher financial exposure: up to $7,500 per intentional CCPA/CPRA violation, with no maximum on aggregate penalties.


Every US institution that recruits internationally operates at the intersection of FERPA, state privacy law, and GDPR. Most admissions teams are well-versed in FERPA — fewer have mapped how their EU recruiting activity creates GDPR obligations. Closing that gap calls less for a compliance overhaul than for a systematic vendor audit and documentation update.


© 2026 Skolbot