Quick answer: FERPA-compliant SMS means sending text messages to students without disclosing protected education records to unauthorized parties, obtaining proper consent before texting non-directory information, and choosing a vendor with strong data governance practices, written data use agreements, and encryption protecting student data in transit and at rest.
What FERPA actually covers — and why SMS fits into it
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records at institutions that receive federal funding. An education record is broadly defined: any record, file, document, or other material that contains information directly related to a student and is maintained by an educational institution or a party acting for the institution.
Most compliance teams immediately think of transcripts, grades, and financial aid files. But FERPA's scope extends further. A text message that references a student's enrollment status, academic standing, financial aid disbursement, disciplinary matter, or health record held by the institution can contain education record information — and must be handled accordingly.
This does not mean institutions cannot text students. It means the content of those messages, and the platform carrying them, must meet FERPA's handling standards. General outreach — event reminders, campus alerts, enrollment deadline notices — typically does not disclose protected records. Messages that reference individual student data require closer scrutiny.
Directory information, consent, and the opt-in question
FERPA distinguishes between two categories of student information. Directory information — typically name, enrollment status, and institution-designated public fields — can be disclosed without consent unless the student has filed a FERPA hold. Non-directory information requires written consent before disclosure to any outside party.
For SMS programs, this distinction matters in two ways. First, the content of any message referencing non-directory data requires that a proper consent process be in place. Second, the phone number itself may be considered education record information depending on how it was collected and what your institution's FERPA policy designates as directory information.
Separate from FERPA, the Telephone Consumer Protection Act (TCPA) requires affirmative opt-in consent before sending marketing or promotional text messages to any individual. Institutions running SMS programs for financial aid, enrollment, or student services should capture and document opt-in at the point of collection — for example, during application, enrollment, or account creation. This note is general guidance, not legal advice; consult your institution's counsel for compliance determinations specific to your programs.
What to require from an SMS vendor
Choosing the right platform is as important as crafting the right policies. When evaluating vendors, your compliance and IT teams should look for the following:
- Written data use agreement. FERPA requires that third-party vendors who access student education records operate under a formal agreement limiting their use of that data to the contracted purpose. Ask every vendor for their standard data use agreement before procurement.
- Encryption in transit and at rest. Student data transmitted through the platform should be protected by encryption in transit (TLS 1.3) and at rest (256-bit AES). Ask vendors to confirm these specifications in writing.
- No data sale or secondary use. Vendors must not sell, share, or use student data for their own commercial purposes. This should be explicit in the contract, not implied.
- Access controls and audit logs. Staff access to student contact information within the platform should be role-based. Audit logs should record who sent what, and when, for compliance review purposes.
- 10DLC registration support. Since 2023, commercial SMS in the United States routes through registered 10-digit long code (10DLC) numbers. A compliant vendor should handle 10DLC registration on your institution's behalf and maintain current carrier compliance.
- Opt-out management. The platform must honor STOP requests instantly and maintain suppression lists so opted-out students are never re-messaged without fresh consent.
Where higher ed institutions use compliant SMS effectively
Institutions that operate with clear FERPA policies and a properly contracted vendor can use SMS across a wide range of student-facing programs without disclosing protected records:
- Enrollment and registration reminders — deadline alerts that do not reference individual academic standing
- Financial aid action reminders — prompting students to complete steps, without disclosing award amounts in the message body
- Campus safety and emergency notifications — mass alerts and closures where no individual student data is included
- Advising appointment reminders — confirming times without disclosing the reason for the appointment
- Orientation and onboarding sequences — step-by-step guidance for new students through welcome, housing, and ID processes
- Two-way advising conversations — when students initiate contact, staff can respond within the platform maintaining an auditable record
The common thread: compliant use keeps message content general and action-oriented, rather than surfacing specific protected data points in the message body. Where a student needs personalized information, the best practice is to direct them to a secure portal rather than transmitting sensitive details over SMS.
For a detailed breakdown of platform capabilities designed for higher education contexts, see our guide to the best texting platform for higher education.
How FRANSiS™ supports FERPA-aware SMS programs
FRANSiS™ is an AI-powered two-way SMS platform built for mission-driven organizations including higher education institutions. The platform is designed with data governance as a foundation, not an afterthought.
Data in transit is protected with TLS 1.3 encryption; data at rest uses 256-bit AES encryption. FRANSiS supports formal data use agreements for institutional clients. The platform's AI Powered Helper automates outreach sequences — enrollment reminders, financial aid nudges, orientation messages — while maintaining opt-out compliance automatically: a student who texts STOP is immediately removed from all automated sends.
Pricing is flat, predictable, and unlimited — institutions can run high-volume outreach campaigns without per-message cost surprises that create pressure to skip compliance steps. 10DLC registration is handled as part of onboarding, and FRANSiS supports TCPA-aligned opt-in capture within the platform.
FRANSiS does not guarantee FERPA compliance — that determination depends on how your institution configures its programs and what your legal counsel advises. What FRANSiS does provide is a platform architected to support compliant operations, with the data agreements, encryption, access controls, and audit trails that compliance teams expect from a higher education vendor. Institutions operating in healthcare contexts may also find our overview of HIPAA-compliant text messaging relevant for crossover use cases such as campus health and counseling services.
Frequently asked questions
Is SMS covered by FERPA?
It depends on what the message contains. A text message that includes or references a student's protected education record information is subject to FERPA's handling requirements. General outreach messages — deadline reminders, event notices, campus alerts — that do not disclose individual student record data typically fall outside FERPA's direct restrictions, though your institution's legal counsel should make that determination for your specific programs.
Do we need a data use agreement with our SMS vendor?
Yes, if the vendor will have access to student education record information. FERPA requires that school officials — including contracted third-party service providers — operate under a formal agreement that limits data use to the contracted educational purpose, prohibits secondary use or sale of the data, and holds the vendor to the same standards as institution employees. Request the vendor's standard data use agreement before signing any contract.
Does a student's phone number count as a FERPA-protected education record?
Possibly. Whether a phone number is treated as an education record depends on how it was collected — if it was provided during enrollment or stored in a student information system, it is likely an education record. Some institutions designate phone numbers as directory information, which changes the consent requirement. Review your institution's FERPA policy and directory information designation with your registrar and legal counsel.
What is the difference between FERPA consent and TCPA opt-in for SMS?
These are separate legal requirements. FERPA governs disclosure of education record information and applies to how institutions handle student data. TCPA governs consent to receive text messages and applies to how institutions contact individuals by phone or SMS. An institution may satisfy FERPA requirements for a given message while still needing to demonstrate TCPA opt-in consent before sending it. Both frameworks apply independently and your institution should have processes to document compliance with each.
Sign up for our mailing list for insights, perks, and more!


