FERPA Compliant SMS: What Higher Ed Institutions Need to Know

When universities and colleges use text messaging to communicate with students, they enter a legal minefield. The Family Educational Rights and Privacy Act (FERPA) tightly controls what student information can be shared, with whom, and under what circumstances. A single SMS sent without proper consent or containing protected data could expose an institution to FERPA violations, loss of federal funding, and reputational damage.

Yet FERPA compliance doesn’t mean abandoning SMS. Thousands of institutions use text messaging successfully to communicate with students—when they understand the rules and implement them correctly. This guide explains FERPA requirements as they apply to SMS, clarifies what data can and cannot be shared, and provides a roadmap for FERPA-compliant text messaging programs.

FERPA Basics: What It Covers

FERPA, enacted in 1974, is a federal law that protects the privacy of student education records. It applies to any institution that receives federal education funding—which includes virtually all U.S. colleges and universities. Under FERPA, education records are protected from unauthorized disclosure, and students have rights to access, correct, and control their own records.

An “education record” is any information recorded in any medium—including handwritten notes, electronic files, videos, and text messages—that is directly related to a student and maintained by the school. Student name, ID number, GPA, major, housing information, financial aid status, and academic standing all constitute education records and are protected under FERPA.

The core FERPA requirement: don’t disclose education records to anyone except under specific circumstances.

Violating this prohibition can result in the U.S. Department of Education withholding federal education funds from the entire institution—a penalty so severe that universities take FERPA seriously.

What Student Data Can Be Shared via SMS (And What Cannot)

The key question for SMS compliance: what information can appear in a text message to a student?

Data You CAN Share via SMS

General reminders and announcements that don’t contain personally identifiable protected information. Examples:

“Housing registration closes May 20. Don’t miss the deadline!”
(no student name, no student-specific data)
“Orientation sessions are now available. Sign up here: [link]”
(generic announcement)
“Your financial aid offer is ready to view in your student portal.”
(does not contain specific amounts or details)
“Your placement test scores are available. Log in to check them.”
(alerts student to check portal, doesn’t transmit scores)

The pattern: you can tell a student that information about them exists and invite them to access it securely, but you should not transmit the actual protected information via SMS.

Data You CANNOT Share via SMS Without Explicit Consent

Specific academic, financial, or health information. Examples of violations:

“Your GPA is 3.42. You’re on the Dean’s List.”
(GPA is protected)
“Your outstanding balance is $2,450.”
(financial information)
“Your major is listed as Psychology, but we show no degree progress. Meet with your advisor.”
(major + degree status)
“You’ve registered for our counseling center appointment on Tuesday at 2 p.m.”
(health/mental health data)
“Your International Student Status is expiring. Contact International Student Services.”
(visa status is protected)

These messages contain specific protected information that FERPA restricts. Sending them via SMS without prior written consent from the student is a violation.

The Directory Information Exception and Student Consent

FERPA allows institutions to disclose limited “directory information” without student consent. Directory information typically includes: student name, address, email, phone number, date and place of birth, major, enrollment status, degree honors, and dates of attendance.

However—and this is critical—directory information is not automatically public. Students have the right to restrict disclosure of their directory information. Institutions must inform students of their rights and allow them to opt out. If a student opts out, even directory information cannot be disclosed.

For SMS purposes, directory information in a message is safer than protected information. A text saying “Hi Sarah, your enrollment is confirmed for Fall 2026” uses only directory information (name, enrollment status). But if a student has opted out of directory information disclosure, even this message could violate FERPA if sent to a third party.

Always check your student directory information settings and respect student opt-out requests.

FERPA Compliance Requirements for SMS

If you do send messages containing protected student information via SMS, you must meet these compliance requirements:

1. Written Consent

Obtain explicit written consent from the student before disclosing protected information via SMS. This consent should specify:

What information will be shared (e.g., “financial aid award amounts, outstanding balance”)
Via what channel (SMS/text message)
For what purpose (e.g., “reminder of deadline,” “status update”)
How long the consent lasts (e.g., “until graduation,” “for the duration of enrollment”)

A simple checkbox in your student portal or a text message that says “Do you want to receive financial aid reminders via text?” establishes consent. Documentation is key: keep records of when consent was given.

2. Encryption and Security

SMS itself is not encrypted—text messages travel over cellular networks and are stored in plain text on devices. For FERPA compliance when transmitting protected information via SMS, you must use a platform that encrypts messages. Reputable SMS platforms for education compliance use end-to-end encryption, secure servers, and access controls to reduce risk.

Note: This is one reason many institutions choose to send alerts that point students to secure portals rather than transmitting protected data directly in SMS.

3. Access Controls

Limit who within your institution can send SMS messages containing protected student information. Not every staff member should have access to a system that can broadcast student financial information via text.

Implement role-based access controls: enrollment counselors can send enrollment reminders, financial aid staff can send aid-related messages, etc.

4. Data Retention Policies

Establish and document how long SMS message records are retained. FERPA doesn’t specify retention periods, but best practice is to keep transaction logs for 3–5 years (in case of audits or complaints) and delete student content data after its usefulness expires.

5. Business Associate Agreements (BAAs)

If you use a third-party SMS platform, that vendor is a service provider under FERPA. You should have a contract (Business Associate Agreement or similar) that ensures the vendor agrees to protect student data, limit use to the specified purpose, and implement required security measures.

FERPA vs. HIPAA Compliance Requirements

If your institution operates a health center or behavioral health program, you may be familiar with HIPAA (Health Insurance Portability and Accountability Act), which protects health information. FERPA and HIPAA coexist in higher education, and they have different requirements.

Here’s how they compare for SMS:

Requirement	FERPA (Education Records)	HIPAA (Health Information)
What’s Protected	Student education records (academics, financial, enrollment, etc.)	Protected health information (diagnoses, treatments, test results)
Primary Audience	Students and education institutions	Patients and healthcare providers
Consent for Disclosure	Written consent required for protected info disclosure	Written consent/authorization required; stricter requirements
Encryption Requirement	Recommended; not strictly required by FERPA but best practice	Required (HIPAA mandates encryption for ePHI)
Third-Party Vendors	Service provider agreements advised	Business Associate Agreements (BAAs) mandatory
SMS Suitability	Better suited for directory info / portal alerts; risky for detailed protected data	Less suitable for SMS; HIPAA generally prefers secure portals
Breach Notification	FERPA: complaint to Department of Education	HIPAA: state attorneys general, HHS, media notification (60+ days)

Key takeaway: if you’re sending health-related information (even from a student health center), apply HIPAA standards in addition to FERPA. This typically means avoiding SMS for actual health data and using secure portals instead.

Common FERPA Violations in SMS and How to Avoid Them

Here are real-world mistakes institutions make with SMS:

Violation #1: Sending GPA or academic standing updates via SMS without consent

Fix: Only send alerts that invite students to log in.
“Check your academic standing in your portal” is safe.
“Your GPA is 2.8 and you’re on academic probation” is not.

Violation #2: Confirming specific financial aid amounts in SMS

Fix: Direct students to their portal.
“Your financial aid offer is ready” is safe.
“Your grant is $5,000 and your loan is $7,000” is a violation.

Violation #3: Sending messages to a phone number without confirming the recipient

Fix: Get explicit consent that the phone number belongs to the student, and that the student wants institution messages at that number. If a student gives you a parent’s phone number by accident, you’ve just disclosed protected information to an unauthorized third party.

Violation #4: Retaining SMS message records indefinitely

Fix: Document your data retention policy. Delete SMS transaction logs after 3–5 years or after the relevant deadline or semester has passed.

Violation #5: Sharing student information with third parties via SMS

For example, texting a student’s family member without consent.

Fix: Only communicate with the student directly, to the phone number the student has authorized.

Building a FERPA-Compliant SMS Program

If you’re launching an SMS initiative at your institution, here’s a compliance checklist:

Audit which student data you’re currently sharing (academic, financial, health, other)
Obtain written consent from students before sending protected information
Choose an SMS platform with encryption and compliance certifications
Implement role-based access controls and define who can send what
Draft a data retention policy and stick to it
Create or update your service provider agreements to include SMS vendors
Train staff on FERPA requirements and SMS do’s and don’ts
Document your procedures and keep them accessible for audits
Establish a breach notification process in case of accidental disclosure

The Bottom Line: FERPA and SMS Can Coexist

FERPA compliance doesn’t prohibit SMS. It requires thoughtful implementation. The safest approach for most institutions: use SMS for directory information and portal alerts, not for transmitting specific protected data. Tell students to “check your portal,” and let your secure online system handle the sensitive details. This approach maximizes engagement (SMS open rates) while minimizing legal risk.

If you must send protected information via SMS, ensure you have written consent, use encryption, implement access controls, and document everything. With these safeguards in place, SMS becomes a powerful channel for keeping students engaged throughout their enrollment journey—legally and securely.

FRANSiS™ helps higher education institutions implement FERPA-compliant SMS programs with built-in consent workflows, encryption, role-based access, and compliance documentation.

How Universities Use SMS to Prevent Summer Melt (/blog/summer-melt-sms-prevention-universities)
Student Enrollment SMS: How AI Improves Yield (/blog/ai-enrollment-sms-boost-yield)
HIPAA Compliant SMS Platforms: Complete Comparison (/blog/hipaa-compliant-sms-platforms-comparison)

Book a demo to see how FRANSiS™ simplifies FERPA-compliant student communication. Visit

‍

Join The Troop

FERPA Compliant SMS: Higher Ed Compliance Guide | FRANSiS™