FERPA Compliant SMS: What Higher Ed Institutions Need to Know

When universities and colleges use text messaging to communicate with

students, they enter a legal minefield. The Family Educational Rights

and Privacy Act (FERPA) tightly controls what student information can be

shared, with whom, and under what circumstances. A single SMS sent

without proper consent or containing protected data could expose an

institution to FERPA violations, loss of federal funding, and

reputational damage.

Yet FERPA compliance doesn\'t mean abandoning SMS. Thousands of

institutions use text messaging successfully to communicate with

students---when they understand the rules and implement them correctly.

This guide explains FERPA requirements as they apply to SMS, clarifies

what data can and cannot be shared, and provides a roadmap for FERPA

compliant text messaging programs.

FERPA Basics: What It Covers

FERPA, enacted in 1974, is a federal law that protects the privacy of

student education records. It applies to any institution that receives

federal education funding---which includes virtually all U.S. colleges

and universities. Under FERPA, education records are protected from

unauthorized disclosure, and students have rights to access, correct,

and control their own records.

An \"education record\" is any information recorded in any

medium---including handwritten notes, electronic files, videos, and text

messages---that is directly related to a student and maintained by the

school. Student name, ID number, GPA, major, housing information,

financial aid status, and academic standing all constitute education

records and are protected under FERPA.

The core FERPA requirement: don\'t disclose education records to anyone

except under specific circumstances (which we\'ll detail below).

Violating this prohibition can result in the U.S. Department of

Education withholding federal education funds from the entire

institution---a penalty so severe that universities take FERPA

seriously.

What Student Data Can Be Shared via SMS (And What Cannot)

The key question for SMS compliance: what information can appear in a

text message to a student?

Data You CAN Share via SMS

General reminders and announcements that don\'t contain personally

identifiable protected information. Examples:

\"Housing registration closes May 20. Don\'t miss the deadline!\" (no

student name, no student-specific data)

\"Orientation sessions are now available. Sign up here: \[link\]\"

(generic announcement)

\"Your financial aid offer is ready to view in your student portal.\"

(does not contain specific amounts or details)

\"Your placement test scores are available. Log in to check them.\"

(alerts student to check portal, doesn\'t transmit scores)

The pattern: you can tell a student that information about them exists

and invite them to access it securely, but you should not transmit the

actual protected information via SMS.

Data You CANNOT Share via SMS Without Explicit Consent

Specific academic, financial, or health information. Examples of

violations:

\"Your GPA is 3.42. You\'re on the Dean\'s List.\" (GPA is protected)

\"Your outstanding balance is \$2,450.\" (financial information)

\"Your major is listed as Psychology, but we show no degree progress.

Meet with your advisor.\" (major + degree status)

\"You\'ve registered for our counseling center appointment on Tuesday at

2 p.m.\" (health/mental health data)

\"Your International Student Status is expiring. Contact International

Student Services.\" (visa status is protected)

These messages contain specific protected information that FERPA

restricts. Sending them via SMS without prior written consent from the

student is a violation.

The Directory Information Exception and Student Consent

FERPA allows institutions to disclose limited \"directory information\"

without student consent. Directory information typically includes:

student name, address, email, phone number, date and place of birth,

major, enrollment status, degree honors, and dates of attendance.

However---and this is critical---directory information is not

automatically public. Students have the right to restrict disclosure of

their directory information. Institutions must inform students of their

rights and allow them to opt out. If a student opts out, even directory

information cannot be disclosed.

For SMS purposes, directory information in a message is safer than

protected information. A text saying \"Hi Sarah, your enrollment is

confirmed for Fall 2026\" uses only directory information (name,

enrollment status). But if a student has opted out of directory

information disclosure, even this message could violate FERPA if sent to

a third party.

Always check your student directory information settings and respect

student opt-out requests.

FERPA Compliance Requirements for SMS

If you do send messages containing protected student information via

SMS, you must meet these compliance requirements:

1\. Written Consent

Obtain explicit written consent from the student before disclosing

protected information via SMS. This consent should specify:

What information will be shared (e.g., \"financial aid award amounts,

outstanding balance\")

Via what channel (SMS/text message)

For what purpose (e.g., \"reminder of deadline\", \"status update\")

How long the consent lasts (e.g., \"until graduation\", \"for the

duration of enrollment\")

A simple checkbox in your student portal or a text message that says

\"Do you want to receive financial aid reminders via text?\" establishes

consent. Documentation is key: keep records of when consent was given.

2\. Encryption and Security

SMS itself is not encrypted---text messages travel over cellular

networks and are stored in plain text on devices. For FERPA compliance

when transmitting protected information via SMS, you must use a platform

that encrypts messages. Reputable SMS platforms for education compliance

use end-to-end encryption, secure servers, and access controls to reduce

risk.

Note: This is one reason many institutions choose to send alerts that

point students to secure portals rather than transmitting protected data

directly in SMS.

3\. Access Controls

Limit who within your institution can send SMS messages containing

protected student information. Not every staff member should have access

to a system that can broadcast student financial information via text.

Implement role-based access controls: enrollment counselors can send

enrollment reminders, financial aid staff can send aid-related messages,

etc.

4\. Data Retention Policies

Establish and document how long SMS message records are retained. FERPA

doesn\'t specify retention periods, but best practice is to keep

transaction logs for 3-5 years (in case of audits or complaints) and

delete student content data after its usefulness expires.

5\. Business Associate Agreements (BAAs)

If you use a third-party SMS platform, that vendor is a \"service

provider\" under FERPA. You should have a contract (Business Associate

Agreement or similar) that ensures the vendor agrees to protect student

data, limit use to the specified purpose, and implement required

security measures.

FERPA vs. HIPAA Compliance Requirements

If your institution operates a health center or behavioral health

program, you may be familiar with HIPAA (Health Insurance Portability

and Accountability Act), which protects health information. FERPA and

HIPAA coexist in higher education, and they have different requirements.

Here\'s how they compare for SMS:

------------------------ ------------------------------------------------------------------------------------- --------------------------------------------------------------------

Requirement              FERPA (Education Records)                                                             HIPAA (Health Information)

What\'s Protected        Student education records (academics, financial, enrollment, etc.)                    Protected health information (diagnoses, treatments, test results)

Primary Audience         Students and education institutions                                                   Patients and healthcare providers

Consent for Disclosure   Written consent required for protected info disclosure                                Written consent/authorization required; stricter requirements

Encryption Requirement   Recommended; not strictly required by FERPA but best practice                         Required (HIPAA mandates encryption for ePHI)

Third-Party Vendors      Service provider agreements advised                                                   Business Associate Agreements (BAAs) mandatory

SMS Suitability          Better suited for directory info / portal alerts; risky for detailed protected data   Less suitable for SMS; HIPAA generally prefers secure portals

Breach Notification      FERPA: complaint to Department of Education                                           HIPAA: state attorneys general, HHS, media notification (60+ days)

------------------------ ------------------------------------------------------------------------------------- --------------------------------------------------------------------

Key takeaway: if you\'re sending health-related information (even from a

student health center), apply HIPAA standards in addition to FERPA. This

typically means avoiding SMS for actual health data and using secure

portals instead.

Common FERPA Violations in SMS and How to Avoid Them

Here are real-world mistakes institutions make with SMS:

Violation \#1: Sending GPA or academic standing updates via SMS without

consent.

Fix: Only send alerts that invite students to log in. \"Check your

academic standing in your portal\" is safe. \"Your GPA is 2.8 and

you\'re on academic probation\" is not.

Violation \#2: Confirming specific financial aid amounts in SMS.

Fix: Direct students to their portal. \"Your financial aid offer is

ready\" (safe) vs. \"Your grant is \$5,000 and your loan is \$7,000\"

(violation).

Violation \#3: Sending messages to a phone number without confirming the

recipient.

Fix: Get explicit consent that the phone number belongs to the student,

and that the student wants institution messages at that number. If a

student gives you a parent\'s phone number by accident, you\'ve just

disclosed protected information to an unauthorized third party.

Violation \#4: Retaining SMS message records indefinitely.

Fix: Document your data retention policy. Delete SMS transaction logs

after 3-5 years or after the relevant deadline/semester has passed.

Violation \#5: Sharing student information with third parties via SMS

(e.g., texting a student\'s family member without consent).

Fix: Only communicate with the student directly, to the phone number the

student has authorized.

Building a FERPA-Compliant SMS Program

If you\'re launching an SMS initiative at your institution, here\'s a

compliance checklist:

☐ Audit which student data you\'re currently sharing (academic,

financial, health, other)

☐ Obtain written consent from students before sending protected

information

☐ Choose an SMS platform with encryption and compliance certifications

☐ Implement role-based access controls (define who can send what)

☐ Draft a data retention policy and stick to it

☐ Create or update your service provider agreements to include SMS

vendors

☐ Train staff on FERPA requirements and SMS do\'s and don\'ts

☐ Document your procedures and keep them accessible for audits

☐ Establish a breach notification process in case of accidental

disclosure

The Bottom Line: FERPA and SMS Can Coexist

FERPA compliance doesn\'t prohibit SMS. It requires thoughtful

implementation. The safest approach for most institutions: use SMS for

directory information and portal alerts, not for transmitting specific

protected data. Tell students to \"check your portal,\" and let your

secure online system handle the sensitive details. This approach

maximizes engagement (SMS open rates) while minimizing legal risk.

If you must send protected information via SMS, ensure you have written

consent, use encryption, implement access controls, and document

everything. With these safeguards in place, SMS becomes a powerful

channel for keeping students engaged throughout their enrollment

journey---legally and securely.

FRANSiS™ helps higher education institutions implement FERPA-compliant

SMS programs with built-in consent workflows, encryption, role-based

access, and compliance documentation.

Related Articles:

  • How Universities Use SMS to Prevent Summer Melt (/blog/summer-melt-sms-prevention-universities)
  • Student Enrollment SMS: How AI Improves Yield (/blog/ai-enrollment-sms-boost-yield)
  • HIPAA Compliant SMS Platforms: Complete Comparison (/blog/hipaa-compliant-sms-platforms-comparison)

Book a demo to see how FRANSiS™ simplifies FERPA-compliant student

communication. Visit

Join The Troop

Sign up for our mailing list for insights, perks, and more!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Footer Logo

HIPAA-native AI platform trusted by mission-based organizations nationwide.

List Icon
2505 Anthem Village Drive, Suite E114 Henderson, Nevada, 89052
List Icon
+1(725) 302-3343‬
List Icon
Hello@fransis.us
Platform
PricingSecurityArticles
Solutions
HealthcareEducationNonprofitsGovernment
Resources
Customer StoriesSecurity DocumentationSupportPrivacy PolicyTerms & ConditionsText Messaging Privacy & Consent Policy
Company
AboutContact

© 2026 FRANSiS AI. All rights reserved.

PrivacyTermsHIPAA