FERPA Waiver and Privacy in Recommendation Letters

FERPA is a federal law enacted in 1974 and codified at 20 USC section 1232g, with implementing regulations at 34 CFR Part 99. It applies to all educational institutions that receive federal funding under programs administered by the US Department of Education. The Family Policy Compliance Office within the Department of Education enforces FERPA and publishes interpretive guidance.

FERPA does two principal things relevant to recommendation letters. First, it gives students aged 18 and over (and parents of students under 18) the right to inspect and review the student's education records, including the right to seek correction of inaccurate records and the right to consent to disclosures of personally identifiable information. Second, it restricts the disclosure of personally identifiable information from education records without the student's consent (or the consent of the parents of students under 18), subject to a number of statutory exceptions.

Recommendation letters that have been submitted to a school and placed in a student's education record are themselves part of the education record under FERPA, with the consequence that the student normally has the right to inspect them. The FERPA waiver on application forms is the student's voluntary written waiver of that specific right, applied to specific recommendation letters submitted in the application context. The waiver is provided for at 20 USC section 1232g(a)(1)(C) and the relevant regulations.

Most US college, graduate-school, and professional-school applications include a question on the recommender-invitation form asking whether the applicant waives the FERPA right of inspection for the letters being submitted. The Common Application, AMCAS, LSAC, and most institutional applications include the question; the wording varies but the substantive question is the same.

The convention across US academic advising is to recommend that applicants waive. The structural reason: admissions committees read waived letters as more candid than non-waived letters, on the inference that recommenders writing with the knowledge that the applicant cannot later read the letter are freer to write honestly. Non-waived letters are sometimes discounted on the assumption that the recommender wrote softer than they would have without the candidate's potential later view.

The waiver is genuinely voluntary; FERPA does not require the applicant to waive, and the right of inspection survives if the applicant does not waive. The cost of not waiving is the structural one described above: the committee may read the letter with somewhat more scepticism than it would read a waived letter. For most applicants in most contexts, the convention to waive is the cleaner choice and is what experienced advisors recommend. The exception: applicants with a specific reason to want the inspection right (a contested situation with a prior teacher or supervisor, a concern that a specific recommender may write inaccurately) may reasonably choose not to waive in particular cases.

The waiver prevents the student from invoking the FERPA right of inspection for the specific letters covered. It does not prevent the recommender from voluntarily sharing the letter with the student if the recommender chooses to. Some faculty share their drafts with the students they recommend; others maintain a confidentiality practice and do not share. The recommender's discretion is not constrained by the waiver in either direction; the waiver only constrains the student's institutional right of inspection.

The waiver also does not prevent the student from obtaining the letter through other means after the application cycle. If the student is admitted and enrolls at the institution, FERPA may give the student access to the broader education record at the institution, with rules that vary by the institution's policies and the specific records involved. Most institutions treat application-stage recommendation letters as separate from the enrolled-student education record and do not provide retrospective access to waived letters; the practice varies.

The waiver does not affect the institution's obligation to maintain the confidentiality of the letter from third parties. FERPA's broader prohibitions on disclosure of personally identifiable information continue to apply; the institution cannot share the letter publicly or with third parties outside the FERPA exceptions, regardless of whether the student waived inspection. The waiver is specifically about the student's own right of inspection, not about external disclosure.

Title IX of the Education Amendments of 1972 (20 USC sections 1681 to 1688) prohibits sex discrimination in education programs and activities at schools receiving federal funding. The 2024 Title IX regulations, which came into effect in August 2024 and have been subject to ongoing litigation, modified the framework that governs the application of Title IX to a range of contexts; institutions and applicants should consult the current Department of Education guidance for the operative interpretation.

The intersection of Title IX with the recommendation-letter process arises in two principal contexts. First, recommendation letters that contain commentary on sex, gender identity, sexual orientation, pregnancy, family status, or related categories can raise Title IX concerns if the commentary appears to influence the admission or employment decision in a discriminatory way. The cleanest practice for recommenders is to focus on the candidate's academic or professional qualifications and to omit commentary on protected characteristics, even when intended supportively.

Second, recommendations from faculty members who have been the subject of Title IX investigations or findings can themselves become a privacy and procedural-fairness question. Institutions handling such recommendations face a balancing question between the candidate's interest in having the recommendation considered, the institution's interest in the integrity of its admissions process, and the privacy interests of all parties involved in the underlying Title IX matter. This area of practice continues to evolve; institutions typically address it through case-specific procedures rather than general policies.

Recommenders sometimes consider disclosing sensitive information about a student or candidate in a letter, with the intent of providing context that supports the application: a family circumstance that affected academic performance, a mental health history that bears on a gap in the record, a disability that the candidate has not chosen to disclose institutionally. The discretion question is significant; the default should be discretion with explicit consent for exceptions.

Information in a student's education record (grades, formal disciplinary actions, attendance, documented accommodations) is FERPA-protected and cannot be redisclosed in a recommendation letter without the student's consent, even by the faculty member who has access to the record through their teaching role. The FERPA disclosure exception for legitimate educational interest does not extend to placing the information in an outgoing recommendation letter.

Information the student has shared with the recommender in confidence (personal circumstances, mental health, family situations, sexuality, gender identity, immigration status, financial difficulty) is not FERPA-protected per se but carries strong ethical-confidentiality obligations. The cleanest practice is for the recommender to ask the student explicitly whether and how to address the sensitive context in the letter, to defer to the student's preference, and to omit the context if the student is uncertain. The candidate's autonomy over the narrative of their own application is the controlling consideration; the recommender's intent to help does not override the candidate's privacy choice.

For recommendations involving medical or healthcare contexts, the Health Insurance Portability and Accountability Act (HIPAA) may overlay on top of FERPA in some circumstances. HIPAA's Privacy Rule applies to covered entities (most healthcare providers, health plans, healthcare clearinghouses); a faculty physician writing a recommendation for a former medical-student trainee operates as a covered entity in the patient-care context and as a non-covered entity in the academic-recommendation context. The interaction can be complex; the cleanest practice is to keep clinical information out of academic recommendation letters and to address clinical performance through the institution's structured medical-student or resident evaluation process.

For recommendations involving financial-services contexts, the Gramm-Leach-Bliley Act (GLBA) imposes privacy obligations on financial institutions that may bear on what an employer in the financial-services industry can say about a former employee in a reference. The interaction is narrower than the HIPAA-FERPA crossover but can apply in specific situations involving customer-specific information.

For most recommendation-letter contexts, FERPA is the operative privacy framework and the other federal privacy laws do not add significant complexity. The structural question for the recommender is the discretion question: what belongs in this letter, who has consented to what disclosure, and what is the cleanest practice for the specific situation. The legal framework provides the boundaries; the recommender's judgement determines the practice within them.