The Family Education Rights and Privacy Act (FERPA) is intended to protect student privacy, but has not adapted well to current technology. We consider a special class of student data: directory information. Unlike other FERPA-controlled data, directory information (e.g., student names, contact information, university affiliation) can be shared publicly online or by request without explicit permission.

To understand this policy’s impact, we investigated 100 top-ranked US universities’ directory information sharing practices, finding they publish student contact information online, and provide PII offline by request to many parties, including data brokers. Universities provide limited opt out choices, and focus on negative effects when advising students about opting out. Lastly, we evaluate student preferences regarding the identified directory practices through a survey of 991 US university students. Based on these results, we provide recommendations to align directory practices with student privacy preferences.