
Campus Security AI, Facial Recognition, and the FERPA Question

By Basel Ismail, May 29, 2026

Universities have been quietly deploying facial recognition systems for campus security over the past several years. Some of these deployments are modest, like using biometric access control at residence halls. Others are more ambitious, scanning crowds at sporting events or monitoring building entrances across an entire campus. The security rationale is straightforward. But the moment a facial recognition system links a biometric scan to a student's identity, schedule, or location pattern, you're potentially inside FERPA territory, and that changes the compliance calculus significantly.

Where Facial Recognition Meets Education Records

FERPA (20 U.S.C. § 1232g) protects "education records," defined broadly as records that are directly related to a student and maintained by an educational agency or institution. The Department of Education has historically interpreted "maintained" to include records kept by a party acting for the institution. So when a university contracts with a facial recognition vendor and that vendor stores biometric templates linked to student identities, the question becomes whether those records qualify.

The answer is almost certainly yes in many deployment scenarios. If a system logs that a specific student entered a chemistry lab at 2:14 PM on a Tuesday, and that log is maintained as part of the institution's records infrastructure, it fits comfortably within FERPA's definition. The biometric template itself, when linked to a student's identity, is directly related to that student. The fact that the record was generated by an AI system rather than a registrar doesn't change the analysis.

There is a narrow exception worth noting. FERPA excludes "records maintained by a law enforcement unit of the educational institution" from the definition of education records, provided those records are created by the law enforcement unit for law enforcement purposes and maintained separately. This is the carve-out under 34 CFR § 99.8. Some institutions have tried to route their facial recognition programs through campus police departments to land inside this exception. It can work, but the boundaries are thin. If campus security shares facial recognition data with the dean of students for a disciplinary proceeding, or if the system is integrated with student information systems, the law enforcement unit exception likely collapses.

The Vendor Problem

Most universities aren't building facial recognition in-house. They're contracting with companies like Verkada, Clearview AI, or smaller niche vendors. Under FERPA, these vendors need to qualify as "school officials" with "legitimate educational interests" under 34 CFR § 99.31(a)(1). That means the contract needs to specify that the vendor is performing a service the institution would otherwise perform itself, that the vendor is under direct control of the institution regarding use and maintenance of education records, and that the vendor won't redisclose the information without authorization.

This is where things get uncomfortable. Facial recognition vendors often retain biometric data for model training. They may aggregate data across clients. Clearview AI's entire business model, before it got hit with enforcement actions across multiple jurisdictions, was built on scraping and aggregating facial data. The Illinois BIPA settlement alone cost Clearview $50 million in 2024. If your vendor is doing anything with student biometric data beyond the narrow scope of the contract, you have a FERPA violation on your hands, and the institution bears the risk, not the vendor.

The Department of Education's Student Privacy Policy Office (SPPO) has been clear on this point in guidance letters. The 2011 and 2015 guidance on outsourced institutional services emphasized that institutions cannot outsource their FERPA obligations. You can outsource the function; you cannot outsource the compliance.

Consent, Directory Information, and Biometrics

FERPA generally requires written consent before disclosing personally identifiable information from education records. There are exceptions, the school official exception being the most commonly invoked for vendor relationships. But consent becomes a live issue when facial recognition data is shared with external law enforcement agencies, which happens more often than institutions like to admit.

Some institutions have considered classifying student photographs as "directory information" under 34 CFR § 99.3, which can be disclosed without consent unless a student opts out. A photograph might qualify. A biometric faceprint derived from that photograph almost certainly does not. The biometric template is a mathematically derived representation of facial geometry. It is not the same as a yearbook photo. The SPPO has not issued specific guidance on this distinction, but the logic tracks with how other regulators have treated biometric identifiers. Illinois BIPA, Texas CUBI, and Washington's biometric privacy statute all treat biometric identifiers as a distinct and more sensitive category than photographs.

This gap in explicit federal guidance creates real risk for institutions. You're making classification decisions about novel data types under a statute written in 1974, and the enforcement mechanism, potential loss of federal funding, is severe enough that conservative interpretation is the rational approach.

The Policy Posture Institutions Should Adopt

Given the regulatory uncertainty, institutions deploying facial recognition for campus security should consider several concrete steps:

  • Conduct a FERPA-specific data mapping exercise for any facial recognition system. Identify every point where biometric data intersects with student identity information. If those intersections exist, treat the data as education records.
  • Audit vendor contracts against 34 CFR § 99.31(a)(1) requirements. Specifically confirm that the vendor does not retain biometric data for purposes beyond the contracted service, does not use student data for model training, and has adequate access controls and breach notification provisions.
  • Do not rely on the law enforcement unit exception unless the facial recognition system is genuinely operated by and maintained exclusively within the campus law enforcement unit, with no data sharing to academic or administrative functions.
  • Do not classify biometric templates as directory information. The risk of misclassification far outweighs the administrative convenience of avoiding consent requirements.
  • Layer state biometric privacy laws into the analysis. At least ten states now have biometric privacy statutes or relevant consumer privacy laws. FERPA compliance alone is not sufficient if your institution operates in Illinois, Texas, Washington, or any state with a private right of action for biometric violations.
  • Establish a clear retention and deletion schedule for biometric data. FERPA doesn't specify retention periods for education records, but state biometric laws often do. Illinois BIPA requires destruction within three years of last interaction or when the purpose for collection is satisfied, whichever comes first.

The University of Michigan's 2020 moratorium on facial recognition technology is one example of an institution deciding the compliance and ethical risks outweighed the security benefits. Other institutions, particularly those with large campus police operations and Division I athletics programs, have moved in the opposite direction. Neither approach is inherently wrong, but the institutions moving forward need to be doing so with eyes open on the FERPA implications.

Where FirmAdapt Fits

FirmAdapt's platform is built for exactly this kind of multi-layered regulatory problem, where federal requirements like FERPA intersect with state biometric privacy laws and vendor management obligations. The compliance mapping tools allow institutions to trace data flows from facial recognition systems through vendor infrastructure and back, identifying FERPA exposure points and flagging contract provisions that fall short of 34 CFR § 99.31 requirements.

For education institutions evaluating or already running campus security AI, FirmAdapt provides a structured way to document compliance decisions, maintain audit trails, and adapt as the SPPO issues new guidance or state legislatures expand biometric privacy protections. The architecture treats regulatory overlap as a default condition rather than an edge case, which is the right posture for any institution operating facial recognition systems that touch student data.
