Amelia Vance has an important piece on NASBE about FERPA and directory information. Her piece includes some research conducted last year:
In 2017, data analyst Leah Figueroa sent email requests to 10 institutions of higher education asking for “a listing of student directory information.” Three schools requested that she fill out a Freedom of Information Act (FOIA) request before she could receive the data (depending on the state, directory information may or may not be considered subject to state FOIA laws); two schools sent her a public link to their student directory; and one provided her with the records of 22,006 of their students after she paid $50. Figueroa did not need to identify herself or provide a reason why she needed the information—even though sensitive information was shared with her, such as telephone numbers and email addresses. She noted that, while most directory information requests are legitimate, coming from “researchers or other colleges seeking to recruit students—some are likely coming from predatory loan companies,” other “aggressive marketers,” or even a stalker seeking the “dorm address of a student.”
Read more on NASBE.