COPPA and FERPA: EdTech Compliance Essentials
Building education technology means navigating COPPA for young children and FERPA for students of all ages. Here's what EdTech founders must understand before launching.
Jason Overmier
Innovative Prospects Team
Education technology sits at the intersection of innovation and regulation. You’re building tools to help students learn, but you’re also handling data about children and young adults. The regulatory framework reflects that sensitivity.
Two laws dominate EdTech compliance: COPPA for young children and FERPA for students of all ages. They’re often confused, but they serve different purposes and apply differently.
Here’s what EdTech founders need to understand before collecting their first student data point.
Quick Answer
| Law | Who It Protects | When It Applies | Key Requirement |
|---|---|---|---|
| COPPA | Children under 13 | Any website/app collecting data from children | Parental consent before collection |
| FERPA | Students (any age) | Educational institutions receiving federal funding | Protect education records, limit disclosure |
Key insight: COPPA applies to you directly as an EdTech provider. FERPA applies primarily to schools, but you’ll feel its requirements through contracts and data processing agreements.
COPPA: Children’s Online Privacy Protection Act
COPPA applies to any online service that:
- Targets children under 13, or
- Has actual knowledge it’s collecting data from children under 13
What COPPA Requires
| Requirement | What It Means for You |
|---|---|
| Parental notice | Clear privacy policy explaining data practices |
| Parental consent | Verifiable consent before collecting data from children |
| Parental access | Parents can review, delete, and refuse further collection |
| Data minimization | Only collect what’s reasonably necessary |
| Security | Reasonable security practices |
| Retention limits | Delete when no longer needed |
Verifiable Parental Consent
This is the biggest operational challenge. Acceptable methods:
| Method | Practical Notes |
|---|---|
| Signed consent form | Traditional, works for school-wide deployments |
| Credit card transaction | Not practical for most EdTech |
| Phone/video verification | Requires staff time |
| Email + additional verification | Common for lower-risk services |
| School-based consent | For school-directed services, school can consent |
For school-focused EdTech: Schools can often provide consent on behalf of parents for educational purposes, but this requires specific conditions and documentation.
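As an added example (not code from the original post), here is a fail-closed gate that refuses to collect a child's data until a consent record has actually been verified through one of the methods above, treats any revocation as a refusal of further collection, and accepts school-based consent only when the school, the educational purpose and the supporting document are on file. The record fields and the block reasons are assumptions for illustration.

```typescript
// Added example: fail-closed COPPA consent gate (field names are assumptions).
type ConsentMethod = "signed_form" | "credit_card" | "phone_video" | "email_plus" | "school";

interface ConsentRecord {
  childId: string;
  method: ConsentMethod;
  verifiedAt?: Date;   // set only after the method's verification step succeeded
  revokedAt?: Date;    // parent withdrew consent or refused further collection
  // Required for method === "school": evidence the school may consent on the parent's behalf
  schoolAuthorization?: { schoolId: string; educationalPurpose: string; documentRef: string };
}

function schoolConsentDocumented(c: ConsentRecord): boolean {
  const a = c.schoolAuthorization;
  return !!a && a.schoolId.length > 0 && a.educationalPurpose.length > 0 && a.documentRef.length > 0;
}

// Returns null when collection may proceed, otherwise the reason it is blocked.
// A revocation wins over every other record, so a parent's refusal always stops collection.
function collectionBlockReason(childId: string, consents: ConsentRecord[]): string | null {
  const mine = consents.filter(c => c.childId === childId);
  if (mine.length === 0) return "no consent on file";
  if (mine.some(c => c.revokedAt)) return "parent refused further collection";
  const verified = mine.filter(c => c.verifiedAt);
  if (verified.length === 0) return "consent requested but not yet verified";
  const usable = verified.some(c => c.method !== "school" || schoolConsentDocumented(c));
  return usable ? null : "school-based consent lacks required documentation";
}

// Constructed sample records for a stand-alone run.
const SAMPLE_CONSENTS: ConsentRecord[] = [
  { childId: "child-1", method: "email_plus", verifiedAt: new Date("2024-09-01") },
  { childId: "child-2", method: "email_plus" },                       // email sent, never verified
  { childId: "child-3", method: "school", verifiedAt: new Date("2024-08-15"),
    schoolAuthorization: { schoolId: "", educationalPurpose: "reading program", documentRef: "" } },
  { childId: "child-4", method: "signed_form", verifiedAt: new Date("2024-08-01"),
    revokedAt: new Date("2024-10-01") },
];

for (const id of ["child-1", "child-2", "child-3", "child-4", "child-5"]) {
  console.log(id, collectionBlockReason(id, SAMPLE_CONSENTS) ?? "collection allowed");
}
```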
COPPA-Safe Harbor Programs
The FTC has approved safe harbor programs that provide certification:
| Program | What It Provides |
|---|---|
| PRIVO | Certification and consent management |
| kidSAFE | Seal program with guidelines |
| CARU | Self-regulatory guidelines |
Certification doesn’t guarantee compliance, but it demonstrates good faith.
COPPA Penalties
| Violation | Maximum Penalty |
|---|---|
| Per violation | $50,120 (2024 figure, adjusted annually) |
Note: Each child affected can count as a separate violation. A single app with thousands of child users could face millions in penalties.
FERPA: Family Educational Rights and Privacy Act
FERPA applies to educational institutions that receive federal funding. It doesn’t directly regulate EdTech companies, but it shapes every contract you’ll sign with schools.
What FERPA Protects
FERPA protects “education records”: records directly related to a student and maintained by the educational institution.
| Protected | Not Protected |
|---|---|
| Grades and transcripts | Directory information (with opt-out) |
| Disciplinary records | Personal notes of educators |
| Special education records | Law enforcement records |
| Health records held by school | Employment records (if not students) |
Student/Parent Rights Under FERPA
| Right | Description |
|---|---|
| Access | Review education records within 45 days of request |
| Amendment | Request correction of inaccurate records |
| Consent | Control disclosure of personally identifiable information |
| Complaint | File complaints with the Department of Education |
How FERPA Affects EdTech Companies
Schools can’t share FERPA-protected data with you without meeting specific requirements:
| Requirement | Practical Meaning |
|---|---|
| Legitimate educational interest | Data used only for school’s educational purposes |
| Written agreement | Contract specifying data use, destruction requirements |
| Annual notification | School must notify parents of data sharing practices |
| Data security | You must protect data to FERPA standards |
Your contracts will include: Data processing terms, security requirements, data destruction obligations, audit rights, and breach notification requirements.
Compliance Framework for EdTech
COPPA Compliance Checklist
Privacy Policy Requirements:
- List all operators collecting data
- Describe what information is collected
- Explain how information is used
- Disclose whether data is shared with third parties
- State that consent is required for children under 13
- Explain how parents can review and delete data
Operational Requirements:
- Age-gate or age-collection mechanism
- Parental consent workflow for users under 13
- Parental access portal for data review/deletion
- Data minimization practices
- Secure data storage and transmission
- Data retention and deletion policies
- Staff training on COPPA requirements
Third-Party Integration:
- Review all SDKs and APIs for data collection
- Ensure analytics tools are COPPA-compliant
- Contract with data processors for compliance
FERPA Compliance Checklist
Contract Preparation:
- Template data processing agreement ready
- Security documentation available for schools
- Data destruction procedures documented
- Breach notification procedures documented
- Audit trail for data access
Technical Requirements:
- Role-based access controls
- Encryption at rest and in transit
- Audit logging for data access
- Data segregation by school/district
- Secure data destruction capabilities
Operational Requirements:
- Staff training on FERPA obligations
- Background checks for staff accessing data
- Incident response procedures
- Regular security assessments
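The three technical items that most often get handled together, role-based access, data segregation by district and audit logging, can be combined in one authorization function. This is an added example, not code from the original post; the roles, record categories and the interest table are an assumed vendor-side policy, not FERPA's own definitions.

```typescript
// Added example: district-segregated, role-based access to education records with an audit trail.
// Roles, categories and the interest table are assumed policy, not FERPA's own terms.
type Role = "teacher" | "counselor" | "district_admin" | "vendor_support";
type Category = "grades" | "disciplinary" | "special_ed" | "health";

interface Requester { userId: string; role: Role; districtId: string; schoolId?: string }
interface EducationRecord { recordId: string; studentId: string; districtId: string; schoolId: string; category: Category }
interface AuditEntry { at: Date; userId: string; recordId: string; allowed: boolean; reason: string }

// Which categories each role has a legitimate educational interest in. Your own support staff get
// no default access: any vendor access to records must come from the school's written agreement.
const INTEREST: Record<Role, ReadonlySet<Category>> = {
  teacher: new Set<Category>(["grades"]),
  counselor: new Set<Category>(["grades", "disciplinary", "special_ed"]),
  district_admin: new Set<Category>(["grades", "disciplinary", "special_ed", "health"]),
  vendor_support: new Set<Category>(),
};

// Null means access is permitted; otherwise the specific reason for denial.
function denialReason(r: Requester, rec: EducationRecord): string | null {
  if (r.districtId !== rec.districtId) return "cross-district access";            // data segregation
  if (r.role === "teacher" && r.schoolId !== rec.schoolId) return "cross-school access";
  if (!INTEREST[r.role].has(rec.category)) return `role ${r.role} has no educational interest in ${rec.category}`;
  return null;
}

// Every decision, allowed or denied, is written to the audit log before the answer is returned.
function authorize(r: Requester, rec: EducationRecord, audit: AuditEntry[]): boolean {
  const reason = denialReason(r, rec);
  audit.push({ at: new Date(), userId: r.userId, recordId: rec.recordId, allowed: reason === null, reason: reason ?? "legitimate educational interest" });
  return reason === null;
}

// Constructed sample data for a stand-alone run.
const GRADES: EducationRecord = { recordId: "rec-1", studentId: "stu-1", districtId: "d-1", schoolId: "s-1", category: "grades" };
const HEALTH: EducationRecord = { recordId: "rec-2", studentId: "stu-1", districtId: "d-1", schoolId: "s-1", category: "health" };
const TEACHER: Requester = { userId: "t-1", role: "teacher", districtId: "d-1", schoolId: "s-1" };
const OTHER_DISTRICT_ADMIN: Requester = { userId: "a-9", role: "district_admin", districtId: "d-2" };
const SUPPORT: Requester = { userId: "v-1", role: "vendor_support", districtId: "d-1" };
const CASES: [Requester, EducationRecord][] = [[TEACHER, GRADES], [TEACHER, HEALTH], [OTHER_DISTRICT_ADMIN, GRADES], [SUPPORT, GRADES]];
const AUDIT: AuditEntry[] = [];
for (const [who, rec] of CASES) console.log(who.userId, rec.recordId, authorize(who, rec, AUDIT) ? "allowed" : "denied");
```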
Common Mistakes
| Mistake | Consequence | Fix |
|---|---|---|
| Assuming COPPA doesn’t apply | You have users under 13 whether you know it or not | Implement age collection or conservative approach |
| Using standard analytics | Most analytics tools aren’t COPPA-compliant | Use privacy-focused analytics or no tracking |
| Not having deletion workflows | Can’t respond to parental requests | Build deletion into your data layer |
| Ignoring FERPA in contracts | Schools can’t sign with you | Have compliant contract templates ready |
| Storing data indefinitely | Violates both COPPA and FERPA | Define and enforce retention limits |
| Not vetting third parties | Liable for their violations | Audit all data-touching integrations |
Design Patterns for Compliance
Age Collection
```typescript
// Age gate pattern
const AGE_GATE_PROMPT = "Before we continue, please enter your birth year";
const COPPA_AGE = 13;
function requiresParentalConsent(birthYear: number): boolean {
  const currentYear = new Date().getFullYear();
  // With only a birth year, currentYear - birthYear overstates the age by one for anyone
  // whose birthday has not yet passed this year, so a 12-year-old can score 13.
  // Fail closed: treat a computed age at or below COPPA_AGE as possibly under 13.
  return currentYear - birthYear <= COPPA_AGE;
}
// Route to parental consent flow if under 13
```
Data Minimization
```typescript
// Collect only what's needed for the educational purpose
interface StudentProfile {
  // Required for service
  id: string;
  gradeLevel: number;
  // Optional, only if needed for functionality
  displayName?: string;
  avatar?: string;
  // NEVER collect without explicit need and consent
  // emailAddress?: string; // Only if communications require it
  // location?: string;     // Almost never needed
}
```
Parental Access
```typescript
// Parental access workflow
// The two helpers below are assumed to exist elsewhere in the code base.
declare function verifyParentChild(parentId: string, childId: string): Promise<{ valid: boolean }>;
declare function exportChildData(childId: string): Promise<Record<string, unknown>>;

async function handleParentRequest(parentId: string, childId: string) {
  // 1. Verify parent relationship
  const relationship = await verifyParentChild(parentId, childId);
  if (!relationship.valid) throw new Error("Unauthorized");
  // 2. Retrieve child's data
  const childData = await exportChildData(childId);
  // 3. Provide in accessible format
  return {
    data: childData,
    exportDate: new Date(),
    deletionInstructions: "To delete, click here..."
  };
}
```
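The patterns above stop at export; the two remaining obligations are retention limits and a deletion workflow that honours a parent's right to refuse further collection. The following is an added example, not code from the original post: the data categories, retention periods and store shape are assumptions, and a fixed "now" keeps the sample run reproducible.

```typescript
// Added example: retention enforcement and a parental deletion request that also refuses
// further collection. Categories, periods and the store shape are assumptions.
type DataCategory = "profile" | "activity_log" | "analytics" | "support_ticket";
// Days from last activity after which an item is no longer "reasonably necessary".
const RETENTION_DAYS: Record<DataCategory, number> = { profile: 365, activity_log: 90, analytics: 30, support_ticket: 180 };
const DAY_MS = 86_400_000;
interface StoredItem { id: string; childId: string; category: DataCategory; lastActivity: Date }
interface DeletionEvent { at: Date; trigger: "retention" | "parent_request"; deletedIds: string[] }

class ChildDataStore {
  private items: StoredItem[];
  private doNotCollect = new Set<string>();   // children whose parents refused further collection
  readonly deletions: DeletionEvent[] = [];    // audit trail of every destruction
  constructor(seed: StoredItem[]) { this.items = [...seed]; }

  // Fails closed: nothing is stored for a child once the parent has refused further collection.
  store(item: StoredItem): boolean {
    if (this.doNotCollect.has(item.childId)) return false;
    this.items.push(item);
    return true;
  }
  count(childId: string): number { return this.items.filter(i => i.childId === childId).length; }

  private purge(keep: (i: StoredItem) => boolean, trigger: DeletionEvent["trigger"], now: Date): string[] {
    const deletedIds = this.items.filter(i => !keep(i)).map(i => i.id);
    this.items = this.items.filter(keep);
    if (deletedIds.length > 0) this.deletions.push({ at: now, trigger, deletedIds });
    return deletedIds;
  }
  // Scheduled job: delete every item past its category's retention window.
  enforceRetention(now: Date): string[] {
    return this.purge(i => now.getTime() - i.lastActivity.getTime() <= RETENTION_DAYS[i.category] * DAY_MS, "retention", now);
  }
  // Parental request: delete everything about the child and, if asked, block future collection.
  handleParentDeletion(childId: string, refuseFurther: boolean, now: Date): string[] {
    if (refuseFurther) this.doNotCollect.add(childId);
    return this.purge(i => i.childId !== childId, "parent_request", now);
  }
}

// Constructed sample data; "now" is fixed so the run is reproducible.
const NOW = new Date("2024-10-01T00:00:00Z");
function buildSampleStore(): ChildDataStore {
  return new ChildDataStore([
    { id: "p1", childId: "child-1", category: "profile", lastActivity: new Date("2024-09-01T00:00:00Z") },        // 30 days: kept
    { id: "a1", childId: "child-1", category: "analytics", lastActivity: new Date("2024-08-01T00:00:00Z") },      // 61 days: expired
    { id: "l1", childId: "child-2", category: "activity_log", lastActivity: new Date("2024-05-01T00:00:00Z") },   // 153 days: expired
    { id: "t1", childId: "child-2", category: "support_ticket", lastActivity: new Date("2024-05-01T00:00:00Z") }, // 153 days: kept
  ]);
}
```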
Working with Schools
Contract Expectations
Schools and districts will expect:
| Document | Purpose |
|---|---|
| Data processing agreement | Defines your FERPA obligations |
| Security questionnaire | Documents your security practices |
| Insurance certificate | Proof of cyber liability coverage |
| SOC 2 report (eventually) | Independent security verification |
| Privacy policy | COPPA/FERPA-compliant disclosure |
Sales Cycle Implications
EdTech sales cycles are longer partly due to compliance review:
| Stage | Compliance Component |
|---|---|
| Initial contact | Privacy questions surface early |
| Evaluation | Security/privacy review by IT |
| Procurement | Contract negotiation, DPA signing |
| Implementation | Data integration with school consent |
| Ongoing | Annual reviews and audits |
Budget extra time for these reviews.
State Laws to Watch
Federal law sets the floor. Some states add requirements:
| State | Additional Requirements |
|---|---|
| California | SOPIPA (no marketing to students), CCPA |
| New York | Education Law §2-d, strict security requirements |
| Colorado | Additional student data protections |
| Other states | 40+ states have enacted student data privacy laws in some form |
Best practice: Build for the strictest state. Federal compliance becomes easier when you exceed requirements.
EdTech compliance isn’t optional, but it shouldn’t prevent you from building valuable tools for students and educators. If you’re planning an EdTech product and want guidance on building compliance into your architecture from day one, book a consultation. We’ve navigated COPPA and FERPA for education products and can help you avoid common pitfalls.