The Privacy Compliance Landscape for Schools
Student privacy law has grown significantly more complex over the past decade. What began with FERPA (1974) and COPPA (1998) has been supplemented by state-level student privacy laws in over 40 states, FTC enforcement actions that clarify COPPA's application to school contexts, and a growing recognition that the data ecosystems surrounding edtech can expose student information in ways that neither law fully anticipated. For school administrators, the practical challenge is not just understanding the law; it is building systems that maintain compliance across a constantly changing technology landscape.
This guide focuses on the practical compliance obligations most relevant to day-to-day school technology administration, with particular attention to COPPA's application in school contexts, the relationship between COPPA and FERPA, and the state law landscape that increasingly supplements both.
COPPA: The Core Framework
The Children's Online Privacy Protection Act, enacted in 1998 and substantially amended by the FTC in 2013, establishes the foundational framework for protecting children's online privacy. Its core requirements for covered operators (websites and online services directed to children under 13, or with actual knowledge of child users) include:
- Providing clear and comprehensive notice of data collection practices
- Obtaining verifiable parental consent before collecting personal information from children under 13
- Giving parents ongoing rights to review, correct, and delete their children's personal information
- Maintaining the confidentiality, security, and integrity of collected information
- Retaining information only as long as necessary for the purpose it was collected
- Not conditioning participation on the collection of more information than is reasonably necessary
COPPA's definition of "personal information" was expanded in the 2013 amendment to include persistent identifiers (device IDs, cookies, IP addresses), photographs, videos, and audio files, significantly broadening its scope in ways that affect many modern edtech tools.
FERPA: The School-Side Framework
FERPA gives parents of students under 18 (and eligible students, meaning those 18 and over or in postsecondary education) rights over "education records" maintained by schools receiving federal funding. FERPA's core protections:
- Parents' right to inspect and review education records
- Parents' right to request correction of inaccurate records
- Schools' obligation to obtain written consent before disclosing personally identifiable information from education records to third parties
FERPA's "school official" exception allows disclosure of education records to "school officials" with "legitimate educational interests" without parent consent. The Department of Education has interpreted this exception to include edtech vendors acting as "school officials" when they use student data only for the educational purpose for which it was disclosed, but this interpretation requires that the school maintain "direct control" over the data and that the vendor have no independent use of the data.
The School Official Exception for COPPA
The most critical COPPA concept for school administrators is the "school official exception", the FTC's provision that allows schools to consent to edtech data collection on behalf of parents. The FTC's 2013 guidance states that schools may consent on behalf of parents for edtech operators, provided:
- The app is used for educational purposes only, not for commercial purposes
- The school has reviewed the operator's data practices and determined they are appropriate
- The school has taken steps to ensure the operator uses data only for the educational purpose
- Parents are notified that the school uses such apps (typically through annual notification)
The school official exception is not automatic; it requires affirmative steps by the school. A school that deploys an edtech app without reviewing its data practices cannot invoke the exception simply by virtue of using the app for educational purposes. The review and assurance requirements are substantive.
SOPIPA and State-Level Student Privacy Laws
California's Student Online Personal Information Protection Act (2014) established a model that over 30 states have since adopted in some form. SOPIPA-type laws typically prohibit edtech operators from:
- Using covered student information to engage in targeted advertising
- Selling or renting student information
- Using student information to build profiles unrelated to educational purposes
- Disclosing covered information except for legal, safety, or consent-based reasons
SOPIPA-type laws apply to all K-12 students, not just those under 13, and they restrict what vendors can do with student data rather than requiring parental consent. This means schools must ensure vendor contracts prohibit these uses even when the users are 13 or older and COPPA technically doesn't apply.
Building a Compliant App Inventory
The foundation of school technology compliance is a current, complete inventory of every app, platform, and service that processes student data. Many schools are surprised to discover how many tools they are actually using: the combination of district-adopted platforms, school-adopted tools, classroom-level teacher choices, and student-initiated apps often exceeds 100 distinct services, many of which process identifiable student data without formal data processing agreements.
A compliant app inventory includes: the app name and vendor, the type of student data processed, whether a signed data processing agreement is in place, the COPPA/FERPA compliance status as documented by the vendor, the approval level (district, school, or teacher level), and the date of last compliance review. This inventory should be updated at least annually and whenever significant new tools are adopted.
Several tools support this process: Common Sense Privacy's edtech privacy evaluations, Digital Rights Management platforms like TrustEd, and self-service review frameworks from ISTE and CoSN. The Student Data Privacy Consortium (SDPC) maintains a national database of signed data privacy agreements between vendors and school districts; checking whether your vendors are already party to standard agreements can significantly reduce legal review burden.
What Must Be in a Vendor Contract
Every vendor that processes student data on behalf of a school should have a signed data processing agreement that includes at minimum:
- Explicit specification of the categories of student data collected and processed
- Prohibition on commercial use of student data (targeted advertising, sale, profile building for non-educational purposes)
- Data retention and deletion obligations, including deletion timelines when a school discontinues use
- Breach notification requirements: the vendor must notify the school within a specified timeframe (commonly 72 hours) of any unauthorized access
- Sub-processor disclosure: who else the vendor shares data with, and under what restrictions
- Student data return or destruction at contract termination
- Governing law and jurisdiction for dispute resolution
Contracts that lack these provisions are not compliant regardless of the vendor's FERPA/COPPA marketing claims. Verbal or email assurances are legally insufficient.
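The inventory fields described above and the minimum contract provisions listed in this section can be checked mechanically once the inventory is kept as structured data. The following script is an added example, not part of this guide or of any product named in it: it encodes each required DPA provision as a flag on the inventory record, treats a vendor's marketing claim as informational only, and flags records that lack a signed agreement, are missing provisions, are overdue for their annual review, or are used with under-13 students without a documented review of the vendor's data practices (the precondition for claiming the school official exception). Field names, the 12-month review window, and the three sample records are assumptions constructed for the example.

```python
"""Student-data app inventory checker (added example; fields and samples are assumed)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# The contract minimums listed in the guide, as flags a reviewer records per DPA.
REQUIRED_DPA_PROVISIONS = {
    "data_categories",          # categories of student data collected and processed
    "no_commercial_use",        # no targeted ads, sale, or non-educational profiling
    "retention_deletion",       # retention limits and deletion timelines
    "breach_notification",      # notify school within a specified timeframe
    "subprocessor_disclosure",  # who else receives data, under what restrictions
    "return_or_destroy",        # data returned or destroyed at termination
    "governing_law",            # governing law and jurisdiction
}

REVIEW_INTERVAL = timedelta(days=365)  # guide: review at least annually (assumed as 365 days)


@dataclass
class AppRecord:
    """One row of the inventory; field names are this example's assumption."""
    name: str
    vendor: str
    data_types: list[str]
    dpa_signed: bool
    dpa_provisions: set[str] = field(default_factory=set)
    vendor_claim: str = ""              # vendor's own COPPA/FERPA claim; never relied on
    approval_level: str = "teacher"     # district / school / teacher
    last_review: date | None = None
    used_by_under_13: bool = False
    practices_reviewed: bool = False    # documented review of the vendor's data practices


def check_record(rec: AppRecord, today: date) -> list[str]:
    """Return the compliance findings for one record (empty list means no findings)."""
    findings: list[str] = []
    if not rec.dpa_signed:
        findings.append("no signed data processing agreement")
    else:
        missing = REQUIRED_DPA_PROVISIONS - rec.dpa_provisions
        if missing:
            findings.append("DPA missing provisions: " + ", ".join(sorted(missing)))
    if rec.last_review is None:
        findings.append("never reviewed")
    elif today - rec.last_review > REVIEW_INTERVAL:
        findings.append("compliance review overdue")
    if rec.used_by_under_13 and not rec.practices_reviewed:
        findings.append("used with under-13 students without documented review "
                        "of data practices; school official exception cannot be claimed")
    return findings


def audit(inventory: list[AppRecord], today: date) -> dict[str, list[str]]:
    """Map each app name to its findings, omitting apps with none."""
    result = {}
    for rec in inventory:
        findings = check_record(rec, today)
        if findings:
            result[rec.name] = findings
    return result


# Constructed sample inventory; vendors, apps and dates are invented for the example.
TODAY = date(2024, 9, 1)
SAMPLE_INVENTORY = [
    AppRecord("ReadingTracker", "Example Vendor A", ["name", "reading scores"],
              dpa_signed=True, dpa_provisions=set(REQUIRED_DPA_PROVISIONS),
              vendor_claim="COPPA compliant", approval_level="district",
              last_review=date(2024, 3, 15), used_by_under_13=True, practices_reviewed=True),
    AppRecord("QuizTool", "Example Vendor B", ["email", "quiz results"],
              dpa_signed=True, dpa_provisions={"data_categories", "no_commercial_use"},
              vendor_claim="FERPA compliant", approval_level="school",
              last_review=date(2023, 1, 10)),
    AppRecord("ClassPhotoShare", "Example Vendor C", ["photos", "device id"],
              dpa_signed=False, vendor_claim="Privacy first!",
              used_by_under_13=True),
]

if __name__ == "__main__":
    for app, findings in audit(SAMPLE_INVENTORY, TODAY).items():
        print(app)
        for f in findings:
            print("  -", f)
```

The check deliberately ignores `vendor_claim`: the guide's point is that a vendor's marketing statement is not evidence of compliance, so the only inputs that clear a record are a signed agreement with every listed provision, a review within the last year, and, for under-13 use, a documented review of data practices.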
What Happens When You Get It Wrong
FTC COPPA enforcement has produced penalties ranging from $150,000 to over $5 million against edtech operators. Schools are rarely the FTC's direct enforcement target, but the reputational damage, loss of community trust, and potential legal exposure from a significant student data breach or unauthorized disclosure are substantial. State attorneys general have been increasingly active in student privacy enforcement under state-level laws. And parent-triggered complaints can prompt Department of Education FERPA investigations that consume significant administrative time regardless of their outcome.
The 2020 FTC enforcement action against Zoom, which resulted in an $85 million settlement and significant business practice changes, demonstrated that even large, well-resourced companies face serious consequences for COPPA violations in school contexts. Schools that unknowingly deployed non-compliant tools faced significant parent concerns and trust erosion regardless of their own legal culpability.
Administrator's COPPA/FERPA Compliance Checklist
- Build a complete app inventory: every tool processing student data, with compliance status. Most districts are surprised how many they have.
- Require signed data processing agreements from every vendor before deployment; verbal assurances and marketing claims are not legal protection.
- Invoke the school official exception intentionally: review vendor data practices before deploying to under-13 students, and document that review. Don't assume the exception applies automatically.
- Know your state law: SOPIPA-type laws in your state may restrict vendor data use for all students, not just under-13s. COPPA is the floor, not the ceiling.
- Establish a breach response protocol: who is notified (families, board, media), in what timeframe, and who makes the communication decisions. A breach without a protocol creates chaos; a protocol without a breach creates readiness.