FERPA and COPPA are two distinct US federal privacy laws that apply to educational technology (EdTech). The key difference is scope: FERPA (Family Educational Rights and Privacy Act) protects the privacy of student education records held by schools and districts, while COPPA (Children's Online Privacy Protection Act) regulates the online collection of personal information from children under 13 by commercial websites and online services, including many EdTech vendors. EdTech providers therefore face a dual-compliance landscape: they must respect the FERPA obligations delegated by their school partners and also meet COPPA's direct requirements for parental notice and consent when their platform is used by children under 13.
What is FERPA?
The Family Educational Rights and Privacy Act (FERPA), enforced by the U.S. Department of Education (ED), is a federal law that protects the privacy of student education records. FERPA applies to all educational agencies and institutions that receive funds under any program administered by the Secretary of Education. Under FERPA (20 U.S.C. § 1232g; 34 CFR Part 99), schools must obtain written consent from a parent or eligible student (age 18 or older) before disclosing personally identifiable information (PII) from a student's education record, with specific exceptions for "school officials with legitimate educational interests" and certain directory information.
Key FERPA Obligations for EdTech
EdTech vendors typically operate as "school officials" under FERPA, meaning they must contractually agree to:
- Use student data only for authorized educational purposes
- Not further disclose PII from education records
- Maintain direct control over the data under the school's direction
- Return or destroy data at the school's request
What is COPPA?
The Children's Online Privacy Protection Act (COPPA), enforced by the Federal Trade Commission (FTC), governs the online collection of personal information from children under 13. COPPA (15 U.S.C. §§ 6501–6506; 16 CFR Part 312) applies to operators of commercial websites and online services that are directed to children or that knowingly collect personal information from children under 13. EdTech platforms fall under COPPA when schools use them as a "means of enrolling" or as a "school-authorized service" where the operator collects personal information from students.
Key COPPA Obligations for EdTech
For EdTech vendors, COPPA requires:
- Clear and understandable privacy policy describing data practices
- Verifiable parental consent before collecting personal information from children under 13
- Parental rights to review, refuse further use, and delete collected data
- Reasonable data security procedures
- Retention of data only as long as reasonably necessary
FERPA vs COPPA: Comparison Table
How FERPA and COPPA Overlap in EdTech
The critical overlap occurs when an EdTech vendor collects personal information from students under 13 in a school context. The FTC's 2025 COPPA rule updates clarify that when a school "authorizes" an EdTech service for classroom use, the school can provide consent on behalf of parents — but only if the vendor uses the data solely for educational purposes and does not use it for commercial purposes like behavioral advertising or creating profiles for non-educational purposes. Vendors must still provide direct privacy notices to parents and maintain COPPA-compliant data practices.
Key Takeaway: While FERPA governs the school's obligations regarding education records, COPPA imposes direct responsibilities on EdTech vendors when collecting data from children under 13. Schools can facilitate COPPA consent for educational purposes, but vendors must still maintain distinct COPPA compliance programs.
Practical Compliance Guide for EdTech Vendors
Step 1: Determine Your Legal Obligations
Begin by mapping which laws apply. If your platform is used by K-12 schools and processes student data, FERPA applies via your contracts with schools. If your platform is directed at children under 13 or you knowingly collect data from users under 13, COPPA applies directly to you.
Step 2: Establish a Compliant Data Governance Framework
Implement a system to classify student data by applicable regulation. For example, a classroom collaboration tool may need to treat student-submitted assignments as FERPA-protected education records while simultaneously managing COPPA consent for any data collected from students under 13 through user profiles or engagement tracking.
Step 3: Design Parent- and School-Facing Privacy Notices
Provide separate, clear notices: one for schools (detailing your role as a school official under FERPA) and one for parents (complying with COPPA's direct notice requirements). COPPA requires the direct notice to include what information you collect, how you use it, and how parents can exercise their rights.
Step 4: Implement Age Verification Without Overcollection
Use neutral age-gating mechanisms that do not require collecting unnecessary personal information. COPPA prohibits requiring a child to disclose more information than reasonably necessary to participate in an activity. For example, a simple "Are you under 13?" prompt without requiring a birth date can suffice when combined with school authorization.
Step 5: Establish Data Minimization and Retention Policies
Both FERPA and COPPA require limiting data collection to what is necessary for the educational purpose. COPPA specifically requires retaining data only as long as reasonably necessary. Map your data flows to ensure you collect only the minimum data required for core functionality and delete student data at the end of each school term or when no longer needed.
Consequences of Non-Compliance
Non-compliance carries significant risks. FERPA violations can lead to the loss of federal education funding and, in cases of egregious conduct, litigation by parents or state attorneys general under state privacy laws. COPPA violations are enforced by the FTC, with civil penalties up to $51,744 per violation, and the FTC has brought major actions against EdTech companies for COPPA violations, resulting in multi-million-dollar settlements and mandated compliance programs.
State Privacy Laws and the FERPA-COPPA Landscape
EdTech vendors must also consider state-level laws. The California Consumer Privacy Act (CCPA) as amended by the CPRA has specific carve-outs for data subject to FERPA and COPPA, but still imposes obligations for employee data and business-to-business data. States like Connecticut, Colorado, and Texas have privacy laws that may apply to EdTech vendors' broader data practices. The interplay between FERPA, COPPA, and state laws creates a complex compliance matrix that requires a comprehensive state privacy compliance approach.
Best Practices for EdTech Vendors
Conduct Regular Data Mapping
Document every data element collected, its source, purpose, and applicable regulatory obligation. Update this mapping annually or with any significant product change.
Build Consent Management Tools
Develop a centralized consent management system that handles both COPPA parental consent and FERPA disclosure authorizations. The system should support multiple consent paths: school authorization for educational use and direct parental opt-in for non-educational features.
Train Staff on Both Laws
Ensure that product managers, data engineers, and customer-facing teams understand the differences between FERPA and COPPA. A data scientist who treats all student data as governed only by FERPA may inadvertently violate COPPA by using data for model training without parental consent.
Leverage Automated Compliance Tools
CyberSilo's Compliance Standards Automation solution can help EdTech companies continuously monitor their data flows against FERPA and COPPA requirements, flagging potential violations before they escalate.
Our Conclusion & Recommendation
FERPA and COPPA create overlapping but distinct compliance obligations for EdTech vendors. The most common compliance failure occurs when vendors treat COPPA-required parental consent as a substitute for FERPA's school-authorization framework, or vice versa. A unified compliance strategy must address both laws simultaneously: building COPPA-compliant age gates and consent flows while maintaining FERPA-compliant data-sharing agreements with school districts.
For EdTech vendors serving K-12 markets in the US, the practical recommendation is to adopt a compliance automation platform that can map every data flow to both FERPA and COPPA requirements. CyberSilo's Compliance Standards Automation provides continuous monitoring and gap analysis against both federal laws and state-specific privacy requirements, reducing enforcement risk and building trust with school district partners.
