April 22, 2026 is 9 days away. If your edtech product is used by children under 13 and you haven't reviewed the FTC's updated COPPA rule, you're out of time to plan - you're in execution mode now.
The updated rule has been in effect since June 23, 2025. Full compliance is required by April 22, 2026. COPPA violations carry penalties up to $51,744 per affected child. This is not a rule you want to be catching up on after a school district flags it in procurement or the FTC comes calling.
Here's exactly what you need to do before the deadline.
Step 1 - Map your data
You cannot fix what you haven't mapped. Before anything else, document:
- What personal information your product collects from users under 13
- Where it's stored and in which country
- Who inside your company has access to it
- What third-party services receive or process it
- How long you currently retain it
This audit takes 2 to 4 weeks for most small edtech teams. If you haven't started, start today.
Step 2 - Audit every third-party SDK and service
The fastest path to a COPPA violation is not your own code - it's the analytics tool, crash reporter, or A/B testing SDK you added two years ago and haven't thought about since.
Under the updated rule, you are responsible for how your sub-processors use children's data. Go through every SDK and third-party service in your product. For each one: does it touch student data? If yes, is it contractually bound to COPPA-compliant data handling? If it is not - remove it, replace it, or get a data processing agreement in place.
Common ones to check: Google Analytics, Mixpanel, Intercom, Hotjar, Segment. If any are active in parts of your product that students use, review them now.
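One way to run the Step 2 questions over a dependency manifest, as an added example that is not part of the original post. The npm package names assume a JavaScript front end, and the sample manifest and the two vendor registers are constructed for illustration.

```python
import json

# npm package -> vendor, for the services the post names. Assumes a JavaScript
# front end; extend the map for your own stack (mobile SDKs, script tags).
KNOWN_SDKS = {
    "react-ga4": "Google Analytics",
    "mixpanel-browser": "Mixpanel",
    "react-use-intercom": "Intercom",
    "@hotjar/browser": "Hotjar",
    "@segment/analytics-next": "Segment",
}

def audit_sdks(package_json_text, student_facing, dpa_on_file):
    """Apply the Step 2 questions to every known SDK in a package.json."""
    deps = json.loads(package_json_text).get("dependencies", {})
    findings = []
    for pkg in sorted(deps):
        vendor = KNOWN_SDKS.get(pkg)
        if vendor is None:
            continue  # not a tracked third-party service
        touches = vendor in student_facing
        if not touches:
            action = "record as not student-facing"
        elif vendor in dpa_on_file:
            action = "confirm the agreement covers current use"
        else:
            action = "remove, replace, or get a DPA in place"
        findings.append({"package": pkg, "vendor": vendor,
                         "touches_student_data": touches, "action": action})
    return findings

# Constructed sample manifest and registers, for illustration only.
SAMPLE_PACKAGE_JSON = """
{"dependencies": {"react": "^18.2.0", "mixpanel-browser": "^2.47.0",
                  "@hotjar/browser": "^1.0.9", "react-use-intercom": "^5.1.0"}}
"""
STUDENT_FACING = {"Mixpanel", "Hotjar"}   # vendors loaded on student screens
DPA_ON_FILE = {"Mixpanel"}                # vendors with a signed agreement

if __name__ == "__main__":
    for f in audit_sdks(SAMPLE_PACKAGE_JSON, STUDENT_FACING, DPA_ON_FILE):
        print(f"{f['vendor']:<10} {f['package']:<20} {f['action']}")
```

A manifest scan only finds SDKs installed as packages; services loaded through script tags or a tag manager need a separate check of the rendered pages.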
Step 3 - Fix your data retention policy
The 2025 rule explicitly prohibits indefinite data retention for children's data. You need a written policy that defines how long you retain student data and what triggers deletion.
At minimum: student data must be deleted within a defined timeframe after the school relationship ends - typically 30 to 60 days. "Until the user requests deletion" or "as long as the account is active" are not compliant answers.
Step 4 - Check your consent flows
If your product shares any student data with third parties for targeted advertising or purposes outside the educational service - you now need separate, explicit, verifiable parental consent for that. You cannot bundle it into general terms of service.
Most pure edtech products don't run targeted ads, so this step may not apply to you. But if you monetize through advertising or share data with marketing partners, separate consent workflows are required before April 22.
Step 5 - Update your privacy policy
Your privacy policy must:
- Describe what personal information you collect from children under 13
- List the specific third parties or categories of third parties you share data with
- Explain the purposes for any data sharing
- Cover biometric data if your product uses facial recognition, voiceprints, or fingerprints
Generic SaaS privacy policies don't cover these requirements. If yours hasn't been reviewed since 2023, it needs an update.
Step 6 - Review your Data Processing Agreements
Every school you work with should have a signed DPA in place. That DPA needs to reflect your current data practices and sub-processor list. If you've added new third-party services since you last updated your template, update it now.
What to prioritize if you're starting late
If you're starting from zero with 9 days left:
- Audit sub-processors today - remove anything that tracks children's behavior and isn't essential
- Write a data retention policy this week - even a one-page document is better than nothing
- Update your privacy policy to list third parties - this is the most visible compliance signal
- Document everything you're doing - the FTC's standard is "reasonable" compliance practices, and a documented process matters even if it's incomplete
You won't achieve full compliance in 9 days if you're starting from zero. But you can close the biggest gaps and have a credible compliance roadmap. That's what districts and regulators want to see.
FAQ
Does COPPA apply if our product is used by schools but we don't market directly to children?
Yes. If students under 13 use your product and it collects personal information from them - even indirectly through school accounts - COPPA applies. The school authorization exception covers schools consenting on behalf of parents, but only for educational use.
We only collect email addresses and usage logs. Does that count?
Yes. Email addresses are personal information under COPPA. Usage logs linked to identifiable students are covered too. The updated rule expanded the definition to include device identifiers, geolocation data, and biometric identifiers.
What if we miss the April 22 deadline?
Document your compliance progress and keep working. The FTC enforces against companies that show no effort, not just those that miss a deadline. A documented roadmap with real progress is better than silence.
We only work with higher education. Does COPPA apply?
COPPA covers children under 13. If your product is used exclusively by higher education students who are 18 or older, COPPA likely doesn't apply. If you have any K-12 customers or users under 13, it does.