The COPPA compliance deadline is April 22, 2026. If your edtech product is used by students under 13, this checklist covers everything you need to have in place. Use it as your audit framework before the deadline and as an ongoing reference after.
Data Inventory
- [ ] You know exactly what personal information your product collects from users under 13
- [ ] You know where that data is stored and in which country
- [ ] You have documented who inside your company has access to student data and why
- [ ] You have a complete list of every third-party SDK and service that touches student-facing parts of your product
- [ ] You know how long you currently retain student data
Third-Party SDK and Sub-Processor Audit
- [ ] Every SDK active on student-facing surfaces has been reviewed for what it collects
- [ ] SDKs that collect device identifiers, behavioral data, or PII from students have been addressed - removed, replaced with a compliant version, or contractually bound
- [ ] You have a Data Processing Agreement with every sub-processor that handles student data
- [ ] Each DPA explicitly restricts the sub-processor from using student data for advertising, profiling, or purposes outside the service they provide to you
- [ ] Your sub-processor list is current and documented
Consent and Authorization
- [ ] You have a mechanism for schools to authorize data collection on behalf of parents for educational use (school authorization exception)
- [ ] If you share student data with third parties for purposes beyond the core educational service - including advertising - you have a separate verifiable parental consent flow for that
- [ ] Your consent language is clear and in plain terms that parents can understand
- [ ] You do not bundle consent for advertising or data sharing into general terms of service
Data Retention and Deletion
- [ ] You have a written data retention policy with specific timelines
- [ ] Student data is deleted within a defined timeframe after the school relationship ends - typically 30 to 60 days
- [ ] You have a process to respond to deletion requests from schools or parents
- [ ] Indefinite data retention has been eliminated from your practices and your policy documents
Biometric and Sensitive Data
- [ ] You have identified whether your product uses facial recognition, voiceprints, fingerprints, or retina scans - these are now explicitly covered as personal information under the 2025 COPPA amendments
- [ ] Biometric data collection from students under 13 has appropriate consent and is covered in your privacy policy
- [ ] You have assessed whether any AI features in your product generate or process biometric identifiers
Privacy Policy
- [ ] Your privacy policy is education-specific - not a generic SaaS policy
- [ ] It describes what personal information you collect from children under 13
- [ ] It lists the specific third parties or categories of third parties you share data with and the purposes for that sharing
- [ ] It covers biometric data if your product uses any
- [ ] It explains parent and student rights to access and delete data
- [ ] It has been reviewed or updated since the 2025 COPPA amendments
Data Processing Agreements with Schools
- [ ] Every school customer has a signed DPA in place
- [ ] Your DPA template covers the school official exception requirements under FERPA
- [ ] Your DPA lists your current sub-processors
- [ ] Your DPA includes breach notification timelines - most districts require 72 hours
- [ ] Your DPA defines what happens to student data when the contract ends
Security Controls
- [ ] Student data is encrypted in transit and at rest
- [ ] Access to student data inside your company is limited to people who need it for the contracted service
- [ ] You have multi-factor authentication on systems that hold student data
- [ ] You have a written incident response plan for data breaches
- [ ] You have audit logging in place to track access to student data
Breach Notification
- [ ] You have a process to identify when student data has been compromised
- [ ] You know which school customers to notify and how
- [ ] Your notification timeline is documented and aligns with your DPA commitments and applicable state laws
- [ ] Key contacts at each school customer are documented
Documentation and Evidence
- [ ] Your compliance effort is documented - even an incomplete process with a clear roadmap is better than no documentation
- [ ] Your sub-processor list is maintained and up to date
- [ ] Your privacy policy reflects your current data practices
- [ ] Your DPA template has been reviewed by a lawyer who understands edtech and student privacy
If you can check all of these, you are in good shape for April 22.
If you can't, prioritize in this order: sub-processor audit first, then retention policy, then privacy policy update, then DPA review. Those four address the most common compliance gaps and the ones districts and regulators check first.
FAQ
Do we need all of this before April 22?
Full compliance by April 22 is the goal. If you're starting late, document your progress and continue working. The FTC enforces against companies that show no effort. A credible compliance roadmap matters.
We're a small team. Which items are most critical?
Sub-processor audit, data retention policy, and privacy policy update. These three address the most visible gaps in a procurement review and the areas where COPPA violations are most commonly identified.
Does this checklist cover FERPA as well?
Partially. The DPA and security sections overlap with FERPA requirements. But FERPA and COPPA are separate frameworks - being compliant with one doesn't mean you're compliant with the other. A separate FERPA review is worth doing alongside this checklist.