DEV Community

Bhavesh Pawar

What is COPPA in 2026 and When Does It Apply to Your Edtech Product

COPPA is the law most edtech founders underestimate — until a school district flags it during procurement or the FTC comes knocking. The rules changed significantly in 2025 and the compliance deadline is April 22, 2026. If you're building a product used by children under 13, you need to understand what changed and what it requires from you.


What COPPA is

COPPA — the Children's Online Privacy Protection Act — is a US federal law that restricts how companies collect, use, and share personal data from children under 13 online. It's enforced by the Federal Trade Commission.

The FTC finalized major amendments to the COPPA rule on January 16, 2025. The updated rule went into effect June 23, 2025, with full compliance required by April 22, 2026. These are the first significant changes to COPPA since 2013 and they directly affect edtech companies.


When COPPA applies to your product

COPPA applies to you if your product is directed at children under 13, or if you knowingly collect personal information from children under 13.

In the edtech context, this means: if your tool is used in K-12 classrooms and collects any personal information from students — names, email addresses, user IDs, device identifiers, location data, or behavioral data — COPPA likely applies to you.

The school authorization exception allows schools to consent on behalf of parents for educational use. This means schools can authorize your collection of student data without requiring individual parental consent — but only for educational purposes, and only if your use of that data is limited to the service you were contracted to provide. You cannot use school-authorized data for advertising, product analytics, or any commercial purpose.


What the 2025 updates changed

Separate consent for data sharing — you now need explicit, verifiable parental consent before sharing a child's personal information with third parties for targeted advertising or other purposes. You cannot bundle this into general terms of service. Separate consent workflows for core functionality versus advertising are now required.

Stricter data retention — children's data can only be retained for as long as reasonably necessary to fulfill the specific purpose for which it was collected. Indefinite retention is explicitly prohibited. You need a defined retention policy and a process to delete data when it's no longer needed.

Expanded definition of personal information — the 2025 rule now explicitly includes biometric identifiers such as facial recognition, voiceprints, fingerprints, and retina scans. If your product uses any biometric data for attendance, identity verification, or personalization, that data is now regulated under COPPA.

Third-party accountability — you are now expected to monitor and restrict how your sub-processors use children's data. Every SDK, analytics tool, and third-party service that touches student data needs to be vetted. Cookie syncing, crash reporting tools, and A/B testing platforms are all in scope.


The line you cannot cross

The school authorization exception is not a blank check. It covers educational use only.

You cannot use student data to build user profiles for marketing. You cannot use it to train AI models without explicit authorization. You cannot share it with partners outside the educational purpose. You cannot retain it indefinitely after the school relationship ends.

The FTC takes this seriously. In 2025, Cognosphere paid $20 million in a COPPA settlement for collecting personal information from children without parental consent. COPPA violations carry penalties up to $51,744 per affected child.


What you need to have in place before April 22, 2026

  • A clear data map — what personal information your product collects from users under 13, where it is stored, who has access, and how long you retain it
  • A sub-processor inventory — every third-party service that touches student data, with documentation of their data practices
  • Separate consent workflows — if you share data with third parties for any purpose beyond the core educational service, you need verifiable parental consent for that separately
  • A data retention and deletion policy — specific timelines, not vague language about "as long as necessary"
  • A privacy policy written for the education context — generic SaaS privacy policies do not cover COPPA requirements adequately

FAQ

Does COPPA apply if I'm not a US company?
If your product is used by children in the US, COPPA applies regardless of where your company is based. The FTC has enforcement reach over products targeting or knowingly collecting data from US children.

What's the difference between COPPA and FERPA?
FERPA protects education records held by schools and restricts how schools share that data with vendors. COPPA protects personal data collected directly from children online. Both can apply to the same product simultaneously. If your product is used in schools and collects data from students under 13, you need to comply with both.

Our product is used by teachers, not students directly. Does COPPA apply?
If teachers use your product and student data (grades, names, identifiers) never flows through it, COPPA likely doesn't apply. If your product receives or displays any student data as part of its function, get a legal review.

The compliance deadline is April 22, 2026. What should we prioritize first?
Start with your data map and sub-processor inventory. You can't build compliant consent flows or retention policies until you know exactly what data you're collecting and where it goes. That audit typically takes 2 to 4 weeks and everything else builds on it.
