This is the most common compliance mistake edtech companies make. They get FERPA right - signed DPAs, data used only for educational purposes, school official exception covered - and assume they're done. Then a procurement review or an FTC inquiry surfaces a COPPA gap they didn't know they had.
FERPA and COPPA are separate laws enforced by different agencies. Complying with one does not satisfy the other. If your product is used by K-12 students under 13, you need both.
What each law actually covers
FERPA - the Family Educational Rights and Privacy Act - governs how schools share student education records with third parties. It binds the school, not you directly: it reaches you as a vendor through the school official exception, which lets a school disclose education records to an outside vendor that performs a service the school would otherwise use its own staff for, is under the school's direct control with respect to that data, uses the records only for the authorized purpose, and does not redisclose them without the school's permission. FERPA is enforced by the US Department of Education.
COPPA - the Children's Online Privacy Protection Act - governs how online services collect personal information directly from children under 13. It applies to you as an operator, independent of any school relationship. COPPA is enforced by the Federal Trade Commission.
Two different laws. Two different agencies. Two different compliance requirements.
Why one doesn't cover the other
The school official exception under FERPA allows schools to share student data with vendors. It does not give vendors permission to do whatever they want with that data, and it does not satisfy COPPA. A platform cannot point to the school's FERPA authorization as a substitute for COPPA's verifiable parental consent requirement; the two authorizations answer different questions under different statutes.
Here's where this gets concrete:
FERPA says: The school has authorized you to receive student data for educational purposes. Use it only for that purpose.
COPPA says: You are collecting personal information online from children under 13. You need verifiable parental consent - unless the school is providing that consent on behalf of parents under COPPA's school authorization exception.
The school authorization exception exists on the COPPA side too, but it is grounded in FTC guidance and it is narrower than most companies realize. A school can consent on a parent's behalf only for collection and use limited to the school-authorized educational purpose; the operator may not use the data for any commercial purpose. The moment you use student data for anything beyond the contracted educational service - analytics, advertising, AI model training, product improvement - school authorization no longer covers it and you need separate verifiable parental consent.
Where the gaps actually appear
Analytics and tracking SDKs
A company can be FERPA compliant - signed DPAs, data used only for educational purposes - and still have a COPPA problem if it runs third-party analytics or advertising SDKs that collect behavioral data from students without proper consent. FERPA only reaches an SDK if education-record data flows to it. COPPA treats the persistent identifiers (device IDs, cookies, advertising IDs) such SDKs collect from a child's device as personal information, and it holds you as the operator responsible for what the third parties you integrate collect on your service.
Data retention
FERPA doesn't specify precise retention timelines for vendors. COPPA's 2025 amendments are explicit: children's personal information may be retained only as long as reasonably necessary for the specific purpose for which it was collected, it cannot be retained indefinitely, and operators must maintain a written children's data retention policy. A FERPA-compliant retention policy may still be non-compliant under COPPA.
Sub-processor accountability
FERPA's limits on redisclosure mean your DPA with the school has to account for every sub-processor that receives student data. COPPA goes further - under the 2025 amendments, you must take reasonable steps to release children's data only to service providers and third parties capable of protecting it, obtain written assurances that they will, and restrict their use of the data to the purpose for which you disclosed it. The standard is higher and applies independently of your FERPA obligations.
Biometric data
The 2025 COPPA amendments explicitly added biometric identifiers that can be used to recognize an individual - fingerprints, facial templates, voiceprints, iris and retina patterns, gait patterns, genetic data - to the definition of personal information. FERPA has no equivalent specificity. If your product collects any biometric data from students, COPPA's notice and consent requirements apply regardless of your FERPA compliance status.
What you need for each
For FERPA compliance:
- Signed Data Processing Agreement with every school customer
- Use of student data limited to the contracted educational purpose
- Documented access controls for who can access student records
- A process to support parent access and correction requests
- A breach notification process
For COPPA compliance you additionally need:
- School authorization mechanism or direct parental consent for data collection from under-13 users
- Sub-processor inventory with accountability measures for each
- Written data retention policy with specific deletion timelines
- Separate consent flows for any data sharing beyond the educational service
- A privacy policy that covers children's data specifically, including biometrics if relevant
- Full compliance with the 2025 amendments by April 22, 2026
The practical test
Ask yourself: if a school district's legal team reviewed your COPPA compliance separately from your FERPA compliance, would they find gaps?
FERPA compliance means your contract with the school is correct and your data use is limited to educational purposes. COPPA compliance means your product's data collection, retention, and sub-processor practices meet the FTC's standards for child-directed services - regardless of what your school contracts say.
Both matter. Neither covers the other.
FAQ
If a school gives us authorization to collect student data, does that satisfy COPPA?
For educational use only - yes, that's the school authorization exception under COPPA. For any use beyond the contracted educational service - advertising, analytics, AI training, marketing - no. Separate parental consent is required.
We're already FERPA compliant. How much additional work is COPPA compliance?
The biggest gaps are usually the sub-processor audit, the written data retention policy, and the privacy policy update. If your FERPA compliance is solid, you are probably most of the way there - on the order of 60-70% as a rough estimate. The COPPA-specific gaps are identifiable and fixable.
Does COPPA apply to products used only by teachers, not students?
COPPA turns on whether your online service collects personal information from children under 13. If only teachers use your product and no student data flows through it, COPPA likely doesn't apply. If your product receives, displays, or processes any student data as part of its function - even data entered by a teacher rather than collected from the student directly - get a legal review before assuming you are out of scope.
What's the COPPA compliance deadline?
April 22, 2026 for full compliance with the 2025 amendments.