
COPPA Compliance Checklist for EdTech (Under-13)

Building for young learners? The FTC takes COPPA seriously. Here's how to protect kids and your company.

The Email That Changed Everything

Your EdTech app is growing. Teachers love it, kids are engaged, and schools are signing up. Then you get an email from the FTC: "We've received a complaint regarding potential COPPA violations..."

COPPA (Children's Online Privacy Protection Act) isn't optional if your product is used by children under 13—and in K-12 EdTech, that's most of your users. The penalties are severe, and the FTC actively enforces.

The good news: COPPA compliance is achievable. It requires thoughtful product design, not a massive security overhaul. Here's what you actually need to do.

By the numbers (source: FTC):

  • $170M+ in COPPA fines since 2019
  • $275M Epic Games COPPA settlement (2022)
  • 13 is the age threshold for COPPA protection

Does COPPA Apply to Your EdTech Product?

COPPA applies if you operate a website, app, or online service that is either directed to children under 13 OR if you have actual knowledge that you're collecting personal information from children under 13. "Personal information" under the rule is broad: names, emails, usernames, photos, video or audio of a child, geolocation, and persistent identifiers (cookies, device IDs, advertising IDs) that can recognize a user over time.

COPPA Definitely Applies If:

  • Your app is marketed to elementary or middle schools
  • Your content is designed for kids under 13
  • You collect names, emails, or usernames from students
  • You use analytics that track individual child behavior
  • Schools use your product with K-5 students

COPPA May Not Apply If:

  • Your product is exclusively for high school (14+)
  • You only work with teachers, never students directly
  • You collect no personal information whatsoever
  • Schools handle all data collection themselves

Critical Distinction

"We don't market to kids" doesn't exempt you. The FTC judges whether a service is child-directed on the totality of the product (subject matter, visuals, language, age of characters and models, intended audience), and separately asks whether you have actual knowledge that under-13s are using it. If a school deploys your app with third-graders, you have that knowledge, and COPPA applies.

The COPPA Checklist for EdTech

1. Parental Consent (or School Consent)

Why it matters for EdTech: COPPA requires verifiable parental consent before collecting data from children under 13—but schools can consent on behalf of parents for educational purposes.

  • Determine Your Consent Model — Will you get consent from parents directly, or rely on schools to consent on their behalf?
  • School Consent for Educational Use — Schools can provide consent for the collection of student data when used strictly for educational purposes. Document this in your contracts.
  • Direct Parental Consent — If your app is used outside school contexts (home use, summer programs), you need direct parental consent.
  • Consent Verification — The FTC requires "verifiable" consent. A bare email reply is acceptable only under the "email plus" method (email confirmation followed by a second confirming step), and only if you use the data internally and never disclose it. Otherwise use a recognized method: a signed consent form returned by mail, fax, or scan, a payment transaction, a call to a toll-free number or a video call with trained staff, or a government ID check.

EdTech Tip

Most K-12 EdTech companies rely on school consent: FTC guidance lets a school act as the parent's agent, but only where the data is collected for the school's educational purposes and used for nothing else (no commercial use, no sharing for non-educational reasons). This is a COPPA concept, distinct from FERPA's "school official" exception, although one Data Processing Agreement usually covers both. Spell out in the DPA what the school is consenting to, which purposes it covers, and how the school can review and delete student data.

2. Privacy Policy Requirements

Why it matters for EdTech: COPPA has specific privacy policy requirements—generic policies won't cut it.

  • Direct Notice to Parents — COPPA requires two notices: a direct notice delivered to the parent (or, under school consent, to the school) before any collection, and an online privacy policy linked prominently on your home page and wherever children's data is collected.
  • COPPA-Specific Disclosures — Clearly state: what data you collect from children, how you use it, and whether you share it with third parties.
  • Contact Information — Include name, address, phone number, and email for a person who can respond to parent inquiries.
  • Parent Rights — Explain how parents can review their child's data, delete it, and revoke consent.

3. Data Minimization

Why it matters for EdTech: COPPA requires you to collect only what's necessary. This isn't just good practice—it's the law.

  • Collect Only What's Needed — Don't require real names if usernames work. Don't collect birthdates if age ranges suffice.
  • No Conditioning on Extra Data — You can't require children to provide more data than necessary to use your service.
  • Limit Persistent Identifiers — Cookies, device IDs, and similar identifiers are personal information under COPPA. Without consent they may be used only to "support internal operations" (authentication, security, frequency capping, aggregate analytics), so confine them to that and drop anything that builds a profile of an individual child.
  • No Behavioral Advertising — You cannot use children's data for targeted advertising. School consent never extends to commercial uses, and no EdTech product should depend on it.

Key Principle

When in doubt, collect less. Every piece of data you collect from children is a compliance liability. Design your product to function with minimal personal information.
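One way to make "collect less" a property of the code rather than a policy reminder is to minimize at the point of intake: read a roster payload, keep only the fields the product needs, reduce sensitive values to the coarse fact you actually use, and let the rest go before anything is written. The example below is added here and is not code from the original article; the field names, the StudentRecord shape, and the roster row are assumptions/constructed data. Note that the date of birth is consumed only to compute an under-13 flag and a grade band, and never persisted.

```python
"""Minimize a student record at intake: allowlist fields, derive coarse values,
and discard sensitive originals before anything is stored.

Added example, not from the original article. REQUIRED_FIELDS, the
StudentRecord shape and SAMPLE_ROSTER_ROW are assumptions/constructed data.
"""
from __future__ import annotations

import secrets
from dataclasses import asdict, dataclass
from datetime import date

REQUIRED_FIELDS = {"school_id", "class_id", "grade"}
OPTIONAL_FIELDS = {"display_name"}      # teacher-chosen nickname, not a legal name
TRANSIENT_FIELDS = {"date_of_birth"}    # read once, reduced to a flag, then discarded
ALLOWED_FIELDS = REQUIRED_FIELDS | OPTIONAL_FIELDS | TRANSIENT_FIELDS
# Anything not in ALLOWED_FIELDS is never read; it is reported as not persisted.


@dataclass(frozen=True)
class StudentRecord:
    student_id: str          # random; not derived from any real identifier
    school_id: str
    class_id: str
    grade_band: str          # "K-2", "3-5", "6-8" or "9-12", not the exact grade
    coppa_covered: bool      # drives consent and retention handling downstream
    display_name: str | None


def grade_band(grade: int) -> str:
    if grade <= 2:
        return "K-2"
    if grade <= 5:
        return "3-5"
    if grade <= 8:
        return "6-8"
    return "9-12"


def is_under_13(dob: date, today: date) -> bool:
    """Evaluated once at intake; the date of birth itself is never stored."""
    try:
        thirteenth = dob.replace(year=dob.year + 13)
    except ValueError:  # born 29 Feb and the 13th year is not a leap year
        thirteenth = date(dob.year + 13, 3, 1)
    return today < thirteenth


def minimize(raw: dict, today: date) -> tuple[StudentRecord, list[str]]:
    """Return the record to persist and the names of raw fields NOT persisted."""
    missing = REQUIRED_FIELDS - raw.keys()
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    grade = int(raw["grade"])
    if "date_of_birth" in raw:
        covered = is_under_13(date.fromisoformat(raw["date_of_birth"]), today)
    else:
        # No DOB: err on the side of coverage and treat K-8 as including under-13s.
        covered = grade <= 8
    record = StudentRecord(
        student_id=secrets.token_urlsafe(12),
        school_id=str(raw["school_id"]),
        class_id=str(raw["class_id"]),
        grade_band=grade_band(grade),
        coppa_covered=covered,
        display_name=raw.get("display_name"),
    )
    not_persisted = sorted(k for k in raw if k not in ALLOWED_FIELDS or k in TRANSIENT_FIELDS)
    return record, not_persisted


# Constructed sample of what a roster export often carries: far more than needed.
SAMPLE_ROSTER_ROW = {
    "school_id": "sch-4471",
    "class_id": "cls-3b",
    "grade": 3,
    "display_name": "Sam",
    "legal_name": "Samuel Example",
    "date_of_birth": "2016-09-14",
    "home_address": "1 Example St",
    "parent_email": "parent@example.org",
    "device_id": "a1b2c3d4",
}


def minimize_sample(today: date = date(2025, 1, 15)) -> tuple[StudentRecord, list[str]]:
    return minimize(SAMPLE_ROSTER_ROW, today)


if __name__ == "__main__":
    rec, dropped = minimize_sample()
    print("stored:", asdict(rec))
    print("not persisted:", dropped)
```

The list of fields that were not persisted is worth logging (field names only, never values): it is the evidence for your data inventory that the legal name, address, parent email, and device ID arriving from the SIS were never written down.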

4. Data Security & Retention

Why it matters for EdTech: COPPA requires "reasonable" security measures—and breaches involving children attract extra regulatory scrutiny.

  • Encryption — Encrypt children's data at rest and in transit.
  • Access Controls — Limit who can access student data. Role-based access is essential.
  • Retention Limits — Only keep data as long as necessary for its purpose. Define retention periods.
  • Secure Deletion — When data is no longer needed (or consent is revoked), delete it everywhere it lives: primary database, analytics exports, search indexes, logs, backups, and any vendor that received it. Verify the deletion rather than assuming the job succeeded.

5. Third-Party & Vendor Controls

Why it matters for EdTech: If your vendors access children's data, they become your COPPA liability.

  • Vendor Inventory — List every third party that might access student data.
  • COPPA-Compliant Vendors Only — Ensure vendors have their own COPPA compliance programs.
  • Contractual Protections — Include COPPA obligations in vendor contracts.
  • No Unauthorized Use — Vendors cannot use children's data for their own purposes.

EdTech Tip

Common violation: dropping a general-purpose analytics or advertising tag onto child-directed pages. Anonymizing the IP address helps but doesn't fix it: the tag's client or device ID is itself a persistent identifier, which COPPA treats as personal information. Use a vendor's child-directed treatment setting where it offers one, keep analytics within the "internal operations" exception, and review every tracking tool for what it actually collects and where it sends it.

Common COPPA Mistakes EdTech Founders Make

Mistake 1: Relying on Age Gates Alone

A checkbox asking "Are you 13 or older?" doesn't provide COPPA compliance on its own. If your product is clearly designed for children, or if you have actual knowledge children use it, age gates don't protect you; the FTC looks at the totality of the product. Where an age screen is appropriate (a general-audience product with some under-13 users), it must be neutral: ask for a birth date rather than suggesting the right answer, and don't let a user go back and try again.

Mistake 2: Assuming School Consent Covers Everything

Schools can consent for educational use—but only for educational use. If your app has features students use at home, or if data is used for non-educational purposes, school consent may not be sufficient. Define "educational purpose" narrowly.
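The consent model in section 1 and the scope problem in this mistake come down to one check that every data use should pass: is there an active consent record for this child whose scope covers this purpose? The gate below is an added example, not code from the original article; the purpose names, the Consent shape, the grantor scopes, and the walkthrough records are assumptions for illustration. School consent covers educational purposes only, parental consent adds home use, revocation is dated rather than deleted, and behavioral advertising is refused regardless of what consent exists, matching the article's rule.

```python
"""Purpose-scoped consent gate: every use of a child's data is checked against
an active consent record whose scope covers that purpose.

Added example, not from the original article. Purpose names, the Consent
shape, the grantor scopes and the walkthrough records are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum


class Purpose(Enum):
    DELIVER_LESSONS = "deliver_lessons"          # core classroom use
    TEACHER_PROGRESS_REPORT = "teacher_report"
    INTERNAL_OPERATIONS = "internal_operations"  # security, debugging, aggregate metrics
    HOME_PRACTICE = "home_practice"              # use outside the school context
    BEHAVIORAL_ADS = "behavioral_ads"


# School consent (the school acting as the parent's agent) covers educational
# purposes for the school's benefit only.
SCHOOL_SCOPE = {Purpose.DELIVER_LESSONS, Purpose.TEACHER_PROGRESS_REPORT, Purpose.INTERNAL_OPERATIONS}
# Verifiable parental consent additionally covers use outside school.
PARENT_SCOPE = SCHOOL_SCOPE | {Purpose.HOME_PRACTICE}
# Product policy, matching the article: never, whatever consent exists.
NEVER = {Purpose.BEHAVIORAL_ADS}


@dataclass
class Consent:
    child_id: str
    grantor: str                 # "school" or "parent"
    method: str                  # how it was obtained, e.g. "dpa_contract", "signed_form"
    granted_on: date
    revoked_on: date | None = None   # kept, not deleted: the audit trail needs it

    def active(self, today: date) -> bool:
        return self.granted_on <= today and (self.revoked_on is None or today < self.revoked_on)


class ConsentGate:
    def __init__(self) -> None:
        self._by_child: dict[str, list[Consent]] = {}

    def record(self, consent: Consent) -> None:
        self._by_child.setdefault(consent.child_id, []).append(consent)

    def revoke(self, child_id: str, grantor: str, on: date) -> None:
        for c in self._by_child.get(child_id, []):
            if c.grantor == grantor and c.revoked_on is None:
                c.revoked_on = on

    def check(self, child_id: str, purpose: Purpose, today: date) -> tuple[bool, str]:
        """Default deny: with no matching active consent, the answer is no."""
        if purpose in NEVER:
            return False, f"{purpose.value} is never permitted with children's data"
        for c in self._by_child.get(child_id, []):
            if not c.active(today):
                continue
            scope = PARENT_SCOPE if c.grantor == "parent" else SCHOOL_SCOPE
            if purpose in scope:
                return True, f"covered by {c.grantor} consent ({c.method})"
        return False, f"no active consent covers {purpose.value}"


def walkthrough() -> dict[str, bool]:
    """Constructed scenario: school consent, then parental consent added and revoked."""
    gate = ConsentGate()
    today = date(2025, 3, 1)
    gate.record(Consent("stu-1", "school", "dpa_contract", date(2024, 9, 1)))
    out = {
        "lessons_under_school_consent": gate.check("stu-1", Purpose.DELIVER_LESSONS, today)[0],
        "home_use_under_school_consent": gate.check("stu-1", Purpose.HOME_PRACTICE, today)[0],
        "unknown_child": gate.check("stu-9", Purpose.DELIVER_LESSONS, today)[0],
    }
    gate.record(Consent("stu-1", "parent", "signed_form", date(2025, 1, 10)))
    out["home_use_after_parent_consent"] = gate.check("stu-1", Purpose.HOME_PRACTICE, today)[0]
    out["behavioral_ads_with_both_consents"] = gate.check("stu-1", Purpose.BEHAVIORAL_ADS, today)[0]
    gate.revoke("stu-1", "parent", date(2025, 2, 1))
    out["home_use_after_revocation"] = gate.check("stu-1", Purpose.HOME_PRACTICE, today)[0]
    out["lessons_after_parent_revocation"] = gate.check("stu-1", Purpose.DELIVER_LESSONS, today)[0]
    return out


if __name__ == "__main__":
    for name, allowed in walkthrough().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Put the check at the data access layer, not in individual features: a new "practice at home" feature then fails closed for every child who only has school consent, instead of quietly reusing classroom data outside the scope the school agreed to.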

Mistake 3: Overlooking Third-Party SDKs

That analytics SDK, crash reporting tool, or ad network you integrated? If it collects persistent identifiers from children, you're liable. Audit every SDK and third-party integration for COPPA compliance.

Mistake 4: Not Having a Deletion Process

Parents have the right to request deletion of their child's data at any time. If you can't actually delete the data when requested, you're violating COPPA. Build deletion into your architecture from the start.
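"Build deletion into your architecture" means two concrete things that the retention bullets in section 4 also ask for: a registry of every place a child's data lives, and a deletion routine that fans out to all of them and then verifies the result instead of trusting it. The example below is added here and is not code from the original article; the store names, retention periods, Vendor interface, and sample rows are assumptions/constructed data. It includes an immutable backup on purpose, because that is where deletion most often silently fails, and the report surfaces it as residue.

```python
"""Retention sweep and verified deletion across every place a child's data
lives, including third parties that must confirm.

Added example, not from the original article. Store names, RETENTION values,
the Vendor interface and the sample rows are assumptions/constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# One retention period per purpose, declared centrally so it can be audited.
RETENTION = {
    "progress": timedelta(days=365),    # needed for the school year (assumed value)
    "session_log": timedelta(days=30),  # debugging only (assumed value)
}


@dataclass
class Row:
    child_id: str
    kind: str       # key into RETENTION
    created: date
    payload: str


class Store:
    """One location holding children's data: primary DB, analytics export, search index."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rows: list[Row] = []

    def delete_child(self, child_id: str) -> int:
        before = len(self.rows)
        self.rows = [r for r in self.rows if r.child_id != child_id]
        return before - len(self.rows)

    def count_child(self, child_id: str) -> int:
        return sum(1 for r in self.rows if r.child_id == child_id)

    def expire(self, today: date) -> int:
        keep = [r for r in self.rows if r.created + RETENTION[r.kind] > today]
        removed = len(self.rows) - len(keep)
        self.rows = keep
        return removed


class ImmutableBackup(Store):
    """A snapshot that cannot be edited in place; rows leave only when the snapshot is rotated."""

    def delete_child(self, child_id: str) -> int:
        return 0

    def expire(self, today: date) -> int:
        return 0


class Vendor:
    """A third party that received data; deletion is a request tracked until confirmed."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.pending: set[str] = set()

    def request_deletion(self, child_id: str) -> None:
        self.pending.add(child_id)

    def confirm(self, child_id: str) -> None:
        self.pending.discard(child_id)


@dataclass
class DeletionReport:
    child_id: str
    removed: dict[str, int] = field(default_factory=dict)
    vendor_requests: list[str] = field(default_factory=list)
    residue: list[str] = field(default_factory=list)  # stores still holding the child's rows

    @property
    def complete(self) -> bool:
        return not self.residue


class DataRegistry:
    """Inventory of every store and vendor. Unregistered locations can't be swept or deleted."""

    def __init__(self, stores: list[Store], vendors: list[Vendor]) -> None:
        self.stores, self.vendors = stores, vendors

    def delete_child(self, child_id: str) -> DeletionReport:
        report = DeletionReport(child_id)
        for s in self.stores:
            report.removed[s.name] = s.delete_child(child_id)
        for v in self.vendors:
            v.request_deletion(child_id)
            report.vendor_requests.append(v.name)
        # Verify, don't trust: re-read every store after deleting.
        report.residue = [s.name for s in self.stores if s.count_child(child_id)]
        return report

    def retention_sweep(self, today: date) -> dict[str, int]:
        return {s.name: s.expire(today) for s in self.stores}


def build_sample_registry() -> DataRegistry:
    """Constructed sample data, not real records."""
    primary, analytics = Store("primary_db"), Store("analytics_export")
    backup = ImmutableBackup("nightly_backup")
    primary.rows += [
        Row("stu-1", "progress", date(2024, 9, 5), "unit 3 score"),
        Row("stu-1", "session_log", date(2024, 9, 5), "login from classroom"),
        Row("stu-2", "progress", date(2025, 1, 10), "unit 1 score"),
    ]
    analytics.rows.append(Row("stu-1", "session_log", date(2024, 12, 1), "event batch"))
    backup.rows.append(Row("stu-1", "progress", date(2024, 9, 5), "unit 3 score"))
    return DataRegistry([primary, analytics, backup], [Vendor("crash_reporter")])


if __name__ == "__main__":
    reg = build_sample_registry()
    print("expired:", reg.retention_sweep(date(2025, 1, 15)))
    report = reg.delete_child("stu-1")  # e.g. a parent revoked consent
    print("deleted:", report.removed, "vendors notified:", report.vendor_requests)
    print("complete:", report.complete, "residue:", report.residue)
```

In the sample the report comes back incomplete because of the backup. That is the useful outcome: it tells you deletion is not finished until the snapshot rotates out, or until you adopt per-child encryption keys that you can destroy (crypto-shredding). The report plus the vendor confirmations are what you keep as the record of honoring a parent's request.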

COPPA Enforcement: What's at Stake

Company | Year | Fine/Settlement
Epic Games (Fortnite) | 2022 | $275 million
Google/YouTube | 2019 | $170 million
TikTok | 2019 | $5.7 million
Viacom (Nick.com) | 2019 | $950,000
HyperBeard Games | 2020 | $4 million

The FTC can fine up to $50,120 per violation (the amount is adjusted for inflation each year), and each child's data collected without proper consent can be a separate violation. For a product with thousands of users, the math gets scary fast.

Realistic Timeline: EdTech to COPPA Compliant

Phase | Duration | What You're Doing
Data Audit | Week 1-2 | Inventory all data collected from children
Policy Updates | Week 2-3 | COPPA-compliant privacy policy, parent notices
Consent Mechanism | Week 3-5 | Build/update consent flows for parents or schools
Vendor Review | Week 4-6 | Audit all third parties, update contracts
Technical Controls | Week 5-7 | Data minimization, deletion capabilities
Documentation | Week 6-8 | Document compliance, prepare for audits

Total: 6-8 weeks for most EdTech startups. Products with significant third-party dependencies or complex data flows may take longer.

COPPA vs FERPA: Understanding Both

Question | COPPA | FERPA
Who does it protect? | Children under 13 | Students of any age (rights pass to the student at 18)
What triggers it? | Collecting personal information from kids online | Handling education records from schools that receive federal funding
Who enforces it? | FTC | Department of Education
Consent model | Verifiable parental consent, or school consent for educational use | Parental consent, with exceptions such as the "school official" exception EdTech vendors typically rely on
Penalties | Civil penalties per violation (about $50K, adjusted annually) | Loss of federal funding

Key Insight

Most K-12 EdTech companies need BOTH COPPA and FERPA compliance. COPPA protects younger children specifically; FERPA covers all student data received from schools. They're complementary, not alternatives.

Quick Start: Your First Week

Day 1-2: Data Inventory

List every piece of data you collect from users under 13. Include analytics, crash reporting, and any third-party tools.

Day 3-4: Consent Audit

How are you currently getting consent? Is it from schools or parents? Is it verifiable? Document gaps.

Day 5: Vendor Review

List every third-party service in your product. Check each for COPPA compliance. Flag any that are problematic.

Day 6-7: Privacy Policy Review

Does your privacy policy meet COPPA's specific requirements? Draft updates if needed.

Next Steps

COPPA compliance protects children—and protects your company from significant legal risk. The key is designing with privacy in mind: collect less, secure what you have, and be transparent with parents and schools.

Don't wait for an FTC inquiry to take COPPA seriously. The companies that build privacy into their products from the start avoid the scramble—and the headlines—later.

Building for young learners? vCISO Lite helps EdTech companies navigate COPPA and FERPA together, with integrated compliance tracking and school-ready documentation.
