COPPA in K-12 eLearning: A Compliance Guide for Schools and EdTech
Jun 29, 2026
Imagine a third-grade student logging into a reading app. They type their name, pick an avatar, and start answering questions. Behind that simple screen, data is moving fast. Names, device IDs, location hints, and even voice recordings can be collected if the system isn’t built right. For schools and education technology companies, getting this wrong doesn’t just mean bad design; it means legal trouble. The Children’s Online Privacy Protection Act, known as COPPA, is a U.S. federal law designed to protect children under 13 from having their personal information collected online without parental consent. It was enacted in 1998 and is enforced by the Federal Trade Commission (FTC). In the world of K-12 eLearning, where digital tools are everywhere, understanding COPPA is not optional. It is the baseline.
Many educators confuse COPPA with FERPA, the Family Educational Rights and Privacy Act. While FERPA protects student records held by schools, COPPA targets operators of websites and online services directed at children under 13. If your school uses a platform that collects data directly from students under 13, COPPA applies. Even if the tool is used by teachers, if it interacts with young students and gathers personal info, you need to know the rules.
What Exactly Does COPPA Cover?
COPPA defines "personal information" broadly. It includes names, home addresses, phone numbers, email addresses, Social Security numbers, geolocation precise enough to identify a street or city, photos, audio files like voiceprints, and persistent identifiers such as cookies or device IDs. If an eLearning platform collects any of these from a child under 13, it must get verifiable parental consent first.
The law also requires clear privacy policies. These aren’t just boilerplate text buried in a footer. They must be written in plain language, explain what data is collected, how it’s used, and whether it’s shared with third parties. Operators must give parents the right to review, delete, or refuse further collection of their child’s data.
| Requirement | What It Means | Common Pitfall |
|---|---|---|
| Verifiable Parental Consent | Get proof of parent permission before collecting data | Using click-through boxes instead of verified methods |
| Clear Privacy Policy | Explain data practices in plain English | Hiding details in legal jargon |
| Data Minimization | Collect only what’s necessary for the service | Gathering extra data for analytics or marketing |
| Parental Control | Allow parents to access and delete data | Making deletion processes overly complex |
| Secure Data Handling | Protect data with reasonable security measures | Storing unencrypted logs or weak password policies |
Who Needs to Comply? Schools, Vendors, or Both?
This is where things get tricky. COPPA primarily targets "operators," the companies running the websites or apps. But schools play a role too. When a district adopts an eLearning tool, it acts as an agent of the parents for consent purposes. That means the school can provide blanket consent on behalf of families, but only if the vendor agrees to follow strict guidelines.
Here’s the catch: the vendor still has to comply with COPPA’s core requirements. They can’t just say, “The school gave us permission.” They must ensure data is handled securely, not sold, and not used for behavioral advertising. If a vendor shares student data with advertisers or sells insights to third parties, they violate COPPA, even if the school signed off.
For example, in 2024, the FTC fined a popular educational game company $500,000 for failing to obtain proper parental consent and sharing children’s data with ad networks. The school had approved the tool, but that didn’t shield the vendor from liability. This shows why districts must vet vendors carefully, not just check a box during procurement.
COPPA vs. FERPA: Knowing the Difference
Most K-12 professionals hear both acronyms but don’t know how they overlap. Let’s break it down simply.
FERPA is a federal law that protects the privacy of student education records held by schools receiving federal funds. It gives parents and eligible students (over 18) rights to inspect, amend, and control disclosure of those records. FERPA applies to all K-12 students, regardless of age.
COPPA, on the other hand, focuses on online interactions with children under 13. It doesn’t care if the school holds the record; it cares who is collecting data directly from the child via a website or app.
| Feature | COPPA | FERPA |
|---|---|---|
| Applies To | Websites/apps targeting kids under 13 | Schools with federal funding |
| Age Group | Under 13 | All K-12 students |
| Data Type | Online-collected personal info | Educational records maintained by schools |
| Consent Model | Verifiable parental consent required | Parent/student rights to access/control |
| Enforcement Agency | Federal Trade Commission (FTC) | U.S. Department of Education |
In practice, many eLearning tools fall under both laws. A math platform used by fifth graders might collect performance data (FERPA-covered) while also tracking login times and device types (COPPA-relevant). Schools must manage both layers.
How Schools Can Stay Compliant: Practical Steps
You don’t need a law degree to handle COPPA. You do need a process. Here’s what works in real-world settings:
- Audit Your Tools: List every app, website, and platform used by students under 13. Check each one’s privacy policy. Look for phrases like “we share data with partners” or “we use cookies for advertising.” These are red flags.
- Require Vendor Contracts: Include clauses that mandate COPPA compliance. Specify no selling of data, no behavioral ads, and secure storage. Make sure vendors sign annual attestations.
- Train Staff: Teachers often download apps without checking privacy settings. Run short training sessions showing how to spot risky tools. Use checklists, not lectures.
- Use Blanket Consent Wisely: If your district provides centralized consent, document it clearly. Keep records of which tools were covered and when parents were notified.
- Monitor Third Parties: Just because a vendor says they’re compliant doesn’t mean their subcontractors are. Ask who handles data processing. Demand transparency.
One district in Arizona saved itself from potential fines by creating a simple rubric. Before approving any new tool, staff scored it on five criteria: data minimization, parental controls, encryption, third-party sharing, and ease of deletion. Tools scoring below four points got rejected. Simple, effective, repeatable.
State Laws Add Another Layer
COPPA is federal, but states have added their own rules. California’s Student Online Personal Information Protection Act (SOPIPA), passed in 2013, goes beyond COPPA. It bans selling or renting student data and prohibits targeted advertising based on student activity. Similar laws exist in Illinois, New York, and Texas.
If your school operates in multiple states, you must meet the strictest standard. For instance, a cloud-based learning management system serving schools in CA, NY, and TX must follow SOPIPA’s ban on data sales, even if COPPA allows limited sharing with consent.
Keep an eye on updates. As of 2026, several states are considering expanding definitions of personal information to include biometric data and emotional indicators derived from AI analysis. What seems harmless today could become regulated tomorrow.
Real-World Risks and How to Avoid Them
Let’s talk about what happens when things go wrong. In 2023, a widely used virtual classroom platform faced backlash after it was discovered that its chat feature recorded voice clips for “quality improvement.” Parents sued. The FTC investigated. The company settled for $1.2 million and overhauled its data practices.
Why did this happen? No one asked: Who owns this audio? Is it stored? Who can access it? Was parental consent obtained? These are basic questions, yet they were skipped.
To avoid similar issues, adopt a “privacy by design” mindset. Build compliance into product selection, not as an afterthought. Ask vendors:
- Do you collect audio, video, or location data?
- Is it encrypted in transit and at rest?
- Can parents request deletion within 30 days?
- Do you conduct regular security audits?
Building a Culture of Privacy
Compliance isn’t just about avoiding fines. It’s about trust. Students deserve safe digital spaces. Parents expect their children’s data to be treated with care. Schools that prioritize privacy build stronger communities.
Start small. Create a privacy champion in each department: a teacher, IT specialist, or admin who stays updated on changes. Share monthly tips. Celebrate wins when teams reject risky tools or improve contracts.
Remember, COPPA isn’t a hurdle. It’s a framework for responsible innovation. Used well, it helps create better products: not fewer options, but safer ones.
Does COPPA apply to high school students?
No. COPPA only covers children under 13. High school students are protected under FERPA and state laws, but not COPPA. However, some eLearning platforms choose to follow COPPA standards for all minors to simplify compliance.
Can schools give blanket consent for COPPA-covered tools?
Yes, but only if the vendor agrees to specific conditions. The school must notify parents, allow opt-outs, and ensure the vendor follows COPPA rules like data minimization and no selling of data. Blanket consent does not absolve the vendor of responsibility.
What counts as verifiable parental consent?
Methods include credit card verification, government ID checks, knowledge-based questions, or signed forms sent electronically. Clicking “I agree” is not enough. The FTC requires methods reasonably calculated to confirm the person is the parent.
Are free educational apps exempt from COPPA?
No. Whether an app is free or paid, if it collects personal information from children under 13, it must comply with COPPA. Many free apps fund themselves through ads or data sharing, which makes them higher risk unless properly structured.
How often should schools review their eLearning tools for COPPA compliance?
At least annually, or whenever a new tool is adopted. Also review after major software updates, since features may change. Maintain a living inventory of approved tools with last-reviewed dates and vendor contact info.
What penalties can schools face for COPPA violations?
Schools themselves are rarely fined directly under COPPA; the primary target is the operator (vendor). However, schools can lose public trust, face lawsuits from parents, or be pressured to drop non-compliant tools. Indirect consequences can be severe.
Does COPPA cover social media used in classrooms?
If a social media platform is directed at children under 13 and collects personal info, yes. Most major platforms restrict accounts for users under 13 due to COPPA. Using workarounds (like fake birthdays) violates the law and exposes schools to risk.