FERPA and COPPA Compliance: Complete Guide for Schools 2026
Understanding federal student data privacy laws, parent rights, school responsibilities, and compliance checklists to protect student information and avoid penalties.
Student data privacy is no longer optional — it's a legal and ethical imperative. FERPA (Family Educational Rights and Privacy Act) and COPPA (Children's Online Privacy Protection Act) are the two most important federal laws protecting student information. Schools that fail to comply risk losing federal funding, facing fines up to $43,280 per COPPA violation, and damaging parent trust. This comprehensive guide explains everything your school needs to know about FERPA and COPPA compliance.
📚 What is FERPA? (Family Educational Rights and Privacy Act)
FERPA is a federal law that protects the privacy of student education records. It applies to all schools that receive funding from the U.S. Department of Education — virtually all public schools and many private schools.
🔑 Key FERPA Provisions
- Right to inspect and review: Parents have the right to inspect their child's education records within 45 days of request.
- Right to request amendments: Parents can request corrections to inaccurate or misleading records.
- Right to consent to disclosure: Schools must obtain written parental consent before disclosing personally identifiable information (PII) to third parties.
- Right to file complaints: Parents can file complaints with the U.S. Department of Education if they believe their FERPA rights have been violated.
- Annual notification requirement: Schools must notify parents annually of their FERPA rights (typically in a student handbook or school website).
FERPA applies to "education records" — any record directly related to a student maintained by an educational agency. This includes grades, attendance records, discipline records, health records, and even teacher emails about a student.
🔒 What is COPPA? (Children's Online Privacy Protection Act)
COPPA applies to websites, online services, and mobile apps directed at children under 13. It also applies to general audience sites that knowingly collect personal information from children.
🔑 Key COPPA Provisions
- Verifiable parental consent required: Schools must obtain verifiable parental consent before collecting personal information from children under 13.
- Clear privacy policy required: Schools must post a clear, understandable privacy policy describing what information is collected and how it's used.
- Parent review and deletion rights: Parents have the right to review and delete their child's information.
- Data minimization: Schools cannot require children to disclose more information than is reasonably necessary.
- Data security: Schools must maintain reasonable security procedures to protect children's information.
COPPA applies to "personal information" including: first and last name, home address, email address, phone number, Social Security number, persistent identifiers (cookies, IP addresses), photos, videos, and geolocation data.
📊 FERPA vs COPPA: Key Differences School Leaders Must Know
While both laws protect student privacy, they apply to different situations and have different requirements. Here's a detailed comparison:
| Aspect | FERPA | COPPA |
|---|---|---|
| Who enforces? | U.S. Department of Education | Federal Trade Commission (FTC) |
| Who is protected? | All students regardless of age | Children under 13 |
| Which schools must comply? | Schools receiving federal funding | Any website/service collecting child data |
| Parental consent required? | For disclosing records to third parties | Before collecting any personal information |
| Maximum penalty | Loss of federal funding | $43,280 per violation |
| Right to delete data? | No explicit deletion right | Yes, parents can request deletion |
| Annual notification required? | Yes, to parents annually | Privacy policy must be posted |
⚠️ FERPA Exceptions: When Schools Can Disclose Without Consent
FERPA includes several important exceptions where schools can disclose student records without parental consent:
- School officials with legitimate educational interest — teachers, administrators, counselors who need the information to perform their duties.
- Transfer to another school — records can be transferred when a student transfers to another educational institution.
- Financial aid purposes — to determine eligibility, amount, or conditions of financial aid.
- Health and safety emergencies — to protect the health or safety of the student or others.
- Directory information — schools may disclose "directory information" (name, address, phone number, honors, awards) without consent if parents are given opt-out notice.
- Court orders or subpoenas — with reasonable effort to notify parents before compliance.
🤖 COPPA and AI: What Schools Need to Know in 2026
With the rapid adoption of AI tools in education, COPPA compliance has become more complex. The FTC has clarified that COPPA applies to AI-powered educational tools that collect student data.
⚠️ Important COPPA AI Guidance:
- AI chatbots — Schools must obtain parental consent before students under 13 interact with AI chatbots that collect personal information.
- AI writing assistants — Must have clear privacy policies and data deletion procedures.
- Automated content generation — Schools must ensure AI tools do not retain student data for training purposes without consent.
📋 FERPA and COPPA Compliance Checklist for Schools
Use this checklist to ensure your school is fully compliant with both laws:
✅ Annual Compliance Requirements
✅ Data Collection & Consent
✅ Data Security Measures
👪 Parent Rights: What Parents Can Expect From Your School
Under FERPA and COPPA, parents have these fundamental rights:
- Right to access (FERPA): Request and receive copies of all education records within 45 days.
- Right to amend (FERPA): Request corrections to inaccurate or misleading records.
- Right to consent (FERPA & COPPA): Approve or deny disclosure of personally identifiable information to third parties.
- Right to review and delete (COPPA): Parents can review and request deletion of their child's personal information from online services.
- Right to complain (FERPA): File complaints with the U.S. Department of Education.
- Right to opt-out (FERPA): Decline directory information sharing (name, address, photos, etc.).
🛡️ Managing Third-Party Vendors Under FERPA and COPPA
Many data breaches occur through third-party vendors — learning apps, assessment tools, communication platforms, and cloud storage. Follow these best practices:
- Vet all vendors before signing contracts: Request their privacy policies, security certifications (SOC2, ISO 27001), and data breach history.
- Sign data protection agreements (DPA): Legally binding contracts specifying how vendors handle, store, and delete student data.
- Restrict data sharing: Vendors should receive only the minimum data necessary for their service.
- Require breach notification: Vendors must notify your school within 48 hours of a data breach.
- Conduct annual vendor reviews: Ensure vendors remain compliant with evolving laws and standards.
- Maintain a vendor inventory: Document every third-party application or service that receives student data.
💻 CIPA and COPPA: Understanding the Difference
Schools often confuse CIPA (Children's Internet Protection Act) with COPPA. Here's the distinction:
📡 CIPA
Requires schools to implement internet filtering and safety policies to receive E-rate funding.
Focus: Blocking inappropriate content online
🔒 COPPA
Requires parental consent before collecting personal information from children under 13.
Focus: Protecting collected data privacy
Both laws are important for school compliance, but they serve different purposes. CIPA focuses on filtering, while COPPA focuses on data collection consent.
🏫 Case Study: How One School Recovered from a COPPA Violation
Scenario: A California elementary school used a popular reading app that collected student email addresses and reading progress data. The school did not obtain parental consent before account creation.
FTC Action: $50,000 fine for COPPA violations plus required implementation of a comprehensive privacy program.
Lessons learned: The school now maintains a "COPPA-approved vendor list," obtains written parental consent before any digital tool usage, and conducts quarterly compliance audits.
📌 Key takeaway: Parental consent is NOT optional for children under 13 using online services.
📁 FERPA Rules for Digital Records and Cloud Storage
FERPA applies equally to paper and digital records. Schools using cloud storage, learning management systems, or student information systems must ensure:
- Cloud providers sign data protection agreements (DPAs)
- Student data is encrypted both in transit and at rest
- Access logs are maintained and reviewed regularly
- Data is not stored on personal devices or unsecured servers
- Parents have the same access rights to digital records as paper records
❓ Frequently Asked Questions About FERPA and COPPA
Q: Can schools sell student data to advertisers?
No. Under FERPA and most state laws, selling student data for commercial purposes (advertising, marketing) is strictly prohibited. Schools cannot share student data for commercial gain without explicit parental consent.
Q: How long should schools retain student data?
Retention periods vary by jurisdiction and data type. Best practice: Keep academic records for 3-5 years after graduation, attendance and disciplinary records for 3 years, and health records as required by law (often 7+ years). Delete or anonymize outdated data.
Q: Do FERPA and COPPA apply to private schools?
FERPA only applies to schools receiving federal funding (most public schools). However, many states have similar student privacy laws that apply to private schools. COPPA applies to any website or online service directed at children under 13, regardless of school type.
Q: What is a FERPA "directory information" opt-out?
FERPA allows schools to disclose "directory information" (name, address, phone number, honors, awards) without consent, but schools must give parents the opportunity to opt out annually. Many schools provide this opt-out form during registration.
Q: How do FERPA and COPPA work together?
FERPA governs education records held by schools. COPPA governs information collected online from children under 13. When a school uses an online service that collects student data, both laws may apply — FERPA for the school's records, COPPA for the online service's collection practices.
Q: What are the penalties for COPPA violations?
The FTC can impose civil penalties of up to $43,280 per violation. In practice, fines can reach millions of dollars for widespread violations. The FTC has also required companies to delete illegally collected data and implement comprehensive privacy programs.
📋 Staff Training Checklist for FERPA and COPPA
All school staff who handle student data should complete this training annually:
About the Author
Usman Ali is the founder of EduTrackHub and a certified education data privacy specialist. He has consulted for 100+ schools on FERPA, COPPA, and GDPR compliance, helping them implement data protection frameworks that prevent breaches and build parent trust. He holds certifications in education law and data privacy from recognized institutions.
📧 goneawayas@gmail.com