Resources·AI for Teachers
FERPA vs COPPA: What Each Law Covers and Who Enforces It
FERPA and COPPA side by side — which binds schools vs. vendors, who enforces each, the under-13 line, and what both mean when a district vets an AI tool.
What's the difference between FERPA and COPPA?
FERPA is a U.S. Department of Education law restricting how schools disclose information from student education records. COPPA is a Federal Trade Commission rule restricting how commercial online services collect personal information from children under 13. The first binds schools; the second binds companies.
The two laws travel together through every district AI conversation, usually as a single hyphenated blur — "make sure it's FERPA-and-COPPA compliant" — as if they were one requirement with two names. They aren't, and the FERPA-vs-COPPA distinction is worth keeping sharp: different agencies wrote them, they regulate different parties, they trigger on different events, and they fail in different ways. A school that treats them as one law ends up asking each the questions only the other can answer.
This page keeps them apart. If your question is instead whether FERPA applies to AI tools at all, what a data privacy agreement actually commits a vendor to, or whether you can paste a specific thing into a chatbot, that reasoning lives in our guide to student data privacy and AI — this page links into it wherever it goes deeper. And a standing caveat: what follows is a map drawn from the primary sources, not legal advice. Where your district's counsel draws a stricter line, theirs wins.
The side-by-side
| FERPA | COPPA | |
|---|---|---|
| Full name | Family Educational Rights and Privacy Act | Children's Online Privacy Protection Act |
| Enacted | 1974 | 1998 |
| Regulation | 34 CFR Part 99 | 16 CFR Part 312 |
| Written and enforced by | U.S. Department of Education | Federal Trade Commission (state attorneys general can also enforce) |
| Who must comply | Schools and districts receiving federal education funds | Commercial operators of websites, apps, and online services |
| Whom it protects | Students of any age — rights sit with parents and transfer to the student at 18 | Children under 13 |
| What it protects | Personally identifiable information from education records | Personal information collected online from the child |
| Consent baseline | Signed, written parental consent before the school discloses, unless an exception applies | Verifiable parental consent before the operator collects; a school can consent as the parent's agent in the educational context |
| The teeth | Federal funding: withheld payments, cease-and-desist orders, terminated eligibility | Civil penalties, up to $53,088 per violation as of mid-2026 |
The rows that decide real cases are unpacked below — the consent row most of all, so it gets the longest treatment.
Who each law binds: the school or the company
FERPA applies to any "educational agency or institution to which funds have been made available" under a Department of Education program — in practice, essentially every public school and district in the country. The obligations run to the school: it may not disclose personally identifiable information from education records without consent or a qualifying exception, and it must honor parents' rights to inspect and amend those records. A software company, standing alone, cannot violate FERPA in any direct sense. When student data ends up somewhere it shouldn't, the legal event was the school's improper disclosure — the vendor was just where the data landed.
COPPA points the other way. The rule's definition of an operator covers anyone running a commercial website or online service that collects personal information from users, and the duties — privacy notices, verifiable parental consent, giving parents review and deletion rights, retention limits — all fall on that operator. The school is not the regulated party. The FTC's COPPA compliance FAQ is unusually blunt about attempts to reverse this: "operators should not state in Terms of Service or anywhere else that the school is responsible for complying with COPPA, as it is the responsibility of the operator to comply with the Rule." A vendor whose terms try to hand your district its COPPA homework has told you something useful about the vendor.
Hold onto this asymmetry, because it reframes the standard vetting question. FERPA compliance is something your district does, largely through its contracts. COPPA compliance is something the vendor does, which your district verifies. Asking whether a tool "is FERPA compliant" is, strictly, a category error — a point the misreadings section returns to.
Where the under-13 line actually sits
FERPA has no age trigger. A kindergartener's records and a high-school senior's records get identical protection; the only age that matters is 18, when the rights FERPA gives parents transfer to the student — or earlier, if the student enrolls in a postsecondary institution at any age. COPPA is the opposite: the entire rule is about children under 13, and only about information collected online from the child — not information an adult types about them.
For an elementary school, that combination has two consequences worth spelling out. First, every student-facing digital tool in the building is inside COPPA's jurisdiction, because every user is under 13. There is no COPPA-free corner of a K-5 school the way there is in a high school. Second, COPPA's definition of personal information is wider than most adoption conversations assume. The rule and the FTC's FAQ count, among other things: first and last name, persistent identifiers that recognize a user over time and across services, photographs, video, audio files containing a child's image or voice, and geolocation. An AI reading app that records a second grader reading aloud is collecting personal information under COPPA even if no one ever types the child's name into it. So is a math app that sets a tracking cookie.
Two edge notes keep this honest. COPPA also reaches general-audience services with actual knowledge that they're collecting from under-13 users — so "our app isn't for kids" doesn't immunize a vendor whose sign-up data says otherwise. And nonprofit operators generally fall outside the rule, because COPPA rides on the FTC's jurisdiction over commercial entities.
Consent runs in opposite directions
Under FERPA, consent is the school's problem to solve before disclosing. The baseline in 34 CFR §99.30 is a signed and dated written consent from the parent before the school releases personally identifiable information from education records — with the crucial rider "except as provided in §99.31," the section listing exceptions. Practically, school life runs on those exceptions rather than on permission slips, and edtech runs on the school official exception in particular, which lets a district treat a contracted vendor as an extension of its own staff under specific conditions. Our privacy guide works through that exception, the "direct control" requirement, and the data privacy agreements districts sign to satisfy it; the point for this page is only that FERPA consent is between the parent and the school, and the school has lawful paths around collecting it case by case.
Under COPPA, consent is the operator's problem. 16 CFR §312.5 requires an operator to obtain verifiable parental consent before any collection, use, or disclosure of personal information from children. Schools enter the picture through FTC guidance: where a district contracts with an operator to collect students' information for the school's use and benefit — and for no other commercial purpose — the school "may act as the parent's agent and can consent under COPPA to the collection of kids' information on the parent's behalf." That agency comes with conditions on the operator. It must give the school the same direct notice of its data practices it would give a parent, and on request it must let the school review the information, have it deleted, and stop further collection. If the operator wants children's data for its own commercial ends beyond serving the school, school consent cannot cover that — the operator would need to go get parents' consent itself.
Worth noticing: the word "school" does not appear in the operative text of the COPPA rule. The school-consent pathway is FTC staff guidance layered over agency principles, not a clause you can cite in Part 312 — one reason careful district contracts spell the arrangement out rather than gesturing at "COPPA compliance." The rule itself was amended effective 2025 to tighten retention limits and third-party disclosure consent; what that amendment says about AI training specifically is covered in the privacy guide.
The FTC also answers a question districts quietly argue about: who at the school consents. Its FAQ recommends "that schools or school districts decide whether a particular site's or service's information practices are appropriate, rather than delegating that decision to the teacher." If you coordinate technology for a district, that sentence is your mandate in federal guidance — the sign-off belongs to your office, not to whichever classroom found the app first.
Who enforces, and what enforcement looks like
FERPA is enforced by the Department of Education's Student Privacy Policy Office, and the process is administrative from end to end. Parents — or students, once rights transfer — file complaints with the office, generally within 180 days of the violation. The office investigates, issues findings, and gives the school a window to comply voluntarily. Only if that fails does the Department reach for the remedies in 34 CFR §99.67: withholding payments, a cease-and-desist order, or terminating the school's eligibility for federal funding. Notice what's absent — there are no fines, and no penalties aimed at individual teachers. Nobody gets personally fined under FERPA; the pressure is institutional, which is why FERPA discipline reaches a classroom as district policy rather than as a federal knock on the door. The regulations do carry a sharp vendor-facing consequence, though: a third party that improperly rediscloses education-record information must be cut off from that school's records data for at least five years. For a vendor whose business is schools, that ban is closer to a death sentence than any fine.
COPPA enforcement looks like ordinary law enforcement, because it is. The FTC sues operators, and courts can impose civil penalties the FTC's FAQ puts — as of mid-2026 — at up to $53,088 per violation, a figure that compounds quickly when each child's data counts. Penalties in past actions have ranged from zero to many millions depending on egregiousness, the number of children involved, and what was done with the data. State attorneys general can bring COPPA actions too; the FTC's own FAQ points to a string of New York cases.
One review, two laws: the tech coordinator's desk
A K-5 district technology coordinator gets two requests in the same week: the second-grade team wants an AI reading tutor that students log into and read aloud to, and a fifth-grade teacher wants an AI lesson-drafting tool that only she will ever touch. Same district, same word — "AI" — but the legal review is almost entirely different, and two sorting questions do the split:
- Will students use it directly? If yes, COPPA is engaged, because an operator is about to collect personal information from children under 13.
- Will information from education records flow into it? If yes, FERPA is engaged, because the district is about to make a disclosure.
If you're the teacher rather than the coordinator, those two questions are also the whole request. Copy, fill in, send: "I'd like to use [tool]. Students would / would not use it directly, and student-record data would / would not flow into it — can you run it through approval?" That one message hands the coordinator everything the sort below requires.
The lesson-drafting tool answers no to the first question, so COPPA is essentially moot — no child's information is being collected online from a child. The review is a FERPA-and-policy review: what teacher-side data reaches the tool, whether rosters or grades will ever sync into it, and whether it therefore needs a signed agreement before it touches records (the privacy guide carries the vendor questions and the paste-scenarios that govern day-to-day use).
The reading tutor answers yes to both, so the coordinator is running two workstreams on one product. The FERPA workstream fires before a single student uses it: provisioning accounts from the roster is a disclosure of personally identifiable information from education records, so the vendor needs to qualify under the school official exception, with the district's direct control locked in by contract. The COPPA workstream fires the moment a seven-year-old starts reading into the microphone: the operator owes the district direct notice of its practices, review and deletion rights, and — decisively — a data model in which children's information serves the school and nothing else. If the vendor's terms let students' recordings train its models for products beyond the contracted service, the district's authority to consent as the parents' agent collapses, and the vendor is back to needing verifiable consent from every family individually. In practice that single condition sorts vendors faster than any rubric: the ones built for schools can say "for the school's use and no other commercial purpose" in writing, and the ones that can't, won't.
Neither workstream substitutes for the other. A tutor can clear COPPA perfectly and still be a FERPA problem if the district wires the roster into it without a contract; a vendor can sign a beautiful DPA and still be a COPPA problem if its consent machinery for under-13 collection doesn't exist.
Common misreadings, corrected
"COPPA doesn't apply to us — we're a school." Half true, in the least useful way. COPPA doesn't bind the school, but it fully applies to every commercial operator your students use, and your district sits inside the consent mechanics whether it wants to or not: school consent only works within the educational context, and the FTC says operators can't contract their compliance duties onto you. The law not regulating you is not the same as the law not concerning you.
"This tool is FERPA-certified." No such certificate exists. FERPA regulates schools, and no federal office reviews or approves software — so "FERPA compliant" on a vendor's website is self-description, not a credential. What creates actual obligations is the agreement your district signs; that's the document to ask for.
"It's COPPA-compliant, so it's safe for our classrooms." COPPA compliance means the operator handles under-13 collection lawfully. It says nothing about whether your district's disclosure of records into the tool is lawful, nothing about students who are 13, and nothing at all about whether the tool is any good.
"Our students are all over 13, so we're in the clear." That retires most of COPPA. FERPA doesn't age out — an eighth grader's records carry the same protection as a kindergartener's, and every records-disclosure question survives the thirteenth birthday intact.
"A teacher accepted the terms, so consent is handled." Two misses in one sentence. Click-accepting a free tool's terms creates an unreviewed contract on the vendor's terms rather than the district's — the privacy guide covers why that's the quiet failure mode of "free" — and the FTC's guidance places the consent decision with the school or district, not the individual teacher.
The pattern under all five is the same one this page opened with: each law binds one party and triggers on one event. FERPA binds the school and triggers on disclosure from records. COPPA binds the company and triggers on collection from a child. Ask which party and which event you're looking at, and most of the confusion resolves before the lawyers are needed. For what to do once it resolves — the vendor questions, the DPA registry check, and the five paste-or-don't scenarios — pick up at the student data privacy guide, or start from the one-screen checklist in AI for teachers.
Frequently asked questions
Do I need parental consent to use AI tools with students under 13?
Under COPPA that consent obligation belongs to the tool's operator, not to you. A school can consent as the parent's agent when the tool serves an educational purpose and no other commercial one; whether student-record information may flow into the tool is a separate FERPA question the district answers through its contracts.
Can students under 13 use AI chatbots at school?
As of July 2026 no consumer chatbot qualifies, because their own terms set minimum ages of 13 or higher. COPPA doesn't ban tools — it requires operator-side parental consent for under-13 collection — but a tool whose terms exclude your students was never a candidate for school consent in the first place.
Who enforces FERPA and COPPA?
FERPA is enforced by the U.S. Department of Education's Student Privacy Policy Office, whose ultimate lever is a school's federal funding. COPPA is enforced by the Federal Trade Commission — with civil penalties of up to $53,088 per violation as of mid-2026 — and state attorneys general can also bring COPPA actions.
Can an individual teacher give COPPA consent for a classroom app?
The FTC recommends against it: its guidance says schools or districts, not individual teachers, should decide whether a service's information practices are appropriate. If you're a teacher weighing an under-13 tool, the right move is to route it to whoever handles tool approval in your district.
Is there such a thing as a FERPA-certified AI tool?
No. FERPA regulates schools, not software, and no federal office reviews or certifies apps. A vendor calling itself 'FERPA compliant' is describing its own posture; the instrument that actually binds a vendor is a signed data privacy agreement with your district.
Does COPPA apply to free AI tools?
Yes, whenever the operator is a commercial entity — COPPA turns on collection from children under 13, not on price. The genuine exemption is for nonprofit operators, which mostly sit outside the FTC's jurisdiction; a free commercial tool gets no such pass, and is usually adopted through click-wrap terms nobody at the district reviewed.
Your next lesson is a sentence away.
Planning Partner drafts standards-aligned, differentiated lessons — then hands you the controls.
Start free