SafeGradeAI
Student Privacy

What COPPA and FERPA Mean for AI Platforms

A plain-English walkthrough of the two US laws that govern student data, what they require of AI vendors, and the questions districts should ask before buying.

S
SafeGradeAI Editorial Team
Research & Policy
·March 25, 2026·Updated May 23, 2026·13 min read

Two laws, one purchasing decision

For US K-12 districts, the two acronyms that matter most when evaluating an AI vendor are COPPA and FERPA. They overlap but cover different things, and a vendor can be technically COPPA-compliant while still failing a FERPA review. This post walks through both in plain English, then turns them into the questions you should ask before signing.

COPPA at a glance

The Children's Online Privacy Protection Act (1998, updated rule 2013, further updates pending) applies to operators of online services directed at children under 13, or that have actual knowledge they are collecting from under-13 users.

Key obligations:

  • Verifiable parental consent before collecting personal information.
  • Notice in clear language about what is collected, how it is used, and with whom it is shared.
  • Parental access — the right to review the child's information and have it deleted.
  • Data minimization — no more collection than reasonably necessary.
  • No conditioning — participation cannot be tied to collection of unnecessary data.

AI-specific implications:

  • Prompt text, voice clips, and images are personal information.
  • "Training on" defaults are not verifiable consent.
  • Persistent identifiers (cookies, device IDs) count.

FERPA at a glance

The Family Educational Rights and Privacy Act (1974) protects the privacy of student education records at any school that receives US Department of Education funding.

Key obligations:

  • Parental access to education records (transfers to students at 18).
  • Consent before disclosing personally identifiable information from records.
  • School official exception — vendors performing a service the school would otherwise perform can receive records without consent, *if* they are under direct control of the school and use the data only for the authorized purpose.
  • Directory information can be disclosed unless the parent opts out.

AI-specific implications:

  • Vendors processing graded work, attendance, behavior, or IEP data are almost always handling education records.
  • The vendor must accept the role of school official in writing.
  • Using student data to train a general-purpose model usually exceeds the "authorized purpose" — that is the most common FERPA failure mode in AI procurement.

Where they overlap and where they don't

  • Under-13 + education record → both apply.
  • Under-13 + consumer app, no school relationship → COPPA only.
  • 13+ student in a school deployment → FERPA applies; COPPA does not.
  • Teacher-only tool that ingests student data → FERPA applies even though no student touches it.

Buyer questions for AI vendors

Use these in your RFP or DPA review. A vendor that cannot answer them in writing is not ready for K-12.

  1. School-official designation. Will you accept the role of "school official" under FERPA and contractually limit use of student data to the authorized educational purpose?
  2. Training exclusion. Confirm in writing that student inputs and outputs are excluded from training of your foundation model and any fine-tuned model used to serve other customers.
  3. Retention. What is the retention window in days for prompts, outputs, and account metadata? What is the deletion SLA after a request?
  4. Sub-processors. Provide a current list with locations and the purpose of each.
  5. Parental access. What is the workflow for a parent to review, export, and delete their child's data?
  6. Incident response. What is the notification SLA for a confirmed breach, and to whom is it sent?
  7. Age gating. How is age verified, and what under-13 protections kick in?
  8. Audit rights. Will you provide an annual SOC 2 Type II or equivalent, and a current penetration-test letter?

Red flags in vendor responses

  • "We may use your data to improve our services" with no carve-out for student data.
  • Retention defined as "for as long as necessary" with no number of days.
  • No named DPO or privacy contact.
  • DPA is non-negotiable boilerplate that omits the school-official clause.
  • Sub-processor list is "available on request" but never actually delivered.

How SafeGradeAI helps

Every certified evaluation explicitly cites the COPPA and FERPA provisions evaluated and includes the language a district can lift into a board memo. School Pro reports include a redlined DPA template and a vendor-questionnaire spreadsheet.

#COPPA#FERPA#Legal

Continue reading

More articles from the SafeGradeAI editorial team.

By subscribing you agree to receive emails from SafeGradeAI. You can unsubscribe at any time.