Top AI Safety Standards for K-12 Education
A side-by-side look at COPPA, FERPA, GDPR-K, UK AADC, and ISTE — and how the SafeGradeAI rubric maps to each.
Why no single standard is enough
There is no one law or framework that covers AI in K-12 end-to-end. Strong school-side governance pulls from privacy law (COPPA, FERPA, GDPR-K), age-appropriate design (UK AADC), and pedagogical guidance (ISTE and emerging state AI guidance). The SafeGradeAI rubric is designed to map cleanly to all of them so a single evaluation can be defended against multiple regimes.
This post summarizes each standard in plain language and shows how our pillars line up.
COPPA — Children's Online Privacy Protection Act (US, under 13)
Scope: operators of online services directed at children under 13, or with actual knowledge they are collecting from under-13 users.
Core obligations: verifiable parental consent before collection, clear privacy notices, minimal data collection, parental right to review and delete, and prohibition on conditioning participation on more data than necessary.
AI-specific stress points: prompt logs are personal information. Voice and image inputs are personal information. "Training off" defaults are often not COPPA-grade consent.
Maps to SafeGradeAI: Data Privacy pillar (consent, retention, training exclusion) and Transparency pillar (notice quality).
FERPA — Family Educational Rights and Privacy Act (US, education records)
Scope: education records held by schools that receive federal funding. Covers grades, attendance, behavior records, IEPs, and most student work.
Core obligations: parental access, consent for disclosure, designation of "school officials" who may receive records under a legitimate educational interest, and directory-information rules.
AI-specific stress points: vendors processing graded work or behavioral data must accept the role of "school official." Cross-tenant model training is generally incompatible with FERPA.
Maps to SafeGradeAI: Data Privacy pillar (school-official designation, retention) and Transparency pillar (auditability).
GDPR-K — GDPR provisions for children (EU/EEA)
Scope: any service offered to children in the EU. Age of consent for data processing is 16, lowered by member state to as young as 13.
Core obligations: lawful basis for processing, data subject rights (access, rectification, erasure, portability), data minimization, and age-appropriate transparency.
AI-specific stress points: automated decision-making and profiling have additional safeguards. Children's data requires the highest care.
Maps to SafeGradeAI: Data Privacy and Transparency pillars; informs our Age-Appropriate Design weighting.
UK AADC — Age Appropriate Design Code (UK)
Scope: information society services likely to be accessed by children in the UK. 15 standards, including data minimization, default high-privacy settings, transparency, and protection against detrimental use.
AI-specific stress points: default settings, nudge techniques, profiling, and persuasive design patterns are all explicitly named.
Maps to SafeGradeAI: Age-Appropriate Design and Content Moderation pillars.
ISTE Standards for Educators and Students
Scope: pedagogical and digital-citizenship competencies, not a privacy regime.
Why it matters: anchors AI use to learning outcomes and to student agency. Helps districts move from "is it safe" to "is it worth using."
Maps to SafeGradeAI: informs our recommendation language and the parent/school notes on each evaluation.
Emerging US state guidance
California, Colorado, Virginia, New York, and others have issued or proposed AI-in-education guidance with overlapping but non-identical requirements. SafeGradeAI School Pro reports include the most cited state-specific clauses in the appendix.
How to use this in a procurement review
- Identify which regimes apply (student age, geography, data classes).
- Pull the SafeGradeAI report and confirm tier and pillar floors.
- Cross-check the vendor's DPA against the COPPA/FERPA clauses cited in the report.
- Document the decision with a one-page memo that names the standards considered.
That memo is what protects the district if a tool is later challenged.
Continue reading
More articles from the SafeGradeAI editorial team.
The Hidden Risks of Unverified AI Tools in Schools
Schools are adopting generative AI faster than they can vet it. Here are the five risk vectors administrators consistently underestimate, and how the SafeGradeAI rubric surfaces them.
How Parents Can Evaluate AI Apps Safely
A practical at-home checklist parents can run in 10 minutes before letting their child use a new AI assistant, tutor, or companion app.
AI Policy Frameworks Every School District Should Have
The four governance documents your district needs before the next school year, with a starter template structure for each.
What COPPA and FERPA Mean for AI Platforms
A plain-English walkthrough of the two US laws that govern student data, what they require of AI Vendors, and the questions districts should ask before buying.