SafeGradeAI
EdTech Reviews

Top AI Safety Standards for K-12 Education

A side-by-side look at COPPA, FERPA, GDPR-K, UK AADC, and ISTE — and how the SafeGradeAI rubric maps to each.

S
SafeGradeAI Editorial Team
Research & Policy
·March 10, 2026·Updated May 23, 2026·16 min read

Why no single standard is enough

There is no one law or framework that covers AI in K-12 end-to-end. Strong school-side governance pulls from privacy law (COPPA, FERPA, GDPR-K), age-appropriate design (UK AADC), and pedagogical guidance (ISTE and emerging state AI guidance). The SafeGradeAI rubric is designed to map cleanly to all of them so a single evaluation can be defended against multiple regimes.

This post summarizes each standard in plain language and shows how our pillars line up.

COPPA — Children's Online Privacy Protection Act (US, under 13)

Scope: operators of online services directed at children under 13, or with actual knowledge they are collecting from under-13 users.

Core obligations: verifiable parental consent before collection, clear privacy notices, minimal data collection, parental right to review and delete, and prohibition on conditioning participation on more data than necessary.

AI-specific stress points: prompt logs are personal information. Voice and image inputs are personal information. "Training off" defaults are often not COPPA-grade consent.

Maps to SafeGradeAI: Data Privacy pillar (consent, retention, training exclusion) and Transparency pillar (notice quality).

FERPA — Family Educational Rights and Privacy Act (US, education records)

Scope: education records held by schools that receive federal funding. Covers grades, attendance, behavior records, IEPs, and most student work.

Core obligations: parental access, consent for disclosure, designation of "school officials" who may receive records under a legitimate educational interest, and directory-information rules.

AI-specific stress points: vendors processing graded work or behavioral data must accept the role of "school official." Cross-tenant model training is generally incompatible with FERPA.

Maps to SafeGradeAI: Data Privacy pillar (school-official designation, retention) and Transparency pillar (auditability).

GDPR-K — GDPR provisions for children (EU/EEA)

Scope: any service offered to children in the EU. Age of consent for data processing is 16, lowered by member state to as young as 13.

Core obligations: lawful basis for processing, data subject rights (access, rectification, erasure, portability), data minimization, and age-appropriate transparency.

AI-specific stress points: automated decision-making and profiling have additional safeguards. Children's data requires the highest care.

Maps to SafeGradeAI: Data Privacy and Transparency pillars; informs our Age-Appropriate Design weighting.

UK AADC — Age Appropriate Design Code (UK)

Scope: information society services likely to be accessed by children in the UK. 15 standards, including data minimization, default high-privacy settings, transparency, and protection against detrimental use.

AI-specific stress points: default settings, nudge techniques, profiling, and persuasive design patterns are all explicitly named.

Maps to SafeGradeAI: Age-Appropriate Design and Content Moderation pillars.

ISTE Standards for Educators and Students

Scope: pedagogical and digital-citizenship competencies, not a privacy regime.

Why it matters: anchors AI use to learning outcomes and to student agency. Helps districts move from "is it safe" to "is it worth using."

Maps to SafeGradeAI: informs our recommendation language and the parent/school notes on each evaluation.

Emerging US state guidance

California, Colorado, Virginia, New York, and others have issued or proposed AI-in-education guidance with overlapping but non-identical requirements. SafeGradeAI School Pro reports include the most cited state-specific clauses in the appendix.

How to use this in a procurement review

  1. Identify which regimes apply (student age, geography, data classes).
  2. Pull the SafeGradeAI report and confirm tier and pillar floors.
  3. Cross-check the vendor's DPA against the COPPA/FERPA clauses cited in the report.
  4. Document the decision with a one-page memo that names the standards considered.

That memo is what protects the district if a tool is later challenged.

#COPPA#FERPA#Standards

Continue reading

More articles from the SafeGradeAI editorial team.

By subscribing you agree to receive emails from SafeGradeAI. You can unsubscribe at any time.