Technology is a cornerstone of children’s education. In a typical school day, they'll log onto e-learning platforms, take quizzes on tablets and submit homework through apps. And each of these interactions generates data.
To protect children under 13, federal laws regulate how their data is collected online and how it can be used. One key law, the Children’s Online Privacy Protection Act (COPPA), requires parental consent before collecting personal information from young users. Schools and educational institutions can face fines of over $40,000 for each violation, underscoring the importance of compliance.
To help your organization meet legal obligations, this guide covers COPPA’s core requirements, including which data triggers obligations and how to obtain parental consent before collecting information, so you remain audit ready.
Table of Contents
- What is COPPA?
- Why COPPA compliance is important
- Who needs to be COPPA compliant?
- Five steps for complying with COPPA
- Tools and resources for managing children's personal information
- COPPA compliance checklist
- Frequently Asked Questions (FAQs)
What is COPPA?
COPPA is an online privacy protection act that places parents in control of what personal information gets collected from children under 13.
The law applies to businesses, commercial websites and online services, including mobile apps, digital platforms and the Internet of Things (IoT), that either target children or knowingly collect data from them. The IoT refers to gadgets like smart home devices, wearables, some toys and other connected items that contain sensors, software and internet access that let them gather and exchange information.
Congress passed COPPA in 1998, and the Federal Trade Commission (FTC) started enforcing it in 2000. Since then, lawmakers have updated it twice to keep pace with the way technology collects data from children.
A 2013 update expanded what counts as a child’s personal information. Before that, the law mainly covered names, addresses and social security numbers. After 2013, it added geolocation data, photos, videos and audio recordings — the kind of information smartphones and tablets routinely collect.
A 2025 update went further. Now, COPPA covers biometric identifiers like voiceprints and facial recognition data. It also covers additional government-issued identifiers like passport numbers, state ID numbers and birth certificate numbers, with compliance required by April 2026.
FERPA and COPPA
In addition to COPPA, schools deal with other, overlapping privacy laws. FERPA protects the privacy of student education records, like grades, disciplinary files and enrollment information. In comparison, COPPA controls online data collection. If your district rolls out AI tools, COPPA guides what data you’re allowed to gather and sets rules for how service providers you work with can use or sell that information. For example, when kids use an AI tutoring site or turn in their homework through an online platform, COPPA sets the rules on what information these tools are allowed to gather and explains that they need to get parental permission. These two separate pieces of legislation have different triggers, but educational institutions need to comply with both of them.
Why COPPA compliance is important

Children don't always understand what happens when they share personal information online. That makes them vulnerable. Data breaches have affected 1.7 million US children, and identity theft targeting minors has jumped 40% since 2021.
COPPA requires businesses to obtain parental consent before collecting data from children under 13, and it sets out specific rules for how that data gets used. For example, since the 2025 update, third-party service providers can’t assume consent for using information to advertise to your students; they must ask parents explicitly and document every decision.
The FTC can fine organizations $43,280 per violation, and each piece of improperly collected information counts as a separate violation. A school using multiple platforms to serve hundreds of students can rack up substantial fines quickly. Beyond financial penalties, COPPA violations also damage a school’s reputation. Parents lose trust and schools face public scrutiny.
Who needs to be COPPA compliant?
COPPA applies to three types of operators:
- US-based operators of apps, websites or online services directed to children under 13.
- International companies whose child-directed services reach US users.
- Any platform that knowingly collects personal information from children under 13.
The FTC looks at multiple factors when deciding what qualifies as a child-directed site or service.
The conditions include:
- Is the content designed for kids?
- What do your marketing materials say about the intended audience?
- Do similar services attract children?
- What are users saying in reviews?
- Are there public statements about who should use your service?
Schools get extra attention here. Educational institutions routinely use online services that collect student data, such as learning management systems, educational apps and cloud-based collaboration tools. When a school puts these tools in front of students under 13, it becomes responsible for COPPA compliance. That responsibility includes oversight of third-party vendors that process student data.
Five steps for complying with COPPA
1. Publish a COPPA-compliant privacy policy
Write your privacy policy so parents can understand it, with no legal jargon. Make sure to cover:
- What personal information you collect from children.
- What you do with that information.
- Who else sees it and why.
- How parents can review and delete information or stop you from collecting their child's data.
The 2025 amendments made data policy requirements more detailed. For example, you now need to name the third parties that get children's data and explain what kind of companies they are. Using cookies or device IDs? Explain why. Recording children's voices? Describe how you use those audio files and confirm you delete them as soon as you're finished with them.

2. Notify parents
Before collecting data from a child, send parents a direct notice. Clearly explain what information you will collect, how it will be used or disclosed, and list any third parties who may access it, along with the reasons for sharing.
Make it clear that parents can consent to internal data use without agreeing to share their child’s information with outside companies unless sharing is essential for your service to function.
3. Obtain verifiable parental consent
"Verifiable" means you've confirmed you're dealing with a parent or guardian, not the child or an unrelated adult. The 2025 amendments provide more ways to verify parents’ identities, including:
- Signed forms (paper or digital).
- Credit card confirmation.
- Video calls.
- Security questions a child couldn't answer.
- Photo ID from the government.
- Text message plus a follow-up call or letter.
Schools get an exception. They can consent on the parent’s or carer’s behalf when it comes to educational tools, but they need documentation showing which services students use and why those services are educationally necessary.
4. Honor parents' data requests
Parents can ask what you've collected about their child. They can also demand you delete it and tell you to stop collecting data. To meet COPPA compliance, you need to respond directly within 45 calendar days when these requests arrive.
5. Ensure data protection
The 2025 COPPA amendments added something new: a written security program specifically for children's information.
Your program needs these elements:
- Protections matched to how sensitive the data is.
- Someone responsible for running the program.
- Risk assessments covering internal and external threats.
- Safeguards that address those risks.
- Regular testing to verify the safeguards work.
- Annual reviews and updates.
Match your security program to your organization's size and operations. A small after-school club using one app needs different protections than a school district managing dozens of platforms. But both need secure storage, access controls, encryption where it makes sense and regular security checks.
The 2025 amendments also addressed data retention. Your school, and AI vendors who have access to protected information, can't hold on to children's information governed by COPPA indefinitely. For example, student assignments should be retained only as long as necessary for educational and administrative purposes. In addition, make sure to check how long a vendor retains student information after your district stops working with them. Ideally, they delete data as soon as the contract is over, but some vendors might need up to 30-60 days to complete the process.
How a document management system (DMS) supports COPPA compliance
Document management software enables schools and organizations to meet these needs by providing secure storage, customizable access controls, automated retention schedules and comprehensive audit trails. For instance, solutions like DocuWare support the creation of tamper-proof logs that record every action and event linked to each user and document, resulting in a complete, time-stamped record.
The features referenced above make it easier for schools to maintain robust oversight of sensitive student data and to provide reliable documentation for audits or reviews. DocuWare can be configured to enable organizations to meet the recordkeeping and security requirements outlined by regulations such as FERPA and COPPA.
What to look for in document management software
- Can it route consent forms to the right approvers automatically?
- Does it track who accessed records and when they did it?
- Will it remind you when data needs to be deleted?
- Can you control who sees sensitive information and who can edit it?
- Does it connect to the student information systems you already use?
- Does it provide 256-bit AES encryption?
- Is it SOC 2 certified?
Tools and resources for managing children's personal information
Further resources for COPPA guidance
The FTC has resources worth reading, including:
- Complying with COPPA: Frequently Asked Questions provides detailed guidance on specific compliance scenarios.
- The full COPPA Rule text includes all regulatory requirements and amendments.
DocuWare’s blog post on understanding FERPA compliance outlines how privacy regulations overlap in educational settings.
COPPA Safe Harbor programs
Safe Harbor programs let industry groups create their own compliance guidelines, but the FTC has to approve them first. If your organization joins an approved program and follows its rules, you’ll deal with the program's discipline process instead of direct FTC enforcement if violations occur.
FTC-approved programs include:
Joining means audits of your privacy policies and practices, ongoing monitoring and annual reviews. The 2025 amendments have added more requirements: programs now publish their member lists and report disciplinary actions to the FTC. They also have to update the FTC on their technological capabilities.
COPPA compliance checklist
Educational institutions and service providers face growing complexity. Each new platform creates additional consent requirements, vendor oversight obligations, and data retention responsibilities that must be tracked carefully.
Here's what your organization needs to do:
Write a privacy policy parents can understand. Send them direct notice before you collect data from their children.
Get parental consent before collecting personal information. When parents ask to see or delete their child's data, follow their request.
Create a written security program and test it regularly.
Monitor your third-party vendors. If they're processing student data for you, they need to follow COPPA too.
Keep your documentation organized. When auditors ask questions, you need answers.
Review your policies every year. The FTC updates guidance as technology changes, so it’s vital to keep pace with current legislation.
If your organization collects information from children, a document management system will help you stay on track. DocuWare handles the centralized records, automated workflows, and audit trails that COPPA and FERPA require.
Frequently Asked Questions (FAQs)
What is COPPA compliance?
Meeting COPPA compliance means telling parents what data you're collecting and obtaining parental consent before you collect it. Minimize what you gather — don't collect more than necessary — and delete it when you don't need it anymore.
Who does COPPA apply to?
COPPA covers operators of websites, apps, online services, and IoT devices aimed at children under 13. It applies when you're collecting data from this age group, even if you didn't design your service for them. Schools fall under COPPA when they use platforms that collect student data from children under 13.
Where can I find information about COPPA?
The FTC publishes comprehensive guidance on COPPA regulations. Their website has detailed resources, and you can order printed copies from the FTC's bulk order site.
What are COPPA compliance penalties?
The FTC charges $43,280 per violation. Each piece of data you collect improperly counts as one violation. That can add up to millions of dollars for organizations collecting data from many children across multiple platforms.
Beyond fines, you risk lawsuits, damaged reputation, and regulatory orders forcing you to change how you operate. In severe cases, individuals responsible for violations can face criminal charges.
How can schools maintain COPPA compliance?
Schools need written privacy policies and documents outlining every instance of parental consent. It’s also important to run regular security audits and set schedules for when data gets deleted. Use a document management system like DocuWare to keep everything organized.
Don't forget vendor contracts, either. When a third party processes student data for you, you're still on the hook for COPPA compliance, so review agreements regularly.
The information in this blog post is intended for educational purposes only. If you have specific questions, consult your compliance officer, legal department or outside counsel.