FERPA and COPPA: Student Data Privacy in K-12 and Libraries
Student data privacy is not one law — it is a stack. FERPA governs education records at all federally funded institutions. COPPA governs online data collection from children under 13. State privacy laws add additional layers. For E-Rate recipients, getting this right is both a federal compliance requirement and a trust obligation to the students and families they serve.
FERPA: Education Records and Who Can Access Them
The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g) has governed student education records since 1974. Any school or school district that receives federal funding — including E-Rate discounts — is subject to FERPA. Public libraries are generally not FERPA-covered entities, though library systems that share data with school systems may touch FERPA-governed records.
What Counts as an Education Record
FERPA defines education records broadly: any record directly related to a student and maintained by an educational agency or institution, or by a party acting for or on behalf of the institution. This includes grades and transcripts, disciplinary records, financial records (financial aid, free and reduced-price lunch applications), special education and Section 504 plans, attendance records, and, critically, data held by third-party vendors that are acting as school officials.
When a school district contracts with a student information system (SIS), a learning management system, or a managed service provider that processes student data, those vendor systems hold education records. FERPA follows the data — not just the institution’s own servers.
Parental Rights Under FERPA
Parents and guardians have the right to inspect and review their child’s education records, request amendment of records they believe are inaccurate, and provide written consent before the school discloses records to third parties. These rights transfer to the student when they turn 18 or enroll in a post-secondary institution.
The written consent requirement has important exceptions that govern day-to-day school operations. Schools may disclose records to school officials who have a legitimate educational interest, to other schools where the student is transferring, and to state and federal education authorities for audit and evaluation purposes — without parental consent. Directory information (name, grade level, participation in activities) can also be disclosed without consent after parents have been notified and given the opportunity to opt out.
Vendor Agreements and FERPA
The most common FERPA compliance gap in K-12 technology procurement is the vendor agreement. When a district deploys a cloud-based tool that processes student data, FERPA requires that the vendor be operating under school official authority — meaning a contract that limits the vendor’s use of student data to the educational purpose for which it was provided, prohibits re-disclosure without consent, and includes appropriate security obligations.
These requirements are typically captured in a Data Processing Addendum (DPA) or Student Data Privacy Agreement. Organizations such as the Student Data Privacy Consortium provide model agreement templates that districts can use as a baseline. The gap Armorstack consistently finds: districts have deployed dozens of ed-tech tools, many of which were adopted by individual teachers without district-level review, and a significant portion lack compliant data agreements.
COPPA: Children Under 13 and Online Data Collection
The Children’s Online Privacy Protection Act (15 U.S.C. §§ 6501-6506) applies to operators of websites and online services that collect personal information from children under 13. In the K-12 context, this means virtually every ed-tech platform that students use — Google Workspace for Education, Microsoft 365 for Education, learning management systems, reading platforms, math practice tools — is subject to COPPA when students under 13 are users.
The School Consent Exception
COPPA normally requires verifiable parental consent before collecting personal data from children under 13. The FTC’s COPPA Rule provides an exception: schools can provide consent on behalf of parents for ed-tech tools used for educational purposes. This exception is scoped narrowly. The school must review the service and determine that parental consent is appropriate. The vendor may only use the data for the educational purpose the school authorized — not for targeted advertising, building behavioral profiles, or any other commercial purpose.
The school consent exception does not grant vendors permission to use student data however they wish. It substitutes school judgment for parental judgment, which means the school accepts responsibility for vetting the vendor’s data practices before deployment.
What COPPA Prohibits
Vendors covered by COPPA cannot collect more personal information from children under 13 than is reasonably necessary for the service. They cannot condition participation on disclosing more data than necessary. They cannot retain data beyond the period needed for the educational purpose. And they cannot use student data for targeted advertising — a prohibition that several major ed-tech vendors have been investigated and fined for violating.
Districts should require any vendor serving students under 13 to confirm in writing that it complies with COPPA, does not use student data for advertising, and has a privacy policy that accurately describes its data collection practices.
State Student Data Privacy Laws
FERPA and COPPA establish federal floors. Many states have enacted additional student data privacy laws that impose requirements beyond what federal law requires. These vary significantly by state and are actively evolving — several states have passed new or amended legislation in each of the last five years.
Common elements in state laws include: explicit prohibitions on the sale of student data (beyond COPPA’s advertising restriction), requirements that vendor contracts include specific security provisions, breach notification obligations that go beyond what FERPA requires at the federal level, and data deletion requirements when a vendor contract ends.
For any district or library system operating across multiple states — including consortia and regional cooperative purchasing arrangements — the most restrictive applicable state law typically sets the de facto standard. Armorstack’s compliance review process accounts for state-level requirements and flags vendor agreements that do not meet applicable law.
How Student Data Privacy Connects to E-Rate and CIPA
The E-Rate program’s CIPA requirement creates a direct intersection with student data privacy. Content filtering systems generate detailed logs of student internet activity. These logs may constitute education records under FERPA. The monitoring obligation CIPA imposes must be balanced against the data minimization principles that FERPA and COPPA require.
Practically, this means the filtering and monitoring system must: limit data collection to what is necessary for CIPA compliance, protect the data with appropriate security controls, provide access only to school officials with a legitimate educational interest, and not retain data beyond what is needed. The vendor providing the filtering service must have a compliant data agreement in place.
For the full CIPA compliance framework, see our page on CIPA compliance for E-Rate recipients. For the cybersecurity controls that protect the systems holding student data, see our overview of K-12 cybersecurity.
The E-Rate application process itself also touches student data privacy — NSLP (National School Lunch Program) percentage data used to calculate discount levels is sensitive household economic information governed by applicable privacy laws. Armorstack handles this data under appropriate agreements throughout the Form 471 and funding request process.
Building a Student Data Privacy Program
A functional student data privacy program for a K-12 district has three operational components: a vendor inventory and review process, compliant data agreements, and ongoing monitoring of vendor practices.
The vendor inventory is typically the first surprise. When Armorstack conducts a data privacy review for a new district client, the number of third-party platforms processing student data is almost always larger than the technology director believed. Shadow ed-tech adoption — tools added by individual teachers without district IT review — is endemic in K-12 and creates FERPA and COPPA exposure the district does not know it has.
Armorstack’s CORE practice manages vendor agreement review, data processing addenda, and the ongoing monitoring that ensures vendors continue to comply with their contractual obligations. Our SENTRY practice provides the encryption, access controls, and monitoring that protect student data at the infrastructure level.
For districts beginning this work, our 90-day engagement establishes a baseline: vendor inventory, agreement gap analysis, and initial remediation priorities. Contact our team to begin. For the full E-Rate program context, return to the E-Rate hub.