Compliance Guides | March 29, 2026 | 10 min read

FERPA vs COPPA Compliance: A Practical Guide to Student Data Privacy in 2026

Why FERPA and COPPA Compliance Both Matter Now

If your organization handles student data — whether you are a school, a school district, an EdTech company, or a third-party vendor — you face a growing compliance challenge. Two federal laws govern student and children’s data privacy: the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA). They overlap but are not interchangeable, and violating one is not excused by complying with the other.

The urgency is real. In March 2026, CalPrivacy (the California Privacy Protection Agency) issued a $1.1 million fine against PlayOn Sports — a digital ticketing platform used by about 1,400 California schools — for requiring students to consent to tracking before accessing event tickets, then using that data for targeted advertising. This was the first CPPA enforcement action specifically addressing student privacy, and it signals a new era of enforcement at the intersection of children’s privacy, education, and state consumer privacy laws.

On top of that, the FTC’s updated COPPA Rule takes effect April 22, 2026, with stricter consent requirements, new data retention limits, and expanded definitions of personal information. See our COPPA Compliance Guide for a full breakdown of the new rule.

This guide compares FERPA and COPPA, explains where they overlap and diverge, and addresses the third compliance layer: state privacy laws that increasingly apply to educational contexts.

FERPA: Protecting Education Records

FERPA is a federal law that protects the privacy of student education records. It applies to all schools and educational agencies that receive federal funding — which includes virtually every public K–12 school and most colleges and universities in the United States.

Key FERPA Requirements

  • Parental rights — Parents have the right to inspect and review their child’s education records, request corrections, and consent to disclosures of personally identifiable information (PII). These rights transfer to the student at age 18 or upon enrollment in postsecondary education.
  • Consent before disclosure — Schools generally must obtain written parental consent before disclosing PII from education records to third parties.
  • School official exception — Schools may share records with “school officials” who have a “legitimate educational interest.” This exception is how EdTech vendors typically access student data — the school designates them as school officials through a contract or policy.
  • Directory information — Schools can designate certain data as “directory information” (name, grade level, participation in activities) and share it without consent, provided parents are given the opportunity to opt out.

FERPA Enforcement

FERPA is enforced by the U.S. Department of Education’s Student Privacy Policy Office (SPPO). The penalty for violations is loss of federal funding — a severe but rarely imposed sanction. FERPA does not provide a private right of action, meaning individuals cannot sue for FERPA violations in court.

COPPA: Protecting Children Under 13 Online

COPPA is a federal law enforced by the FTC that regulates how operators of websites and online services collect personal information from children under 13. Unlike FERPA, COPPA is not limited to educational contexts — it applies to any online service directed at children or that knowingly collects data from children under 13.

Key COPPA Requirements

  • Verifiable parental consent — Operators must obtain verifiable parental consent before collecting, using, or disclosing a child’s personal information. The 2026 COPPA Rule amendments now require separate consent for third-party sharing and advertising.
  • Privacy notice — Operators must post a clear, comprehensive privacy notice on their site describing their data practices for children’s data.
  • Data minimization — Operators cannot condition a child’s participation in an activity on the child providing more personal information than is reasonably necessary.
  • Data retention limits (new in 2026) — Operators must establish a written data retention policy, retain children’s data only as long as necessary, and then delete it.
  • Data security — Operators must maintain reasonable procedures to protect the confidentiality, security, and integrity of children’s personal information.

COPPA Enforcement

The FTC enforces COPPA with civil penalties of up to $53,088 per violation (2026 amount, adjusted annually for inflation). State attorneys general can also bring COPPA enforcement actions. Recent FTC settlements have ranged from tens of thousands to hundreds of millions of dollars — the 2019 YouTube/Google settlement was $170 million.

FERPA vs COPPA: Key Differences

Dimension | FERPA | COPPA
Scope | Education records at federally funded schools | Online services directed at or knowingly collecting data from children under 13
Who it applies to | Schools and educational agencies | Website/app operators (including EdTech vendors)
Age threshold | All students (rights transfer at 18) | Children under 13 only
Consent requirement | Written parental consent for disclosure (with exceptions) | Verifiable parental consent for collection (limited exceptions)
Enforcer | U.S. Department of Education | FTC and state attorneys general
Penalties | Loss of federal funding (rarely imposed) | Civil fines up to $53,088 per violation
Private right of action | No | No
Data retention rules | Schools must maintain records but no deletion mandate | Must delete data when no longer necessary (2026 rule)

Where FERPA and COPPA Overlap

The critical overlap occurs when an online service used in a school setting collects personal information from students under 13. In this scenario, both laws may apply simultaneously:

  • The school is bound by FERPA and must ensure its vendors protect student records
  • The vendor (EdTech company, digital ticketing platform, learning management system) may be bound by COPPA if it collects data from children under 13

The FTC has clarified that schools can consent to the collection of student data on behalf of parents under COPPA — but only when the data is used for a school-authorized educational purpose. If the vendor uses student data for commercial purposes (such as advertising, profiling, or selling data to third parties), the school’s consent is not valid under COPPA, and the vendor must obtain direct parental consent.

This is exactly the scenario in the PlayOn Sports case: the platform was used by schools for event ticketing (a school-authorized purpose), but PlayOn deployed tracking technologies to serve targeted ads to ticketholders. Because the advertising use went beyond the school-authorized purpose, the COPPA consent exception did not apply — and CalPrivacy imposed a $1.1 million fine under the CCPA.

The Third Layer: State Privacy Laws

Beyond FERPA and COPPA, EdTech companies and school vendors now face a growing patchwork of state comprehensive privacy laws. As of 2026, 21 states have enacted consumer data privacy laws, and many specifically address children’s and student data:

  • California (CCPA/CPRA) — Prohibits processing data of consumers under 16 for targeted advertising without opt-in consent. The CalPrivacy enforcement against PlayOn demonstrates that state enforcement agencies will pursue EdTech companies.
  • Connecticut (CTDPA) — Requires consent before processing data of children under 13 for targeted advertising. The 2026 SB 4 amendments strengthen children’s protections.
  • Maryland (MODPA) — Bans the sale of sensitive data entirely, including data of minors. Enforcement began April 1, 2026.
  • Oregon — Prohibits processing data of children under 13 without consent, with no cure period since January 2026.
  • Texas (TDPSA) — Requires opt-in consent for processing data of children under 13 for targeted advertising.

Additionally, many states have enacted student-specific privacy laws (separate from their comprehensive privacy laws) that restrict how student data can be used by EdTech vendors. California’s Student Online Personal Information Protection Act (SOPIPA), for example, prohibits EdTech vendors from using student data for non-educational advertising purposes.

Use our Privacy Law Calculator to check which state privacy laws apply to your organization based on your user counts and revenue.

Compliance Checklist: Navigating FERPA, COPPA, and State Laws Together

If your organization handles student data or data from children under 13 in an educational context, use this checklist to assess your compliance posture across all three layers:

1. Determine Which Laws Apply

  • Does your organization receive federal education funding? → FERPA applies
  • Does your online service collect data from children under 13? → COPPA applies
  • Do you have users in states with comprehensive privacy laws? → Check each state. Use the Privacy Law Calculator
  • Are you an EdTech vendor contracting with schools? → Likely subject to FERPA (as a school official), COPPA, and applicable state laws simultaneously

2. Map Your Data Flows

  • What personal information do you collect from students and children?
  • How is it used? Distinguish educational purposes from commercial purposes (advertising, analytics, profiling)
  • Who receives the data? Identify all third-party recipients — ad networks, analytics providers, data brokers
  • Under the 2026 COPPA Rule, you must identify every third party by name in your direct notice to parents

3. Implement Proper Consent Mechanisms

  • For FERPA: obtain written consent from parents before disclosing student records, or ensure the school official exception applies with a proper contract
  • For COPPA: obtain verifiable parental consent before collecting children’s data. Schools can consent on behalf of parents only for school-authorized educational purposes
  • For COPPA (2026 rule): obtain separate consent for third-party sharing and advertising — bundled consent no longer works
  • For state laws: check whether each applicable state requires opt-in consent for processing children’s data for advertising. Most do.

4. Establish Data Retention and Deletion Policies

  • Under the 2026 COPPA Rule, you must have a written data retention policy specifying how long you keep children’s data and when it is deleted
  • State privacy laws grant consumers (including parents on behalf of children) the right to deletion
  • See our Data Retention Policy Guide for building a compliant retention schedule

5. Review Vendor Contracts

  • If you are a school: ensure your EdTech vendor contracts include FERPA-compliant provisions designating the vendor as a school official, limiting data use to educational purposes, and requiring data deletion after the contract ends
  • If you are a vendor: ensure your contracts with schools clearly define permitted data uses and comply with the data processing agreement requirements of applicable state laws
  • The Tractor Supply and PlayOn enforcement cases both involved inadequate vendor contracts — regulators are checking this

6. Prohibit Advertising Use of Student Data

  • Do NOT use student data collected under a school contract for targeted advertising, profiling, or any commercial purpose beyond the educational service
  • Do NOT deploy tracking technologies (cookies, pixels, fingerprinting) on educational platforms without proper consent
  • If your platform serves both educational and commercial users, implement technical controls to separate these data streams
  • This was the core violation in the PlayOn case — using school-authorized data for advertising without proper opt-out mechanisms

Lessons From the PlayOn Sports Enforcement

The March 2026 CalPrivacy enforcement against PlayOn Sports is a blueprint for future cases at the intersection of education and consumer privacy. Key takeaways:

  1. School authorization does not cover advertising — A school’s agreement to use your platform does not constitute consent for you to use student data for advertising. The COPPA school consent exception is narrowly limited to educational purposes.
  2. Opt-out friction is enforcement bait — PlayOn directed users to third-party ad industry opt-out tools instead of providing its own opt-out mechanism. CalPrivacy and dark pattern enforcement trends make clear that businesses must operate their own, easy-to-use opt-out.
  3. State AGs will enforce even where the FTC does not — The PlayOn case was brought under the CCPA, not COPPA. State privacy laws give additional enforcers the power to pursue student privacy violations that might otherwise fall through federal enforcement gaps.
  4. Student privacy is a multiplier — Violations involving children and students attract higher scrutiny, larger fines, and more public attention. The $1.1 million fine was significant for a company of PlayOn’s size.

For a detailed analysis of the PlayOn case, see our PlayOn Sports CCPA Fine guide.

What To Do Before April 22, 2026

With the updated COPPA Rule compliance deadline less than a month away, EdTech companies and school vendors should prioritize these actions:

  1. Audit third-party data sharing — Identify every third party receiving children’s data and prepare to obtain separate consent for each
  2. Update your privacy notice — Ensure it identifies third-party recipients by name and category, describes data retention periods, and explains the new separate consent requirements
  3. Implement a data retention policy — Create a written policy specifying retention periods and deletion procedures for children’s data
  4. Review consent flows — Ensure your consent mechanism collects separate consent for third-party sharing vs. data collection. Use our Cookie Consent Checker to verify your current approach
  5. Disable advertising tracking on educational services — If you cannot obtain proper consent, disable all advertising-related tracking on platforms used by students

Frequently Asked Questions

Does FERPA apply to EdTech companies?

Not directly. FERPA applies to schools and educational agencies that receive federal funding. However, EdTech companies become subject to FERPA requirements when a school designates them as “school officials” under a contract. In that role, the vendor must use student data only for the school-authorized educational purpose and comply with the school’s FERPA obligations. If the vendor uses data for commercial purposes, it violates the terms of the school official designation.

Can schools consent to COPPA on behalf of parents?

Yes, but only for school-authorized educational purposes. The FTC has clarified that schools can act as agents for parents under COPPA when an online service is used for a legitimate educational purpose. This consent does NOT extend to commercial uses such as advertising, profiling, or selling data. If a vendor uses student data for any non-educational commercial purpose, it must obtain direct verifiable parental consent.

What is the penalty for violating both FERPA and COPPA?

The penalties differ. FERPA violations can result in loss of federal funding for the school. COPPA violations can result in FTC civil penalties of up to $53,088 per violation. In practice, COPPA fines have reached into millions of dollars for large-scale violations. Additionally, state privacy law violations add another layer — CalPrivacy’s $1.1 million PlayOn fine demonstrates that state-level fines for student privacy violations are significant and growing.

Do state privacy laws apply to student data?

Yes. Most state comprehensive privacy laws apply to student data unless it falls within the FERPA exemption. The FERPA data exemption in state laws (similar to HIPAA and GLBA exemptions) typically applies only to education records maintained by a FERPA-covered school or its designated school officials. Data collected by an EdTech company outside the FERPA framework is subject to state privacy laws. Check our state comparison tool to see how each state handles educational data exemptions.

Is the CCPA FERPA exemption the same as the COPPA exemption?

No. The CCPA exempts FERPA-protected education records at the data level — meaning those specific records are excluded from CCPA requirements. Separately, COPPA compliance does not exempt a company from the CCPA. The PlayOn case illustrates this: even though FERPA may have governed some of the student data in the school context, the advertising-related data collection fell outside both the FERPA framework and any CCPA exemption, making it subject to CalPrivacy enforcement.

Last updated: March 29, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.