AI in EdTech: FERPA, COPPA, and State Student Privacy Laws When Your App Adds AI Features
When your EdTech app adds AI tutoring, grading, or content generation, three regulatory layers apply at once: FERPA, COPPA's updated 2026 rule, and 100+ state student privacy laws restricting profiling and automated decision-making.
Your EdTech app was built for a world of quizzes, gradebooks, and learning management. Now you are bolting on an AI tutor that adapts to each student, an automated grading system that evaluates essays, or a content generator that produces personalized worksheets. Those features are powerful, and they are also a compliance minefield. The moment your app processes student data through an AI model, you trigger a thicket of federal and state privacy laws that most EdTech founders have never fully mapped.
Three regulatory layers apply simultaneously. FERPA governs how schools share student education records with vendors. COPPA governs how you collect and process data from children under 13, and the FTC's updated rule — with a compliance deadline of April 22, 2026 — raises the bar for AI features in child-directed apps. And beneath both sits a patchwork of over 100 state student privacy laws that restrict profiling, targeted advertising, and automated decision-making in ways that directly collide with how AI works. This guide walks through each layer and what your team needs to do before shipping AI features to schools.
FERPA: When It Applies to EdTech Vendors and the School Official Exception
FERPA — the Family Educational Rights and Privacy Act, codified at 20 U.S.C. § 1232g and 34 CFR Part 99 — protects the privacy of student education records. It applies to educational agencies and institutions that receive federal funding, which means virtually every public K-12 school and most colleges. FERPA does not directly regulate vendors. It regulates schools — but it controls how schools can share data with vendors, and that is where EdTech companies enter the picture.
Under FERPA, a school can disclose personally identifiable information from education records without parental consent to outside parties who constitute "school officials" with "legitimate educational interests." This is the school official exception, and it is the primary mechanism by which EdTech vendors receive student data. The Department of Education's regulations at 34 CFR § 99.31(a)(1) permit this disclosure when the outside party performs a service for which the school would otherwise use its own employees, the school maintains direct control over the use and maintenance of the records, and the school ensures the outside party uses the data only for the authorized purpose.
For AI features, each condition matters. If your AI tutor processes student records — names, grades, learning profiles, behavioral data — the school must have a contract with you that satisfies FERPA's "direct control" requirement. That contract needs to specify exactly how you will use the data, prohibit secondary uses, and include a data deletion requirement: when the contract ends, you must return or destroy the student data. The regulations at 34 CFR § 99.33 limit redisclosure — once you receive FERPA-protected data, you cannot share it with subprocessors unless they agree to the same restrictions, and you cannot use it for any purpose beyond what the school authorized.
The AI-specific tension is this: AI models learn from data. If your model is trained on student records the school shared with you under the school official exception, and that training persists after the contract ends, you have not truly "deleted" the data — it is baked into the model's weights. The Department of Education's FERPA guidance does not explicitly address model training, but the statute's deletion requirement is unambiguous. EdTech vendors deploying AI must be prepared to demonstrate that student data is not retained in model weights, or that any retained data has been sufficiently de-identified that it no longer constitutes an education record.
COPPA: Age-Gating, Consent, and the 2026 Rule Update
If your app is directed to children under 13 — or if you have actual knowledge that you are collecting data from children under 13 — COPPA applies. The FTC's Children's Online Privacy Protection Rule, codified at 16 CFR Part 312, requires operators to provide notice to parents, obtain verifiable parental consent before collecting personal information, and give parents the ability to review and delete their children's data. For EdTech apps deploying AI, every one of those obligations is triggered by common AI features.
An AI tutor collects the text a student types, processes it through a model, and generates a response. That collection is "personal information" under COPPA if it is linked to a child's identity — which it almost always is in a school context. Voice-based AI features collect voiceprints, which the updated COPPA Rule now expressly classifies as personal information. The FTC's amended rule, published April 22, 2025 and effective June 23, 2025, gives operators until April 22, 2026 to comply with several new requirements that directly affect AI-powered educational apps:
- Expanded definition of "personal information" — now includes biometric identifiers (fingerprints, voiceprints, facial templates, genetic data) and government-issued identifiers (state ID numbers, birth certificate numbers). If your AI feature uses voice recognition or facial detection, those data types are now squarely within COPPA's scope.
- Written information security program — operators must now establish and maintain a written data retention policy and implement a comprehensive information security program. For AI systems that process children's data, this means documenting how the model is secured, how long training data is retained, and what happens to model outputs.
- Separate consent for targeted advertising — the amended rule requires separate parental consent for targeted advertising to children, distinct from consent for other uses. If your AI system personalizes content in a way that could be classified as targeted advertising, you need a distinct consent flow.
- Enhanced notice requirements — operators must identify third-party recipients by name and category in their online notices and include data retention policies. Parents need to know not just that you collect data, but who you share it with and how long you keep it.
For mixed-audience apps — those used by both children under 13 and older students — the amended rule introduces a new definition of "mixed audience website or online service" that permits limited data collection before age determination, but only for narrow purposes (parental notice, responding to a child's request, protecting safety). You cannot use that data for AI model training during this pre-age-gating window.
The compliance deadline of April 22, 2026 is not advisory. The FTC has made children's privacy an enforcement priority, and the January 2025 Genshin Impact settlement — which included children's privacy violations alongside lootbox concerns — signals that the Commission will pursue companies that fail to obtain proper consent for data collection from minors, including data collected through AI-powered features.
The State Student Privacy Law Patchwork
Federal law sets the floor. State law sets the ceiling — and the ceiling varies dramatically depending on where your school customers are located. Over 100 state student privacy laws are now on the books, and several impose restrictions that directly affect AI features.
California SOPIPA
California's Student Online Personal Information Protection Act (SOPIPA), codified at Cal. Bus. & Prof. Code § 22584, prohibits operators of websites and online services designed for K-12 school purposes from engaging in targeted advertising to students or their parents, using student data to create a "behavioral profile" of a student for non-educational purposes, or selling student data. For AI features, the profiling restriction is the critical one: if your AI tutor builds an adaptive learning profile — which it must, to function — that profile is permissible only if it directly supports educational purposes. Using the same profile for marketing, product recommendations outside the educational context, or licensing to third parties for commercial purposes would violate SOPIPA.
Texas Education Code § 32.151 (House Bill 2087)
Texas's student privacy law — often called the Texas Student Privacy Act — was enacted as House Bill 2087 in 2017 and is codified at Texas Education Code Chapter 32, § 32.151. (Note: some summaries reference "SB 1784" as a student privacy bill, but that legislation actually concerns open educational resources, not student data privacy.) The Texas law applies to "operators" — providers of online platforms used for school purposes — and restricts how they handle "covered information," which includes student PII such as names, grades, test scores, and online activity.
Key provisions for AI vendors: operators cannot use covered information for targeted advertising, cannot create non-educational student profiles, and cannot sell or rent student data. The law also requires operators to maintain reasonable security measures and to delete student data when the contract with the school terminates. The Texas Attorney General can investigate violations and impose penalties. For AI systems, the profiling restriction mirrors SOPIPA's: adaptive learning profiles are permissible for educational personalization, but the same data cannot be repurposed for commercial profiling or marketing.
Other State Laws and the Automated Decision-Making Trend
Beyond California and Texas, states including New York, Colorado, Illinois, and Virginia have enacted student privacy legislation with varying restrictions on data use, retention, and sharing. A growing subset of these laws — and broader consumer privacy statutes like the Colorado Privacy Act and the California Consumer Privacy Act — restrict automated decision-making and profiling, particularly when it produces legal or similarly significant effects. AI grading tools that assign scores influencing student advancement, AI systems that track student behavior for disciplinary purposes, and AI recommendation engines that steer students toward particular courses or programs may all fall within these automated decision-making restrictions, depending on the jurisdiction and the stakes of the decision.
The practical challenge for EdTech vendors is that compliance is not a single checklist — it is a matrix. An AI feature that complies with FERPA and COPPA at the federal level may still violate a state law's profiling restriction, and a feature that passes in California may fail in a state with different definitions of "covered information" or "operator." The Student Privacy Pledge, a voluntary industry commitment endorsed by the Future of Privacy Forum and the Software & Information Industry Association, requires signatories to use student data only for educational purposes, prohibit targeted advertising, and provide security commitments — aligning with the most restrictive state laws. While the Pledge is not a legal safe harbor, it is a useful baseline that many school districts look for in vendor contracts.
Practical Compliance Steps for EdTech Founders Deploying AI
Before you ship an AI feature to a school, work through these steps. Each one addresses a specific regulatory layer, and skipping any of them creates exposure.
- Map your data flows — Document exactly what student data your AI feature collects, processes, and retains. Include model training data, inference inputs, and model outputs. If you cannot answer "what student data is in this model?" you cannot demonstrate FERPA compliance to a school's procurement team.
- Build data isolation into your architecture — Separate student data used for AI inference from data used for model training. If a school asks you to delete student data at contract termination, you need to be able to do so without affecting your base model. This may mean fine-tuning per-school or per-district rather than on a shared training corpus.
- Update your school contracts — Your data processing agreement with each school must specify the school official exception's requirements: the specific educational purpose, your use restrictions, your data security measures, and your deletion obligation. The contract should explicitly address whether and how student data may be used for AI model training.
- Implement COPPA-compliant consent flows — If your app is used by children under 13, ensure you have verifiable parental consent for the collection of personal information through AI features, including any biometric data. The updated COPPA Rule's April 22, 2026 compliance deadline means you should be building these flows now, not next quarter.
- Establish a written information security program — The updated COPPA Rule requires it, and school procurement teams increasingly demand evidence of it. Document how you secure student data in transit, at rest, and during model inference. If you use cloud-based AI APIs, your security program must cover the vendor's handling as well.
- Audit for state law compliance by jurisdiction — Identify the states where your school customers operate and map your AI features against each state's student privacy law. Pay particular attention to profiling restrictions, automated decision-making rules, and data retention limits. If you cannot comply with the most restrictive state where you operate, you may need to limit features by jurisdiction.
- Consider signing the Student Privacy Pledge — It signals to school buyers that you have committed to the highest common denominator of student data protection, and it forces your team to align practices with the most stringent state requirements rather than the federal floor.
For a broader framework on how to build internal AI governance policies — including vendor vetting, employee training, and regulatory compliance appendices — see our guide on building an AI use policy for 2026. And for the ethical obligations that apply when legal professionals themselves use AI tools in education law practice, our deep dive on AI ethics rules for lawyers covers the competence, confidentiality, and supervision duties that now apply.
Actionable Next Steps
Compliance is not a one-time audit — it is a design constraint that should be in your product roadmap before the first school pilot. Here is what we recommend doing before you deploy AI features in an educational context:
- Conduct a FERPA data flow audit before any school deployment. Document what student data enters your AI pipeline, where it is stored, how long it is retained, and whether it is used for model training. If the answer to that last question is yes, design a mechanism to exclude or de-identify that data on contract termination.
- Build COPPA consent flows that account for the updated rule's April 2026 deadline. If your app collects biometric data through AI features — voice, face, behavioral patterns — you need separate parental consent for that collection, and you need a written information security program documenting how it is protected.
- Map your AI features against state student privacy laws in every state where you have or plan to have school customers. The profiling and automated decision-making restrictions in California, Texas, and a growing number of other states will determine whether your AI tutor, grader, or content generator can ship as designed — or whether it needs to be rearchitected for specific jurisdictions.
- Update your vendor contracts and school data processing agreements to explicitly address AI model training, data retention, and deletion. School procurement teams are increasingly asking whether student data is used to train AI models, and "we'll figure it out" is not an answer that survives a compliance review.
- Engage counsel early — not after a school district's privacy officer flags your product for review. The cost of restructuring your AI architecture before launch is a fraction of the cost of doing it after a contract is signed and a school is waiting.
If your EdTech company is building AI features for schools, we can help you navigate FERPA, COPPA, and the state privacy law patchwork before you deploy — not after a compliance issue surfaces. Just as we help game studios navigate children's privacy enforcement, we work with EdTech founders on data privacy compliance, vendor contracts, and regulatory risk from the product design stage forward.
Building AI features for an EdTech app? Promise Legal helps EdTech companies navigate FERPA, COPPA, and state student privacy laws — from data flow design to vendor contracts to regulatory compliance review.