Drafting Direct Notice Under COPPA: What EdTech Operators Need in Their Disclosure
COPPA requires a direct notice separate from your privacy policy — two documents with two different legal functions. Here's what EdTech operators must include, from the statutory checklist to the 2025 amendments.
What Direct Notice Is and Why It's Different from Your Privacy Policy
16 CFR 312.4 establishes two legally distinct documents for operators subject to COPPA: a privacy policy posted on your platform, and a direct notice delivered to parents before collecting any personal information from a child under 13. These are not the same instrument serving the same function. The privacy policy is a public-facing disclosure of your general data practices. The direct notice is a targeted, pre-collection communication to the specific parent whose child's data you are about to collect — and it must meet its own content requirements under the rule.
Conflating the two is not a technicality the FTC overlooks. In the FTC's 2023 action against Edmodo, the agency treated the operator's reliance on its privacy policy as a substitute for a proper direct notice as a standalone violation — separate from any underlying data-handling failures. Edmodo's privacy policy existed and was accessible; that was irrelevant. The FTC's theory was that the direct notice obligation creates an independent duty that a posted policy cannot discharge, no matter how comprehensive it is.
The financial exposure attached to that distinction is significant. Current FTC civil penalty authority under COPPA runs to $53,088 per violation per day. For an EdTech platform with hundreds of thousands of student users, a systemic failure to provide proper direct notice may produce separate violations for each affected child — an exposure that compounds at scale. Understanding what the direct notice must actually contain, and why it cannot simply point parents to your privacy policy, is the starting point for building a defensible COPPA compliance program.
Which EdTech Operators Must Provide Direct Notice
16 CFR 312.4 imposes direct notice obligations on three distinct operator categories, each with its own trigger point. Operators of services directed to children must provide notice before collecting any personal information. General-audience operators face the requirement the moment they gain actual knowledge that a specific user is under 13. Mixed-audience operators — platforms that offer child-directed portions alongside general content — must treat the child-directed segments as fully subject to COPPA regardless of how the rest of the service is structured.
The "directed to children" classification is the category most EdTech operators misjudge. Under 16 CFR 312.2 and the 2025 COPPA amendments, the FTC applies a multi-factor test that goes well beyond content subject matter. Animated characters, visually child-appealing design, marketing to schools or families, or positioning a product in educational app stores can each weigh toward classification — independently of whether the platform's core functionality is "for kids." An EdTech operator that pitches its product to district procurement offices and uses bright, gamified UI cannot credibly claim it had no reason to expect child users.
Schools can stand in for parents under the school authorization exception at 16 CFR 312.4(c), but the exception is narrower than operators commonly assume. A school or LEA may authorize data collection only for legitimate educational purposes within the school context. The authorization does not extend to commercial data uses, behavioral advertising, or any data processing that benefits the operator outside the educational relationship.
What the Direct Notice Must Contain
16 CFR 312.4(b) sets the statutory floor for the direct notice's content. At minimum, the notice must identify the operator (name and contact information), specify the types of personal information collected, explain how that information will be used, disclose whether and to whom it will be shared with third parties, and describe the rights parents hold — including the right to review, refuse further collection, and request deletion. Missing any single element is a facial violation; operators cannot cure a structurally deficient notice by pointing to a comprehensive privacy policy elsewhere.
The definition of "personal information" reaches further than most operators assume. 16 CFR 312.2 extends coverage beyond name and email to passive collection: cookies, device identifiers, IP addresses, geolocation data, and behavioral tracking all qualify. EdTech platforms that draft notices limited to account registration fields — and say nothing about the session analytics, fingerprinting, or location services running in the background — are leaving their largest exposure unaddressed.
The FTC's 2025 COPPA amendments added two disclosure requirements that did not exist before: operators must now name the specific third parties receiving children's data (not just acknowledge that sharing occurs), and must state a concrete data retention policy. Any direct notice drafted before April 22, 2026 is facially deficient on both counts. The rule change does not grandfather existing notices — operators need to audit and reissue.
Consent Mechanics: What Changed on April 22, 2026
The FTC's 2025 COPPA Final Rule took effect on April 22, 2026, with no grace period. Operators who had not updated their direct notices and consent flows by that date were out of compliance the following morning. The FTC has identified the new requirements as an enforcement priority, which means the question is not whether scrutiny is coming — it is which platform draws the first action.
The most operationally disruptive change is the unbundled consent requirement. Operators can no longer fold COPPA-required parental consent into a general terms of service acceptance flow. Bundling consent — even if the parental authorization language appeared somewhere in a longer agreement — is now an independent violation ground. EdTech platforms that present parents with a single "I agree to the Terms of Service and Privacy Policy" checkbox need to restructure that flow before collecting any personal information from child users.
The 2025 Rule also expanded the permitted methods for obtaining verifiable parental consent to include electronic ID verification and video or audio verification. Operators must document which verification method was used for each consent obtained — a recordkeeping obligation that requires backend changes, not just updated disclosure language.
One expansion deserves specific attention for EdTech products: biometric identifiers, including voice prints and facial geometry, are now explicitly personal information under COPPA. Any platform using voice assistants, speech-to-text features, or facial recognition must obtain verifiable parental consent before collection begins — and the direct notice must disclose that collection. Products that went live before April 22 with those features active are collecting biometric data without a compliant consent basis.
Building a Compliant Direct Notice: What to Audit Before You Ship
The FTC's $6 million settlement against Edmodo — the largest COPPA enforcement action against an EdTech company to date — signals that regulators treat notice failures as material violations, not paperwork technicalities. Before any COPPA-covered feature ships, operators need a structured pre-publication audit against the full statutory standard.
16 CFR § 312.4 and the 2025 amendments define eight discrete checkpoints that a compliant direct notice must satisfy:
No single element dominates — regulators assess the notice as a whole. An operator who names third parties but buries passive collection disclosures, or who uses unbundled consent but fails to document the verification method, remains exposed. The April 22, 2026 compliance deadline applies to all of these requirements simultaneously, and the FTC has not indicated any post-deadline grace period.
EdTech operators navigating this audit — particularly those updating existing notices to meet the 2025 amendments — should work through each checkpoint against their live data flows, not just their drafted language. If your current notice was built before the amendments, schedule a COPPA compliance review with Promise Legal to identify gaps before they become enforcement targets.