Navigating Updates on COPPA and Beyond: What K–12 Technology Leaders Need to Know

The Children’s Online Privacy Protection Act (COPPA) has been shaping how companies handle children’s data since 1998. While the law applies to vendors, not schools, districts play a critical role in how compliance works in practice—often acting on behalf of parents to provide consent for education technology tools.

The latest COPPA updates, adopted unanimously by the FTC in January 2025, are some of the most comprehensive revisions to date. They broaden the definition of personal information, raise expectations for vendor security, and clarify the responsibilities of districts when approving edtech tools for classroom use.

This podcast builds on a CoSN webinar held on February 12, 2025, hosted by:

• Linnette Attai, Director, CoSN’s Student Data Privacy and Trusted Learning Initiatives

• Reg Leichty, Founder, Foresight Law + Policy PLLC

Inside the Podcast

In this episode, we explore how the new COPPA rules change the landscape for K–12 technology leaders:

• Broader definition of personal information – Now includes biometrics, government IDs, and mobile numbers, reflecting the reality of modern devices and platforms.

• New parental consent options – Text messaging can be used to verify consent, in addition to older methods like email.

• Direct notices required – Vendors must provide clear, plain-language disclosures about what data is collected, how it’s used, and with whom it’s shared. Parents can approve educational uses while denying advertising.

• Stronger security requirements – Vendors must create written security plans, assign staff, conduct annual risk assessments, and test protections regularly.

• Vendor ecosystem accountability – Providers must ensure subcontractors also meet COPPA requirements, backed by written assurances in contracts.

• Data retention rules – Vendors must publish retention policies and delete data when it’s no longer needed for its original purpose.

• District responsibilities – Consent should come from the district level, not individual teachers, when approving tools on behalf of families.

• What didn’t change – Proposed edtech-specific rules, like mandatory written agreements or bans on commercial use of student data, were not finalized—though they may resurface in future legislative updates.

Timeline for Compliance

The FTC’s new rules will take effect after publication in the Federal Register, followed by a 60-day waiting period and then a one-year compliance window. This gives districts and vendors time to prepare, but the message is clear: start now.

District leaders should:

• Review vendor contracts.

• Monitor privacy policies and direct notices.

• Ensure consent processes flow through the district office.

• Align COPPA responsibilities with other privacy laws like FERPA and state-specific biometric protections.

Key Takeaways

• COPPA applies to vendors, not schools—but schools play a vital role in ensuring compliance.

• Expanded definitions and security requirements mean stronger protections for children’s data.

• District-level consent is essential; teachers should not serve as the point of legal approval.

• Transparency is the new norm: parents must be given clear, plain-language notices about data use.

• Now is the time to prepare: update contracts, policies, and training before the compliance deadline arrives.

Additional Resources

• CoSN Student Data Privacy Toolkit

• CoSN Trusted Learning Environment Seal Program

• CoSN 2025 National Student Data Privacy Report

• Webinar Recording ⁠Free for CoSN Members

• For a complete listing of all CoSN’s webinars, please visit:⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.cosn.org/⁠⁠⁠⁠⁠

Subscribe to edCircuit to stay up to date on all of our shows, podcasts, news, and thought leadership articles.