COPPA 101 for EdTech Companies - iKeepSafe

COPPA 101 for EdTech Companies

The Children’s Online Privacy Protection Act of 1998 (COPPA) is a federal law designed to help parents remain in control of what personal information websites and other online services can collect from their young children. COPPA is administered by the Federal Trade Commission (FTC). It applies to operators of websites, apps, or other online services that collect, use, or disclose personal information from children under the age of 13, and to operators of general audience websites, apps, or online services that have actual knowledge that they are collecting, using, or disclosing personal information from children under 13.


  • COPPA applies to commercial “operators” of websites, apps, or other online services that knowingly collect information from children under age 13.
  • When using educational technologies that collect COPPA protected personal information, schools act as intermediaries between vendors and students to obtain verifiable parental consent.

In sum, COPPA provides important protections for children’s personal information in the commercial space, and also recognizes the special role that schools may play in providing consent for the online collection of information from kids exclusively for educational services.


The definition of Personal Information that falls within COPPA compliance requirements includes: children’s names, nicknames, email addresses, telephone numbers, home addresses, and other geo-location information, social security numbers, photos, video, and audio files of the child, any persistent identifier or tracker that can be used to recognize an individual’s use over time and/or across different websites, as well as any information that enables physical or online communication or contact with a specific individual.


  1. Post a privacy policy.
  2. Provide direct notice to parents.
  3. Obtain verifiable parental consent.


Educational technology companies and products must have a prominently and clearly displayed privacy policy on the homepage or landing screen a nd at each area or page of the product or site that collects personal information. It is best practice to present the privacy policy before a download is allowed on a mobile device. It must include:

  • The name, address, telephone number, and email address of all operators collecting or maintaining personal information through the product or website. For clarity and brevity in the policy, you may wish to place this list on another page through a prominent link. In this case readers should be directed to one operator who will respond to all parent inquiries concerning the policy.
  • A description of the information collected from children, what is done with the information, and whether or not and how it might be disclosed publicly.
  • An allowance for parents to review, remove, and cease the product’s collection of their child’s personal information.

The “collection of personal information” usually includes that through passive and persistent collection technology like cookies, IP addresses, GUIDs, etc.


It is the responsibility of the product or website operator to provide direct notice to parents prior to collecting personal identifiable information from a child under 13 years of age. Direct notice must inform the parents of the operator’s practices related to the collection, use, or disclosure of a child’s personal information. COPPA has very specific requirements as to what must be included in the direct notice.


Verifiable parental consent must be obtained before collecting personal information online from children under 13. There are a number of ways to obtain consent; however, the method used must be “reasonably calculated” to ensure the consent is actually being granted by the parent. Acceptable methods of verifiable parental consent include, but are not limited to:

  • Use of a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan.
  • Requiring the parent to complete a monetary transaction via a credit card, debit card, or other form of online payment system.
  • Use of a toll-free telephone number or video-conference tool whereby a parent connects to trained personnel.

In certain circumstances, schools may provide consent to the collection of student’s information on behalf of the parent. This ability to consent for the parent is limited to the educational context. The personal information collected must be for the use and benefit of the school, and cannot be used for any other commercial purpose. In order to get consent, the school must be provided with all the notices required under COPPA.



This COPPA 101 is not legal advice . Instead, we hope to introduce basic issues of COPPA and privacy, and help EdTech companies consider ways to build parent confidence and protections for personal information of young students.

COPPA Safe Harbor California Student Privacy Certified ATLIS Certified
To learn more about how we can help, leave us a message:

Subscribe to our monthly
Privacy & Security newsletter.
© 2024 iKeepSafe. All rights reserved.