EdTech Compliance Checklist: FERPA, COPPA & Student Data Privacy for K–12

Aug 14 2025


Kevin Schroeder: Senior Director, Learning Solutions

If you’re building or managing a K–12 EdTech product, you’re not just thinking about features and user experience — you’re also handling some of the most sensitive data out there: student information. That means understanding and complying with key U.S. laws like FERPA and COPPA is essential. 

This post breaks down the basics and gives you a practical checklist to help you stay on the right side of compliance. 

 

  1. What is FERPA?

FERPA (Family Educational Rights and Privacy Act) is a federal law that protects the privacy of student education records. It applies to all schools that receive funding from the U.S. Department of Education — so, basically, every public school and many private institutions. 

If your product stores or accesses student education records, including test scores, attendance, grades, or behavioral data, FERPA applies to you.

According to the U.S. Department of Education, FERPA requires that: 

  • Schools (and by extension, third-party vendors) must get written parental consent before disclosing personally identifiable information (PII) from a student’s education record. 
  • Schools can share data with “school officials” (which can include contractors) under “legitimate educational interest,” but only if strict data protection protocols are in place. 

Checklist Items:

  • Ensure your product collects and shares student data only under clearly defined “legitimate educational interest” guidelines. 
  • Have a data protection agreement (DPA) in place with every school or district you work with. 

 

  2. What is COPPA?

COPPA (Children’s Online Privacy Protection Act) is another federal law, but this one is about online privacy for kids under 13. If your product is used by elementary or middle school students, COPPA is especially important. 

According to the FTC’s official guidance, COPPA requires that EdTech companies: 

  • Get verifiable parental consent before collecting personal data from children under 13. 
  • Provide a clear, concise privacy policy. 
  • Only collect data that’s necessary to provide the service. 

Importantly, if a school is acting as the parent’s agent (for example, during in-class instruction), you may not need to get direct parental consent, but the school must be fully informed.

Checklist Items:

  • Post a clear, easy-to-understand privacy policy on your site. 
  • Collect only essential personal data for functionality. 
  • Provide a mechanism for schools to give consent on behalf of parents (and keep a record). 

 

  3. State-Level Student Data Privacy Laws

Beyond federal laws, states are stepping up their own regulations. As of 2024, more than 130 state-level laws on student data privacy have been passed in the U.S., many of which go further than FERPA and COPPA. 

A few examples: 

  • California’s SOPIPA (Student Online Personal Information Protection Act) prohibits EdTech vendors from using student data for targeted advertising or selling that data. 
  • Connecticut, Colorado, and New York have robust student privacy laws requiring vendor contracts and breach notification procedures. 

The Student Privacy Compass is a fantastic resource for tracking state-specific laws and best practices. 

Checklist Items:

  • Stay up to date on state-specific privacy laws for each district you serve. 
  • Include data breach response language in contracts. 
  • Avoid any use of student data for commercial purposes. 

 

  4. General Data Privacy Best Practices

Even if you’re compliant on paper, trust matters. Schools and parents expect transparency and care. Some best practices that go beyond the legal minimum: 

  • Data minimization: Only collect what you absolutely need. 
  • Encryption: Use encryption in transit and at rest. 
  • User controls: Let schools control user accounts, access, and data deletion. 
  • Audit trails: Keep logs of data access and changes. 

Organizations like the Future of Privacy Forum offer frameworks (like the Student Privacy Pledge) that help build credibility and go above and beyond compliance. 

Checklist Items:

  • Offer schools full control over account management and data deletion. 
  • Publish a Data Governance Policy. 
  • Sign the Student Privacy Pledge or similar public commitment. 

 

Quick EdTech Compliance Checklist 

| Requirement | Covered? |
|---|---|
| FERPA-aligned data sharing policies | |
| COPPA-compliant parental consent process | |
| Public-facing, readable privacy policy | |
| Encryption for stored and transmitted data | |
| State-by-state compliance mapping | |
| Data deletion and access controls | |
| Signed Data Protection Agreements (DPAs) | |
| Breach response and notification policy | |

 

How MRCC Can Help 

Navigating the maze of FERPA, COPPA, and state-level privacy laws can be overwhelming, especially when you’re focused on building a great product. That’s where MRCC comes in. With deep experience in K–12 educational publishing and EdTech solutions, MRCC helps product teams implement privacy-by-design principles, align with compliance requirements, and craft data governance frameworks that satisfy both legal standards and school district expectations. Whether you need support reviewing your privacy policy, updating your data handling processes, or preparing for district-level procurement, MRCC brings the expertise to keep your product safe, compliant, and trusted by educators. 

 

 
