EdTech security — FERPA, COPPA, and student-data protection
Products used in K-12 handle minors' PII under COPPA + FERPA. Higher-ed products handle FERPA-covered student records. International EdTech also faces GDPR-Kids, India's DPDP Act, and more.
Top security risks
Student data in shared training sets
FERPA limits what you can do with student data. Training AI on it without explicit consent is a reportable violation.
Parent-consent missing for minors
COPPA requires verifiable parental consent for under-13 data collection.
Cross-border data transfer
Student data crossing borders triggers GDPR + regional child-protection rules.
Regulatory context
FERPA (US higher ed + K-12), COPPA (US under-13), SOPPA (Illinois), GDPR-Kids (EU), India DPDP Act, state laws.
Checklist
- Parental-consent flow for under-13 users (COPPA)
- Student Data Privacy Agreement (SDPA) available
- Data minimization — only what education requires
- Opt-in rather than opt-out for optional data collection
- Teacher / school-admin dashboard for data access
- Annual SDPA/DPA review with school districts
What your buyers look for
School-district buyers require signed SDPAs and often a published Student Data Privacy Pledge. Reference: studentprivacypledge.org.