COPPA Compliance for Districts
Understanding COPPA requirements in K-12 environments: which online services need parental consent, and how to evaluate vendor privacy practices.
COPPA Overview for Districts
The Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) and its implementing rule (16 CFR Part 312) regulate the online collection of personal information from children under 13. While COPPA primarily targets operators of commercial websites and online services, it has profound implications for K-12 school districts because students under 13 routinely use online services as part of their education.
The Federal Trade Commission (FTC) has issued guidance specifically addressing the school context. Under the FTC's 2014 guidance and subsequent updates, schools may consent to the collection of student information on behalf of parents — but only when the information is collected solely for a school-authorized educational purpose and for no commercial purpose. This is commonly referred to as the 'school consent exception.' It does not grant districts blanket authority to consent to any data collection; it is limited to educational uses.
Districts must understand that the school consent exception places affirmative responsibilities on them. When a district consents on behalf of parents, the district assumes the obligation to ensure the operator is collecting information only for the educational purpose, that the operator is not using the information for commercial purposes such as targeted advertising, and that the operator has reasonable security measures in place. If the operator violates these conditions, both the operator and the district may face FTC enforcement action.
When Districts Act as Parent
The school consent exception permits a school to provide consent on behalf of parents for an operator to collect personal information from children under 13, but only within strict boundaries. The district's consent authority extends only to information collected for school-authorized educational purposes. If an online service also collects data for non-educational commercial purposes — such as behavioral advertising, data brokering, or building marketing profiles — the school consent exception does not apply, and direct parental consent is required.
Districts should establish a formal consent framework that distinguishes between three scenarios. In the first scenario, the online service collects data exclusively for the educational purpose authorized by the district — here, the district may consent under the school exception without individual parental consent. In the second scenario, the service collects data for both educational and commercial purposes — the district cannot consent under the school exception, and either the commercial data collection must be contractually prohibited or individual parental consent must be obtained. In the third scenario, the service is used outside the educational context (for example, a student voluntarily uses a service at home for non-school purposes) — the school exception does not apply and parental consent must come directly from the parent.
Documentation is critical. Districts should maintain records of each service for which they have exercised the school consent exception, including the educational purpose, the date consent was granted, the specific data elements collected, and the contractual provisions ensuring the data is used only for the educational purpose.
- Establish a formal review process before exercising school consent for any new online service
- Document the educational purpose for each service where school consent is exercised
- Verify that each vendor's data collection is limited to the authorized educational purpose
- Contractually prohibit commercial use of student data in all vendor agreements
- Maintain a register of all services operating under the school consent exception
- Notify parents annually about which services the district uses and the consent basis
- Provide parents the opportunity to review data collected and request deletion
Evaluating EdTech Vendors
Before approving any online service for use by students under 13, districts must evaluate the vendor's privacy practices to determine whether the service can operate in compliance with COPPA under the school consent exception. This evaluation should be systematic and documented.
Begin by reviewing the vendor's privacy policy. The policy should clearly disclose what personal information is collected from children, how the information is used, whether the information is shared with third parties and for what purposes, the data retention period, and the security measures in place. Red flags include vague language about 'business purposes,' references to sharing data with advertising networks, the absence of a specific section addressing children's data, and no mention of COPPA or student privacy.
Districts should assess whether the vendor has signed the Student Privacy Pledge (administered by the Future of Privacy Forum and The Software & Information Industry Association), which commits signatories to a set of principles around student data privacy. While the Pledge is voluntary and not a legal safe harbor, it indicates the vendor's awareness of student privacy obligations.
The evaluation should include a review of the vendor's security practices. Ask for SOC 2 Type II reports, penetration test summaries, encryption practices (at rest and in transit), access control documentation, and breach history. A vendor handling data of children under 13 must maintain 'reasonable security' under COPPA — the FTC has taken enforcement actions against companies with inadequate security regardless of their other compliance efforts.
- Review the vendor's privacy policy for COPPA-specific disclosures
- Verify that data collection is limited to what is necessary for the educational purpose
- Confirm no third-party data sharing for advertising or non-educational commercial purposes
- Check whether the vendor has signed the Student Privacy Pledge
- Request SOC 2 Type II reports or equivalent security documentation
- Review the vendor's data retention policy and deletion procedures
- Evaluate the vendor's breach notification commitments and history
- Document the evaluation findings and approval/denial decision
Required Documentation
COPPA compliance in a school setting requires robust documentation to demonstrate that the district is meeting its obligations when exercising consent on behalf of parents. The FTC expects districts to maintain evidence that their use of the school consent exception is appropriate and that they are actively overseeing vendor compliance.
Districts should maintain a complete data inventory of all online services used by students under 13. The inventory should include the service name and vendor, the educational purpose served, the personal information collected, whether the district has exercised school consent, the date of approval and the approving authority, the data privacy agreement or contract in place, and the date of the most recent vendor evaluation.
Consent forms — whether used for direct parental consent or for informing parents about the district's school consent activities — should be retained. Even when direct parental consent is not required under the school exception, providing parents with notice about the services in use and the data collected is a best practice and may be required by state law.
Vendor agreements must be retained for the duration of the contract plus any post-termination data deletion period. These agreements should include specific COPPA-related provisions: the prohibition on commercial use, the limitation of data collection to the educational purpose, the vendor's security obligations, and the data deletion requirements at contract end.
- Maintain a centralized inventory of all online services used by students under 13
- Document the educational purpose and approval date for each service
- Retain all Data Privacy Agreements and vendor contracts
- Archive vendor evaluation records including privacy policy reviews and security assessments
- Keep copies of parent notification letters and consent forms
- Track parent opt-out requests and ensure compliance
- Update the data inventory when new services are adopted or existing ones are retired
Monitoring and Enforcement with iboss
Even with rigorous vendor evaluation and documentation, districts must monitor actual network activity to ensure that student data is flowing only to authorized services and that unauthorized applications are not collecting data from children without appropriate consent. This is where iboss CASB and SWG capabilities become essential.
The iboss Cloud Application Discovery feature analyzes network traffic to identify every cloud application and online service accessed by students and staff. This visibility is critical for detecting shadow IT — applications that staff or students use without district authorization. In many districts, teachers independently adopt free EdTech tools that may not have been evaluated for COPPA compliance. Without network-level visibility, these unapproved applications can collect student data without the district's knowledge or consent.
Once unauthorized applications are identified, the iboss SWG can block access to unapproved services or display a coaching page directing users to the district's application approval process. The CASB inline inspection capabilities can also detect and block unauthorized data collection activities, such as third-party tracking pixels, advertising SDKs, and cross-site tracking mechanisms embedded in web applications.
iboss content inspection can be configured to detect when personal information of children under 13 is being transmitted to non-approved destinations. By combining DLP policies with the approved vendor list, the district can create a policy that alerts on or blocks transmission of student PII (names, email addresses, student IDs) to any domain that is not on the district's sanctioned application list.
- Enable Cloud Application Discovery to identify all SaaS applications in use district-wide
- Cross-reference discovered applications against the approved vendor inventory
- Block or restrict access to unapproved applications that may collect student data
- Deploy coaching pages for unapproved applications directing users to the app approval process
- Configure inline content inspection to detect third-party tracking and advertising SDKs
- Create DLP policies that flag transmission of student PII to non-approved domains
- Generate monthly shadow IT reports for review by the technology and privacy teams
Annual Review and Re-authorization
COPPA compliance requires ongoing vigilance. The FTC's guidance makes clear that the school consent exception is not a perpetual authorization — districts should periodically reassess whether the basis for consent remains valid and whether vendors continue to comply with their obligations.
Districts should conduct an annual review of all online services operating under the school consent exception. The review should verify that the service is still in active use for the authorized educational purpose, that the vendor has not materially changed its privacy practices, that the vendor is complying with data retention and deletion requirements, that no complaints or incidents have occurred, and that the service continues to meet the district's security standards.
Vendors that are no longer in use should be formally retired. The district should confirm that all student data held by the vendor has been deleted or returned per the terms of the data privacy agreement. A data deletion confirmation should be obtained in writing and retained in the compliance records.
The annual review should also assess whether any changes in FTC guidance, state law, or district technology strategy affect the district's COPPA compliance posture. The FTC periodically updates its COPPA FAQs and enforcement priorities, and state legislatures continue to enact new student data privacy laws that may impose additional requirements beyond federal COPPA.
- Schedule an annual review of all services operating under the school consent exception
- Verify continued educational purpose and active use for each approved service
- Confirm vendor privacy practices have not materially changed
- Retire services no longer in use and obtain data deletion confirmation
- Review FTC guidance updates and new state privacy legislation
- Update the data inventory and vendor evaluation records
- Report review findings to district leadership and school board if required
iboss Configuration for COPPA
The following iboss configuration steps support COPPA compliance by providing visibility into online services, enforcing application controls, and preventing unauthorized data collection from students under 13. These settings should be applied specifically to student user groups or network segments serving elementary and middle school populations.
- Create a dedicated policy group for students under 13 (elementary and middle school) with age-appropriate controls
- Enable Cloud Application Discovery and schedule weekly cloud app inventory reports
- Build an approved application allow-list based on the district's vetted vendor inventory
- Configure a block or coaching action for cloud applications not on the approved list for under-13 groups
- Enable inline CASB inspection for sanctioned applications to detect policy changes or new data collection behaviors
- Configure content inspection to block third-party advertising trackers and data collection scripts
- Create DLP rules that detect student PII (name, email, student ID) in outbound requests to non-approved domains
- Set DLP action to BLOCK for PII transmission to unapproved destinations for under-13 user groups
- Enable HTTP header injection to signal approved services about the student context (e.g., Google Workspace age-based settings)
- Configure logging to capture all cloud application access and DLP events for under-13 user groups
- Set log retention to a minimum of 3 years for COPPA-related events
- Generate a monthly COPPA Compliance Report and route to the district privacy officer
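The Monitoring and Enforcement section above describes two checks (cross-referencing discovered cloud applications against the approved vendor inventory, and flagging student PII sent to non-approved domains for under-13 groups), and the configuration steps above map them onto the allow-list, coaching and DLP BLOCK actions. The following is an added example that models that decision logic in plain Python over constructed proxy log lines; it is not iboss code or configuration, and every domain, policy group, user and student-ID format in it is a constructed assumption.

```python
"""Shadow-IT and student-PII egress checks over constructed proxy log lines.

Added example, not iboss code. It models the decision logic a district would
expect from its CASB/SWG: allow approved vendors, coach or block under-13
traffic to unapproved applications, alert on unapproved use elsewhere, and
count unapproved hosts for a shadow-IT report.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed approved vendor inventory (domain -> educational purpose). In a
# district this comes from the register kept under the school consent exception.
APPROVED_VENDORS = {
    "lms.example-edu.org": "learning management system",
    "reading.example-vendor.com": "K-5 reading practice",
}
UNDER_13_GROUPS = {"elementary", "middle-school"}  # constructed policy group names

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
STUDENT_ID_RE = re.compile(r"\bS\d{7}\b")  # constructed district ID format: S + 7 digits

# Constructed log lines: timestamp, policy group, method, URL, request body ("-" = none).
SAMPLE_LOG = """\
2024-09-03T08:15:22Z elementary GET https://lms.example-edu.org/courses/12 -
2024-09-03T08:16:05Z elementary POST https://quiz.example-unvetted.net/signup name=Jamie&email=jamie.student@example-district.org
2024-09-03T08:17:40Z middle-school POST https://api.reading.example-vendor.com/progress student=S0012345&score=88
2024-09-03T08:18:11Z high-school POST https://forms.example-unvetted.net/submit comment=hello
2024-09-03T08:19:30Z high-school POST https://forms.example-unvetted.net/submit id=S0098765
2024-09-03T08:20:02Z elementary GET https://cdn.example-ads.net/pixel.gif -
"""


@dataclass(frozen=True)
class Decision:
    host: str
    group: str
    approved: bool
    pii: tuple      # PII categories observed in the request body
    action: str     # allow | coach | alert | block


def parse_line(line):
    """Split one constructed log line into (group, url, body)."""
    _ts, group, _method, url, body = line.split(" ", 4)
    return group, url, ("" if body == "-" else body)


def is_approved(host):
    """A host is approved if it is an inventory domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in APPROVED_VENDORS)


def detect_pii(body):
    """Return the student-PII categories found in a request body."""
    found = []
    if EMAIL_RE.search(body):
        found.append("email")
    if STUDENT_ID_RE.search(body):
        found.append("student_id")
    return tuple(found)


def evaluate(group, url, body):
    """Apply the allow-list, coaching and DLP rules to one request."""
    host = urlsplit(url).hostname or ""
    approved = is_approved(host)
    pii = detect_pii(body)
    if approved:
        action = "allow"                       # sanctioned service, school consent on file
    elif group in UNDER_13_GROUPS:
        action = "block" if pii else "coach"   # DLP BLOCK on PII; otherwise coaching page
    else:
        action = "alert"                       # unapproved use by older students/staff: report
    return Decision(host, group, approved, pii, action)


def run(log_text):
    """Evaluate every line; return decisions and a shadow-IT host count."""
    decisions = [evaluate(*parse_line(l)) for l in log_text.splitlines() if l.strip()]
    shadow_it = Counter(d.host for d in decisions if not d.approved)
    return decisions, shadow_it


if __name__ == "__main__":
    decisions, shadow_it = run(SAMPLE_LOG)
    for d in decisions:
        print(f"{d.action:5} {d.group:13} {d.host} pii={list(d.pii)}")
    print("shadow IT report:", dict(shadow_it))
```

The subdomain match in `is_approved` is what lets an approved vendor's API host pass without a separate inventory entry; anything not matching the inventory lands in the shadow-IT counter, which is the input for the monthly review the sections above call for.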