“[...] kids as young as kindergarteners had Edmodo accounts and the company estimated that around 600,000 students under 13 used its platform in 2020 alone. In other words, according to the complaint, Edmodo gathered all that data without parental permission and without complying with the requirements of the COPPA Rule.” - The FTC 


Massive fines to the tune of $6M USD and 2 years later, Edmodo was issued a permanent injunction. In 2023, the FTC issued a joint motion to Edmodo which responded by shutting down all US operations. Safe to say protecting the privacy of young users is paramount for education technology (EdTech) companies, that means complying with the Children’s Online Privacy Protection Act (COPPA) meticulously.

Enacted to protect the privacy of children under 13, COPPA imposes strict regulations on how companies can collect, use and share information about young users. Failure to comply with COPPA leads to hefty fines, damaged reputations, and the loss of trust from schools, parents and communities. The primary challenge is that it is much easier to articulate than to implement. In fact, the issue most founders face isn’t the lack of a desire for compliance, it’s that new laws require constant updates to policies, and it’s the full-time job of an entire legal team in-house just keeping up, let alone bringing best practices to fruition. Staying on top of and identifying ever-changing interpretations of COPPA and implementing required adaptations in practices is a monolithic task for even the most diligent teams.

high resolution watercolor painting of a desk with a drafted privacy policy resting on top

The five essential aspects of COPPA every EdTech company should know:

Understand What Data is Covered by COPPA

COPPA specifically protects personal information about children under the age of 13, which includes more than just names and email addresses.

Under COPPA, “personal information” covers a range of data types, including:

  • Full name, address, and contact information
  • Photos, videos, and voice recordings
  • Geolocation information
  • Persistent identifiers such as IP addresses, cookie IDs, and device identifiers
  • Behavioral data collected through user tracking and profiling
  • It’s essential for EdTech companies to understand these data types and ensure that their data collection practices respect COPPA’s boundaries.

It’s essential for EdTech companies to understand these data types and ensure that their data collection practices respect COPPA’s boundaries.

Get Verifiable Parental Consent

Before collecting any personal data from children under 13, COPPA requires companies to obtain verifiable parental consent. This means companies must take steps to ensure that consent is genuinely obtained from a parent or guardian, not from the child.


Common methods include:

  • Providing a consent form for parents to sign and return
  • Using a credit card or payment system to verify the adult’s identity
  • Verifying identity through video call or a government-issued ID

Failing to secure this consent before data collection is one of the most common COPPA violations, and it is crucial for any EdTech company working with students under 13


Create a Clear and Accessible Privacy Policy

A well-crafted privacy policy isn’t just a compliance requirement—it’s a transparency tool that builds trust.
COPPA mandates that companies provide a clear, accessible, and understandable privacy policy detailing:

  • What information is collected
  • How the information is used
  • Who the information is shared with
  • Parental rights regarding data review, deletion, and consent withdrawal

Privacy policies must be written in plain language, free of legal jargon, so that parents and guardians can understand them quickly and fully.

a high resolution watercolor of a child reading in a library in front of a window

Only Use Data for Educational Purposes

COPPA strongly discourages the collection or use of children’s data for advertising, targeting, or any other non-educational purpose. For EdTech companies, this means data collection should focus solely on supporting educational activities and improving the learning experience. Using or selling student data for other purposes not only risks a COPPA violation but can also breach school and district contracts, jeopardizing long-term partnerships. In fact, simply retaining student data for longer than necessary also constitutes a violation of COPPA. 

When working with schools, ensure your data use aligns strictly with the educational services you provide.

Stay Updated on COPPA Guidance and State Privacy Laws

COPPA compliance isn’t a “set it and forget it” policy. The FTC frequently updates its COPPA guidelines, and as privacy awareness grows, states are introducing their own privacy laws that may impact COPPA compliance. California’s Student Online Personal Information Protection Act (SOPIPA), for instance, goes beyond COPPA and restricts the use of student data for non-educational purposes.

Monitoring these changes and regularly reviewing compliance practices is essential for any EdTech company. A shift in the interpretation of COPPA led to controversy surrounding Edmodo resulting in $6M in fines and an injunction in 2023. A worthy lesson for any founder within the educational or kidtech space is to note that the FTC does not take a lapse in regulatory privacy compliance lightly. 


According to Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, “This order makes clear that ed tech providers cannot outsource compliance responsibilities to schools, or force students to choose between their privacy and education. Other ed tech providers should carefully examine their practices to ensure they’re not compromising students’ privacy.”

Common Sense Privacy helps keep your company up to date with evolving privacy regulations and the best practices your customers have come to expect.

high resolution watercolor image of advocates with signs saying: COPPA, Privacy for Kids and Child Protection Laws‍

Back to Basics:

Navigating COPPA compliance is essential for any EdTech company that collects information from children under 13. By understanding what data COPPA covers, securing parental consent, providing clear privacy policies, using data responsibly, and staying informed on regulatory changes, EdTech companies can not only ensure compliance but also build trust with parents, educators, and schools.

Compliance with COPPA isn’t just about avoiding penalties—it’s about protecting the privacy and well-being of the students who use your tools.

Stay ahead of COPPA compliance. As an EdTech founder, don’t delay. Reach out for your free Privacy Policy Assessment today.