Your IT director reviews the district's new AI writing assistant and notices the privacy policy mentions "data sharing with third-party analytics partners." The superintendent asks if this complies with student privacy laws, but the policy documents read like legal contracts. Understanding which protections apply and what questions to ask shouldn't require a law degree, and educators deserve clear explanations that honor their professional expertise, cultural knowledge, and the diverse communities they serve.
FERPA and COPPA work together to protect student information, but they focus on different areas. When your district implements AI tools, both laws shape what data you can collect and how vendors must handle it. This guide breaks down what has changed so far and provides practical steps to ensure your district's AI infrastructure protects student privacy.
These steps also help districts examine how privacy protections can advance equity, particularly for students whose data has historically been misused, misunderstood, or undervalued.
These two federal laws serve complementary yet distinct roles in protecting student privacy. FERPA focuses on educational records your schools already maintain, while COPPA governs what happens when students interact with online platforms and services. Knowing where each applies helps your administrative team ask the right questions when evaluating AI tools and drafting vendor agreements.
It also empowers teams to consider how these laws protect the identities of students, especially those who have been historically underserved in a widening technology/digital achievement gap.
FERPA protects education records at any school that receives federal funding. It gives parents the right to access their children's records, request corrections, and control who sees this information. Gradebooks, attendance records, and disciplinary notes are all protected under FERPA.
These records also hold important narratives about students' experiences; protecting them ensures families retain agency over how their children's stories are shared and interpreted.
COPPA regulates how websites and online services collect personal information from children under 13. When students log in to an AI tutoring platform or submit assignments through a digital tool, COPPA determines what data these services can collect and how they must obtain parental consent.
Educators can use this as an opportunity to teach students critical digital literacy, helping them understand who designs digital tools, whose perspective shapes them, and how to navigate online spaces responsibly.
The 2025 amendments shifted the default from opt-out to opt-in consent. Vendors must now obtain specific parental permission before using student data for advertising or sharing it with third parties. They also need to document every consent decision and justify any data they retain beyond immediate educational purposes.