Legal counsel for education technology

The legal landscape for edtech is shaped by the convergence of three regulatory regimes that don't always agree with each other: COPPA (federal children's privacy), FERPA (federal education records privacy), and a rapidly growing patchwork of state-level student-data privacy laws. Add the AI-in-classroom rules that arrived in 2024–2025 and the FTC's heightened enforcement posture, and edtech becomes one of the more regulated consumer sectors in tech.

COPPA applies whenever your service touches under-13 data

The COPPA Rule's 2025 amendments materially raised the bar. The FTC tightened acceptable methods of verifiable parental consent, expanded the definition of "personal information" to include persistent identifiers used for any purpose other than internal operations, and limited the kinds of analytics edtech products can perform on children's data without consent. If your product is "directed to children," COPPA applies by default — regardless of whether you ask for age at signup, because the FTC reads "directed to children" from the totality of the product, not just the age gate.

FERPA is education-records law, not children's privacy law

FERPA applies whenever schools share student data with vendors — even for students over 18. The "school official exception" is the legal basis most edtech vendors rely on, and it requires three things: a legitimate educational interest, school control over the data, and the same confidentiality obligations the school itself would have. If a school district signs a procurement contract with you, the FERPA terms are likely already inside it. Reading them carefully is the difference between a clean K-12 sales motion and a procurement reset.

State student-data laws have proliferated

California's SOPIPA (Student Online Personal Information Protection Act) was the template; New York Education Law 2-d, Illinois SOPPA, and the Texas student data privacy statute are now active, with many other states following. The pattern: prohibitions on selling student data, restrictions on advertising to students, mandated data-deletion timelines, and security requirements that often exceed FERPA's baseline. A national K-12 launch needs to comply with all the active state regimes, not just FERPA + COPPA.

District contracts are where the legal work is

Every K-12 sale eventually runs through a procurement office, and every procurement office has a data-processing addendum — often the Student Data Privacy Consortium model agreement, sometimes a state-specific template, sometimes a custom one from the district's general counsel. The DPA is non-negotiable in most districts; the practical work is reading it carefully, redlining the clauses that conflict with your actual product behavior, and getting comfortable with the rest. Plan DPA negotiation as a standard step in the sales cycle.

AI in classrooms is the new regulatory frontier

The 2024–2025 wave of state guidance on AI in K-12 has been highly variable. Some states require disclosure of AI use to parents; some require human review of AI-generated content shown to students; some prohibit training AI models on student data under any circumstance. The FTC has been clear it views AI-enabled features in child-directed services as COPPA-relevant. Practical guidance: be explicit in your privacy policy about what AI features your product uses, what data trains your models, and what the human-review path is.

The compliance posture is also a sales asset

Districts buy edtech from vendors they trust. A clean, current, actively-maintained privacy posture — public privacy policy, a published security overview, signed BAAs where applicable, evidence of compliance with state law — is one of the most direct routes to faster procurement cycles. Edtech founders who treat compliance as a sales investment rather than a cost center close faster.