Skip to main content

We often get questions about how the Children’s Online Privacy Protection Act applies in the school setting. The COPPA Rule gives parents control over what information “an operator of a Web site or online service” – yes, that includes apps – can collect from their kids under 13. Among other things, COPPA requires entities covered by the law to notify parents and get their approval before they collect, use, or disclose personal information from children. So how does COPPA apply to schools? Here’s the short answer: Schools – which are usually part of the local government – don’t fall within the legal definition of who’s covered by COPPA because they aren’t commercial “operators.” That said, schools sometimes allow, or even require, students to use sites and services that are covered by COPPA and which must provide notice and get verifiable parental consent.

This question isn’t new. When the FTC issued the original COPPA Rule in 1999, it addressed how schools may serve as an intermediary between operators and parents in the notice and consent process or as the parent’s agent, acting on the parent’s behalf. Here’s what we said about the subject back then in the Statement of Basis and Purpose for COPPA:

“Numerous commenters raised concerns about how the Rule would apply to the use of the Internet in schools. Some commenters expressed concern that requiring parental consent for online information collection would interfere with classroom activities, especially if parental consent were not received for only one or two children. In response, the Commission notes that the Rule does not preclude schools from acting as intermediaries between operators and parents in the notice and consent process, or from serving as the parents’ agent in the process. For example, many schools already seek parental consent for in-school Internet access at the beginning of the school year. Thus, where an operator is authorized by a school to collect personal information from children, after providing notice to the school of the operator’s collection, use, and disclosure practices, the operator can presume that the school’s authorization is based on the school’s having obtained the parent’s consent.”

(Need the citation for that? It’s 64 Fed. Reg. 59888, 59903.)

However, the school’s ability to consent on a parent’s behalf is limited to the educational context – in other words, it applies only when an operator collects personal information from students just for an educational purpose, and for no other commercial purpose. Thus, in addition to the central role schools play in creating an engaging learning environment, they also have a part to play in protecting student privacy.

Recently, FTC staff received questions about whether COPPA covers providers of online tests – in particular, tests that two consortia of state educational agencies are developing. The Partnership for Assessment of Readiness for College and Careers (PARCC) is a nonprofit that describes itself as “an alliance of states working together to develop common assessments serving nearly 24 million students.” The Smarter Balanced Assessment Consortium is made up of member states and other government agencies. The idea is that the tests will be given online to school kids across the country. While we encourage all types of entities to respect children’s privacy, the FTC’s enforcement authority doesn’t extend to information collection by state governments or most nonprofits. So these specific consortia, and the development and administration of their tests, are not covered by COPPA. It’s important to keep in mind that schools administer tests for many reasons – to evaluate students’ and schools’ performance, for example – but also, in many cases, schools must comply with legal mandates to test students under federal, state, and local laws.

More broadly, however, the goal of COPPA is to protect children’s privacy with respect to the online collection of personal information by commercial entities. Many parents care deeply about their children’s privacy, and rightly expect their schools to protect it. But COPPA was not intended to displace the traditional relationship between parents and schools when it comes to the collection of information exclusively for educational purposes in the school context and with the school’s permission. That holds true even when that information is collected online.

Of course, under the Family Educational Rights and Privacy Act (FERPA), educational agencies and institutions have specific obligations to protect student privacy, including protecting personal information from children’s education records from further disclosure or uses without the written consent of the parent, unless permitted to do so under FERPA.

In sum, COPPA provides important protections for children’s personal information in the commercial space, and also recognizes the special role that schools may play in providing consent for the online collection of information from kids exclusively for educational services – for example, online testing.

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

Get Business Blog updates