At minimum, edtech developers should know about these 5 laws:

  • FERPA,
  • COPPA,
  • SOPIPA,
  • CCPA, and
  • GDPR.


The Family Educational Rights and Privacy Act (FERPA) was enacted in 1974 with the goal of giving students and parents greater control over their educational records. The law applies to any school in the US which receives federal funding from the Department of Education. FERPA grants parents and eligible students (those who are 18 years or older) the following rights:

  1. The right to inspect and review their records maintained by the school;
  2. The right to request that inaccurate or misleading records be changed; and,
  3. The right to restrict how the school releases their records. Generally, schools must have written permission from the parent or student in order to release any information from their record.

FERPA does have several exceptions, specifically about the release of student information to certain persons without consent from the student or parent. Under FERPA, schools may release directory information about students publicly. Schools may also release records to officials with a legitimate educational interest, which includes third-party companies and employees that work with schools to handle student data.

FERPA does not include provisions for students or parents who are impacted by improper record releases to sue offending schools or companies. Students who believe that their records have been improperly released can contact the Department of Education, which will investigate the problem and issue guidance for offending schools.


The Children's Online Privacy Protection Act (COPPA) was enacted in 1998 and applies to the online collection of information about children under the age of 13. According to the law, website operators may not collect personally identifiable information (PII) about children under 13 without verifiable consent from their parents. PII includes information such as full names, email addresses, and even IP addresses. COPPA allows the FTC to fine offending companies up to $42,000 for each individual violation.


The Student Online Personal Information Protection Act (SOPIPA) is a California law that prevents companies from collecting data about K-12 students for marketing purposes. Specifically, SOPIPA restricts companies from using PII to advertise to students. Companies also may not release PII or educational records unless it is to abide by a lawful request (e.g. FERPA). The law applies to any company that stores data for any student who is a resident of California.


The California Consumer Privacy Act (CCPA) is a state law which is intended to give users greater control over how companies store and use their data. The CCPA requires companies to provide users a method to opt out of the sale of personal data. Additionally, parental consent must be obtained in order to collect data about users under the age of 13 (similar to COPPA). The CCPA covers for-profit entities that collect personal information, do business in California, and meet one of the following thresholds:

  1. Have an annual revenue over $25 million;
  2. Collect the information of over 50,000 consumers per year; or
  3. Earn 50% or more of their annual revenue from selling personal information.

Non-profit entities, such as public schools or universities, are not covered under the CCPA. However, companies that work with schools and universities should still be cognizant of how they store user data and only release information when legally required to do so (e.g. for SOPIPA or FERPA compliance).


The General Data Protection Regulation (GDPR) is the European Union's law on data protection and privacy. GDPR impacts any company with an online presence that has customers who are citizens of the EU. Under GDPR, data processors must only collect data when there is a lawful basis for doing so.

Data subjects must be allowed to request the erasure of their data unless the processor has a legal obligation or is collecting data for a public task. Organizations must reply to the request to erase a user's data within one month. Data subjects are also allowed to request a copy of their data which has been collected with their consent.

Any organization in the education sector (e.g. universities, schools, software vendors, etc.) that does business with residents of the EU must be aware of what data they are collecting and how they are ensuring that personal data is being protected.
