If you teach students under 13, COPPA is the law you need to know. The Children's Online Privacy Protection Act governs how websites and apps collect data from children — and it applies directly to the AI tools you bring into your classroom.
Most teachers already understand FERPA's role in protecting student education records. COPPA is different. Where FERPA focuses on education records held by schools, COPPA focuses on commercial operators — the companies building the apps and websites your students interact with. If an AI tool collects personal information from children under 13, COPPA kicks in regardless of whether the school uses it.
This guide breaks down what COPPA actually requires, how to evaluate AI tools for compliance, and why TeachTools was built to sidestep the problem entirely.
What Is COPPA and Why Does It Matter for AI Tools?
The Children's Online Privacy Protection Act (COPPA) was enacted in 1998 and is enforced by the Federal Trade Commission (FTC). It applies to any commercial website, app, or online service that:
- Is directed at children under 13, or
- Has actual knowledge that it collects personal information from children under 13
"Personal information" under COPPA is broad. It includes names, email addresses, screen names, photos, voice recordings, geolocation data, and persistent identifiers like cookies or device IDs that can be used to track a child across websites.
Why This Matters Now More Than Ever
AI tools present new COPPA risks that didn't exist five years ago. When a student types a prompt into an AI chatbot, that input may contain personal details — their name, their school, their reading level, even their emotional state. If the tool stores those prompts (and most do, at least temporarily), that's personal information collection under COPPA.
The FTC has been increasingly aggressive about enforcement. In 2023, they fined Epic Games $275 million for COPPA violations related to Fortnite. In 2024, they took action against multiple ed-tech companies. The message is clear: if your tool touches kids' data, COPPA compliance isn't optional.
COPPA vs. FERPA: What's the Difference?
Teachers often confuse these two laws. Here's the key distinction:
| FERPA | COPPA | |
|---|---|---|
| Who it regulates | Schools and districts | Commercial operators (companies) |
| What it protects | Education records | Personal information from children under 13 |
| Enforced by | Dept. of Education | Federal Trade Commission (FTC) |
| Penalties | Loss of federal funding | Fines up to $50,120 per violation |
| Consent mechanism | School acts as agent for parents | Verifiable parental consent required (school can consent on behalf of parents for educational use) |
The critical overlap: When a school selects an AI tool for classroom use, it can provide COPPA consent on behalf of parents — but only if the tool limits its data collection to what's strictly necessary for the educational purpose. If the tool collects data beyond the school's authorization (like using it for advertising), the school's consent doesn't cover that.
For a deeper dive into FERPA requirements, see our FERPA Compliance Checklist for K-12 AI Tools.
What COPPA Actually Requires from AI Tools
Under COPPA, any AI tool used by children under 13 must:
1. Post a Clear, Comprehensive Privacy Policy
The policy must specifically describe what information is collected from children, how it's used, and whether it's disclosed to third parties. Vague language like "we may collect usage data" doesn't cut it — the FTC requires specificity.
2. Obtain Verifiable Parental Consent Before Collecting Data
Before collecting any personal information from a child, the operator must get consent from a parent or guardian. In a school context, the school can provide this consent — but only for educational purposes, not for commercial use.
3. Minimize Data Collection
The tool can only collect information that is reasonably necessary for the child to participate in the activity. An AI worksheet generator doesn't need a child's birthday, home address, or photo to generate a math worksheet.
4. Protect the Confidentiality and Security of Children's Data
Reasonable security measures are required — encryption, access controls, secure storage. This applies to the data at rest and in transit.
5. Retain Data Only as Long as Necessary
Once the data is no longer needed for its collected purpose, it must be deleted. Indefinite storage of children's information violates COPPA.
6. Never Condition Participation on Unnecessary Data Collection
A tool cannot require a child to provide more information than necessary to use the service. If an AI quiz tool demands the student's full name, school, and grade to generate a quiz — that's a COPPA red flag.
The AI Tool COPPA Compliance Checklist
Before approving any AI tool for students under 13, run through this checklist:
Privacy Policy Review
- Does the tool have a COPPA-specific privacy policy? Look for explicit mentions of children's data, not just a generic policy.
- Does it describe exactly what data is collected from children? Vague language is a red flag.
- Does it explain how children's data is used? "To improve our services" is not specific enough.
- Does it disclose all third parties that receive children's data? Including AI model providers, analytics services, and ad networks.
Data Collection Practices
- Does the tool require student accounts or logins? Tools that require children to create accounts collect more data by design.
- What happens to student inputs (prompts, answers, writing)? Are they stored? For how long? Used for model training?
- Does the tool use cookies or persistent identifiers? These count as personal information under COPPA.
- Does the tool collect more data than necessary? A worksheet generator doesn't need a student's name or photo.
Consent and Control
- Does the tool support school-based consent? It should have a mechanism for districts to consent on behalf of parents for educational use.
- Can parents review and delete their child's data? COPPA requires this right.
- Can the school revoke consent at any time? The tool must honor this and delete the data.
Security and Retention
- Is data encrypted in transit and at rest? TLS for transmission, AES-256 or equivalent for storage.
- Does the tool have a clear data retention policy? How long is children's data kept?
- Is there a data deletion process? Can the school request deletion at any time?
- Does the vendor sign a Data Processing Agreement (DPA)? This is increasingly standard for school procurement.
Red Flags vs. Green Flags: What to Look For
FERPA-compliant worksheets — zero student data collected
Try the Worksheet Generator →| Red Flags | Green Flags |
|---|---|
| Requires students to create individual accounts | Teacher-only accounts; students never interact directly |
| No mention of COPPA in the privacy policy | Explicit COPPA compliance section in the privacy policy |
| Uses student data to train AI models | Contractual guarantee that data is never used for training |
| Collects name, email, grade, school from students | Collects zero student PII by design |
| Vague data retention: "we may retain data indefinitely" | Clear retention policy with automatic deletion |
| Third-party ad trackers or analytics on student-facing pages | No advertising; analytics only on teacher-facing pages |
| No Data Processing Agreement (DPA) available | DPA available and ready for district review |
| Students type prompts directly into the AI | Teacher generates content; students receive finished materials |
How TeachTools Handles COPPA Compliance
TeachTools was designed from the ground up to avoid COPPA triggers entirely. Here's how:
No Student Accounts, No Student Data
Only teachers create accounts and interact with TeachTools. Students never log in, never type prompts, and never provide any personal information. This is the simplest and most effective approach to COPPA compliance — if you don't collect children's data, COPPA's requirements don't apply.
Teacher-Only AI Interaction
The teacher enters the topic, grade level, and parameters. TeachTools generates the worksheet, quiz, or lesson plan. The teacher reviews and distributes the finished material to students. At no point does a student interact with the AI system.
Zero Student PII by Design
TeachTools doesn't ask for — and doesn't need — student names, emails, IDs, grade levels, or any other identifying information. The teacher's account contains only the teacher's own information.
No Data Training
Content processed through TeachTools is never used to train AI models. We use OpenAI's API, which contractually guarantees that API data is not used for model training. Teacher inputs are processed, the output is generated, and that's it.
Encryption and Security
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Teacher accounts use bcrypt-hashed passwords. The infrastructure is hosted on SOC 2 Type II compliant servers with automatic backups.
Data Processing Agreements
School districts can request a formal DPA that documents our data handling practices, retention policies, and compliance commitments. Contact support@teachtools.co for district contracts.
Common Questions About COPPA and AI Tools
Can a teacher use ChatGPT directly with students under 13?
No. ChatGPT's terms of service require users to be at least 13 (or 18 without parental consent in some regions). If a teacher has students type prompts into ChatGPT, that's a COPPA violation because OpenAI is collecting personal information from children without verifiable parental consent.
What if I use the AI tool but students don't directly interact with it?
This is the safest approach and exactly how TeachTools works. If only the teacher interacts with the AI tool and distributes finished materials to students, no student data is collected by the tool. COPPA concerns are eliminated at the architecture level.
Does my district need to get parental consent for every AI tool?
If the tool collects personal information from children under 13, yes — unless the school consents on behalf of parents for a strictly educational purpose. But this puts the burden on the school to verify that the tool truly limits its data use. It's far simpler to choose tools that don't collect student data at all.
Are AI-generated worksheets and quizzes subject to COPPA?
The worksheets themselves are not. COPPA governs the collection of personal information, not the distribution of materials. If a teacher generates a quiz using AI and prints it for students, there's no COPPA issue. The concern arises when the AI tool requires student data as input.
What about state student privacy laws?
Many states have enacted their own student privacy laws that go beyond COPPA and FERPA. California's SOPIPA, New York's Education Law 2-d, and Illinois' SOPPA are examples. When evaluating AI tools, check your state's specific requirements in addition to federal law.
The Bottom Line
COPPA compliance doesn't have to be complicated. The simplest path is to choose AI tools that don't collect student data in the first place. When only teachers interact with the AI and students receive finished materials, the privacy equation is straightforward.
For schools evaluating AI tools, use the checklist above. Ask vendors direct questions. Look for explicit COPPA compliance statements, not vague privacy promises. And when in doubt, choose the tool that collects less data — not more.
Read our companion guide: FERPA Compliant AI Tools: 2026 K-12 Checklist & Guide
Evaluating specific tools? See our side-by-side comparison of 10 free AI worksheet generators with FERPA and COPPA compliance ratings for each.
For the complete guide to AI and student privacy, visit our FERPA Resource Hub — including competitor comparisons and a teacher's privacy checklist.