Home / Blog / COPPA 2026: The Vendor Audit …
Compliance

COPPA 2026: The Vendor Audit Every Microschool Needs Now

NavEd Team 9 min read

A microschool founder we spoke with last month had done exactly what a thoughtful operator is supposed to do. She built a spreadsheet of every EdTech tool her students touch, opened each vendor's website, and checked the box next to "COPPA compliant." Twelve tools. Twelve badges. Job done.

Except that badge on the vendor's footer may have been issued in 2022 — years before the FTC published its final amended COPPA rule on April 22, 2025. And two specific changes took effect on April 22, 2026, that most of those badges do not account for.

First: biometric identifiers — including facial templates generated by photo-based recognition software — are now personal information under COPPA. Second: sharing data with any third party requires separate verifiable parental consent that cannot be bundled into your enrollment paperwork.

COPPA applies to children under 13. If your cohort includes any students under that age, the rest of this post applies to you.

What follows walks through both changes and gives you three questions to audit every tool in your stack.

FERPA and COPPA Are Not the Same Shield

If your vendor passed your FERPA checklist, that does not make them COPPA-compliant. These are two different statutes, enforced by two different agencies, protecting two different things.

Most school leaders we work with have absorbed FERPA thoroughly. COPPA gets treated as a footnote. That was survivable under the old rule. It is not survivable now.

FERPA COPPA
What it covers Education records maintained by schools Online collection of personal information from children under 13
Who it protects Students of any age Children under 13 specifically
Who enforces it U.S. Department of Education Federal Trade Commission
School's role Rights holder over existing records Operator with active compliance obligations at point of data collection

FERPA places obligations on the school regarding records that already exist. COPPA places obligations at the moment data is collected. A vendor can be fully FERPA-approved and still violate COPPA by generating a facial template from a photo-based attendance scan without proper consent.

The two frameworks are complementary, not redundant. Vetting for one does not vet for the other. A signed FERPA data-sharing agreement does not answer the question of whether the vendor is collecting biometric identifiers, and it does not address the third-party consent carve-out.

For FERPA fundamentals, see our Student Data Privacy: FERPA for Small Schools guide. This post covers what FERPA does not.

Now let's look at what actually changed in April 2026.

What Changed on April 22, 2026

The COPPA statute itself is from 1998. The rule implementing it was last meaningfully amended in 2013. The FTC's final rule published on April 22, 2025 — effective April 22, 2026 — is the first major overhaul in 12 years, and it addresses a decade of unregulated data practices in EdTech.

Two changes matter most for microschools.

Change 1: Biometric identifiers are now personal information.

The amended rule expanded the definition of personal information to explicitly include five new categories:

  • Facial templates, including those generated by photo-based recognition software
  • Voiceprints
  • Fingerprints
  • Retina and iris patterns
  • Gait patterns

Read that first bullet again. A facial template generated by photo-based recognition software is a biometric identifier. You do not need a dedicated biometric scanner to be collecting one.

Practical translation: if your check-in app takes a photo and matches it to a student record, that software is generating a facial template. If your AI tutoring platform records voice responses to deliver adaptive feedback, it may be generating voiceprints. Neither was regulated under the original rule. Both are regulated now.

Change 2: Third-party data sharing requires separate verifiable parental consent.

Under the old rule, the school-authorization exception allowed a school to consent on behalf of parents in a bundled way. The 2026 amendment carved out a specific exclusion: data collected under school authorization that is shared with a third party — for any purpose beyond delivering the educational service — requires its own, separate verifiable parental consent.

It cannot be bundled in general terms of service. It cannot be assumed from a signature on the enrollment form. It has to be its own explicit consent step.

The practical implication is uncomfortable: most EdTech vendors' consent flows predate this carve-out. If the vendor designed their architecture before April 2025, it almost certainly does not account for this requirement. Their "COPPA compliant" workflow was built against a rule that no longer exists.

The School-Authorization Exception: What It Covers, What It Doesn't

The school-authorization exception lets schools consent on behalf of parents. That is true. But it comes with a boundary that the April 2026 rule made explicit.

What the exception covers: a school may authorize a vendor to collect personal information from students under 13 without obtaining individual parental consent for each child, as long as the vendor uses the data solely to provide the educational service to the school and for no other purpose.

That last clause is the whole ballgame.

What the exception explicitly does NOT cover:

  • Commercial advertising or marketing
  • Training the vendor's AI models using student interaction data
  • Sharing data with analytics sub-processors for product improvement
  • Any use that serves the vendor's business interests rather than the school's educational mission

Consider a category example — no vendor named. An AI tutoring platform improves its recommendation engine by aggregating student response data. That is using student data beyond the educational service delivered to your school. The school-authorization exception does not cover this secondary use. If the vendor's terms of service permit it, your school cannot rely on the exception. You need separate verifiable parental consent for that specific use, or a contractual prohibition that binds the vendor from using the data that way.

You need to read your vendor contracts for data use clauses, not just data collection clauses. The collection might be covered. The use might not be. And under the amended rule, the difference between the two is exactly where enforcement lives.

This is exactly what the three-question audit is designed to surface.

The Three-Question Vendor Audit

Run every EdTech tool your under-13 students touch through these three questions. If any answer is "I don't know" or "I need to check the contract," stop and find out before the next student logs in.

Question 1: Does this tool collect, generate, or derive any biometric identifier from students under 13?

The key word is "generate." You do not need a fingerprint scanner in the classroom. If a photo-based attendance app creates a facial template to match a student to their record, it has generated a biometric identifier under the amended rule.

Ask the vendor directly, in writing. Categories worth checking closely: photo-based attendance tools, video platforms with attention monitoring, voice-interactive AI tutoring systems, any app that uses a camera or microphone in a way that processes individual physical characteristics.

Question 2: Does the vendor share, sell, or use student data for any purpose beyond delivering the educational service to your school?

The answer needs to be in the contract or data processing agreement — not the marketing page, not the FAQ, not a sales rep's verbal reassurance. Red-flag language to watch for: "improve our services," "aggregate research," "model training," "third-party analytics partners," "usage data."

Any of these phrases may indicate uses outside the school-authorization exception's scope. If the answer is yes to any secondary use, that use now requires separate verifiable parental consent under the 2026 amendment. Bundling it into enrollment paperwork does not satisfy this requirement.

Question 3: When was this vendor's COPPA compliance certification or privacy policy last updated, and does it explicitly reference the April 2026 amendments?

A "COPPA compliant" badge or privacy policy issued before April 22, 2025 was certified against the old rule. It does not account for biometric identifier classification or the third-party consent carve-out.

Look for explicit references to the 2026 amendments and updated definitions of "personal information" that include biometric data. If a vendor's privacy policy has not been updated since 2024, ask them directly about their April 2026 posture. Silence is a red flag.

These three questions will not catch every possible exposure — nothing replaces a legal review of your specific contracts. But they will surface the vendors most likely to put your school in a compliance gap.

What a Compliant Written Assurance Must Actually Say

The 2026 rule introduced a new obligation: operators must obtain written assurances from any third party that receives children's data, confirming that the third party will maintain appropriate data security. Your school inherits this obligation when it relies on the school-authorization exception.

"Third party" is broad. It includes any sub-processor your vendor uses — cloud storage providers, analytics services, content delivery systems, any platform that touches student data downstream of your primary vendor.

A written assurance that satisfies the 2026 rule needs to specify all of the following:

  1. The specific categories of data being shared — not "student records" as a catch-all, but actual data types, including whether biometric identifiers are included in the transfer.
  2. The security standard the third party commits to maintaining. A defined standard such as NIST or SOC 2 Type II is meaningful. Vague "industry standard" language is not.
  3. The permissible uses of the data, with an explicit prohibition on commercial use, AI model training, and further sharing without separate consent.
  4. The retention period and deletion schedule for that specific data. This must be consistent with your school's written retention policy.
  5. A breach notification commitment. The third party must notify the operator — meaning your vendor, and by extension your school — in the event of unauthorized access.

Most vendor data processing agreements do not contain all five elements. If yours do not, you have remediation work to do. That work is asking the vendor for an updated DPA, or replacing the vendor if they cannot produce one.

Data Retention: Indefinite Is Non-Compliant

The amended rule requires operators to maintain a written data retention policy that specifies a retention period. "We keep data as long as reasonably necessary" is not sufficient. The policy must state a specific period, and it must appear in the privacy notice — not just be linked to a separate document.

Operational implication: if a student leaves your program, their data cannot remain in a vendor's system indefinitely. The retention policy must address off-boarding timelines.

A retention period tied to a defined event works well operationally. For example: graduation, withdrawal, or the student's 13th birthday (whichever comes first), plus a defined buffer period for necessary record-keeping. Whatever the period you choose, it must be in writing, and your vendor contracts must bind the vendor to the same schedule. If you retain records for two years post-withdrawal and your vendor retains them for five, that mismatch is your problem, not theirs.

The FTC has identified indefinite retention as an enforcement priority under the amended rule.

Your Action List

If reading this post surfaced gaps, here is the sequenced action list. Start with your own documentation before approaching vendors — you cannot ask a vendor to align with a policy you have not written yet.

  1. Confirm your student age distribution. COPPA applies only to students under 13. If your cohort is entirely 13 and older, your COPPA obligations are minimal. If any students are under 13, your obligations are absolute — there is no partial application.

  2. Pull your current privacy notice and check for a written data retention period. If the policy references a separate document, or contains no retention period at all, that is your first remediation task. Fix it before any vendor conversations.

  3. Run the three-question audit on every tool your under-13 students touch. Prioritize photo-based attendance apps, AI tutoring platforms, and video conferencing tools with any attention-monitoring or face-detection features.

  4. Request updated written assurances from any vendor that shares data with third parties. Ask explicitly whether their DPA reflects April 2026 requirements. If it does not, ask for an updated version. If they cannot produce one, that is a decision point.

  5. Check the date on every vendor's COPPA compliance certification and privacy policy. Anything predating April 22, 2025 needs to be re-evaluated against the amended rule.

  6. Document what you did. Good-faith compliance effort is a relevant factor if the FTC investigates. Ignorance is not a defense. Demonstrated diligence is.

A Note on Penalties

Civil penalties under COPPA currently run up to $53,088 per violation under the FTC's inflation-adjusted schedule.

"Per violation" means per child, per incident. One non-compliant tool interacting with 30 under-13 students is potentially 30 violations. The math scales quickly and unpleasantly.

The FTC does not scale enforcement leniency based on operator size. The statute does not contain a small-operator carve-out. A microschool with 40 students has the same obligations as a district with 40,000.

This section is not here to frighten. It is here to calibrate the urgency of the action list above.

Where NavEd Fits In

No platform can do this compliance work for a school. Verifying vendors, writing retention policies, obtaining separate parental consent where required — those are the school's responsibilities, and they should be.

What NavEd does handle: student records, attendance, and family communication in a single system with defined retention policies, rather than data distributed across a dozen vendor ecosystems. Fewer systems touching under-13 data means fewer audit questions, shorter vendor lists, and a smaller surface area to defend.

If you are building or refining your microschool's student data infrastructure, start a free trial to see how NavEd centralizes what matters.

NavEd Team
Back to Blog