
COPPA's 2026 amendments: what schools should ask every edtech vendor

The amended COPPA Rule's compliance date arrived April 22, 2026. What changed, what it means for school-authorized consent, and the questions districts should ask every edtech vendor.

By Brian Carlson, Scott Quinlan and Kate Dwyer

As of April 22, 2026, every edtech vendor that collects personal information from children under 13 must comply with the amended Children’s Online Privacy Protection Rule — the first major update to COPPA since 2013. The amendments turn several things that used to be good practice into legal obligations: a written information security program, a written retention policy that bans indefinite retention, expanded protections for biometric data including voice recordings, and stricter limits on what third parties can do with children’s data.

For schools, the practical consequence is simple: the questions you ask vendors during procurement need to change. A vendor who was compliant in 2024 is not automatically compliant today, and “we comply with COPPA” on a sales slide tells you nothing about whether they’ve done the new work.

This article covers what actually changed, what it means for the school-authorization consent model most districts rely on, and the specific questions — with the evidence a compliant vendor should be able to produce — to ask before you sign.

What actually changed

The FTC finalized the amendments on January 16, 2025; the final rule was published in the Federal Register on April 22, 2025, with full compliance required one year later. The changes that matter most to schools:

| Change | What the amended rule requires | Where it lives |
| --- | --- | --- |
| Written information security program | A documented program with a designated coordinator, risk assessments at least annually, safeguards matched to the sensitivity of children’s data, and written assurances from every third party that touches it | § 312.8 |
| Written retention policy | A public, written policy stating what’s collected, why, and when it’s deleted. Indefinite retention is prohibited — data may be kept only as long as reasonably necessary for the purpose it was collected for | § 312.10 |
| Biometric identifiers | The definition of personal information now explicitly covers biometric identifiers that can be used for automated recognition — including voiceprints and facial templates | § 312.2 |
| Third-party disclosure | Disclosing children’s data to third parties (beyond integral service providers) requires separate, specific consent — and targeted advertising to children effectively requires an opt-in nobody in K-12 should be granting | § 312.5 |
| Direct notice | Notices must identify the categories of third parties receiving data and the purposes — vague “trusted partners” language doesn’t survive | § 312.4 |

The full amended text is in the Electronic Code of Federal Regulations, 16 CFR Part 312.

The school-authorization model, restated

Most classroom software operates under the FTC’s long-standing school-authorization guidance: instead of collecting verifiable parental consent child-by-child, the school consents on parents’ behalf — but only where the data is collected for the use and benefit of the school, and strictly for an educational purpose, never a commercial one. The FTC’s COPPA FAQ for businesses and schools spells out the conditions.

Two things follow that procurement teams sometimes miss:

  1. The school takes on a duty when it consents. If your district authorizes a tool, your district is vouching that the operator’s collection is limited to educational purposes. You can only vouch for what you’ve verified.
  2. The authorization has to be real and recorded. A vendor relying on school consent should be able to show you where and how that authorization was captured — not just assert that using the product implies it.

The questions to ask every vendor

Each question below pairs with what a compliant vendor should be able to show — not say, show. We answer each one for ourselves as we go, because we think vendors who’ve done the work should be willing to put their answers in writing in public. Ours are documented in more depth on our security and compliance page.

What to look for: consent records with document versions and timestamps, not a checkbox memory. If the terms or privacy notice change, what forces re-acceptance?

How we answer it: no adult account on Storytime AI can be created without affirmatively accepting the current Terms and Privacy Notice, and every acceptance is recorded in an append-only ledger — document version, actor, timestamp. When legal terms change, every user must re-accept before continuing. School and district authorizations are recorded at the organization level, so the school-consent chain is inspectable.

2. “What exactly do you collect from students — and what do you deliberately not collect?”

What to look for: a data inventory that’s short on purpose. The amended rule’s minimization expectations make “we collect what the feature needs” the only defensible posture.

How we answer it: students on our platform have no email address, no full last name, no birthdate, and no photos. Persistent identifiers on the student surface exist solely for sign-in and security — the internal-operations exception under § 312.5(c)(7) — and no advertising or analytics SDKs load on student surfaces at all.

3. “What’s your written retention schedule — per data class?”

What to look for: an actual document with stated timeframes for each category of data. “We retain data as long as necessary” without timeframes is exactly the indefinite retention § 312.10 now prohibits.

How we answer it: our retention policy states timeframes per data class and bans indefinite retention. The most sensitive class — child audio — has the shortest clock (next question).

4. “How do you handle student voice recordings?”

This is the question for any reading platform, and the amended rule’s biometric language raises the stakes: voiceprints are now explicitly personal information. The FTC has treated children’s audio as sensitive since its 2017 enforcement policy statement on voice recordings, which expected prompt deletion of audio collected in place of written words.

What to look for: when recordings happen, who can trigger them, how long they live, what mechanism deletes them, and whether they ever feed AI training.

How we answer it: on Storytime AI, recordings exist only when a teacher assigns a reading-fluency activity. They are never used to train AI — contractually prohibited with every vendor in our chain, attested in writing. And they are automatically and permanently deleted 30 days after capture by infrastructure-level policy — a storage lifecycle rule, not application code that can fail silently. A deletion mechanism that depends on app code running correctly is a promise; one enforced by the storage layer is a property.
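Whether a deletion clock is a storage-layer property can be checked from an exported lifecycle configuration rather than taken on assertion. The following is an added example, not Storytime AI's code or configuration: it assumes an S3-style lifecycle export, and the `student-audio/` prefix, function names and sample data are hypothetical.

```python
import json

# Constructed sample in the shape of an S3-style lifecycle export (not a real vendor config).
SAMPLE_EXPORT = json.loads("""
{"Rules": [
  {"ID": "audio-30d", "Status": "Enabled", "Filter": {"Prefix": "student-audio/"},
   "Expiration": {"Days": 30},
   "NoncurrentVersionExpiration": {"NoncurrentDays": 1},
   "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 1}},
  {"ID": "audio-legacy", "Status": "Disabled", "Filter": {"Prefix": "student-audio/"},
   "Expiration": {"Days": 365}}
]}
""")


def _covers(rule, prefix):
    """True when the rule applies to every object under `prefix`."""
    flt = rule.get("Filter", {})
    if set(flt) - {"Prefix"}:
        return False  # tag or size filters only cover some objects, so do not count them
    return prefix.startswith(flt.get("Prefix", ""))


def audit_audio_lifecycle(config, prefix, max_days=30, versioned=True):
    """Return a list of findings; an empty list means the stated clock is enforced."""
    active = [r for r in config.get("Rules", [])
              if r.get("Status") == "Enabled" and _covers(r, prefix)]
    if not active:
        return [f"no enabled lifecycle rule covers {prefix!r}"]
    findings = []
    days = [r["Expiration"]["Days"] for r in active
            if "Days" in r.get("Expiration", {})]
    if not days:
        findings.append("no enabled rule expires current objects by age")
    elif min(days) > max_days:
        findings.append(f"shortest expiration is {min(days)} days, above {max_days}")
    # On a versioned bucket, expiration only adds a delete marker; old versions persist
    # unless a noncurrent-version rule removes them.
    if versioned and not any("NoncurrentVersionExpiration" in r for r in active):
        findings.append("old object versions are never expired")
    # Interrupted uploads leave audio fragments that ordinary expiration never touches.
    if not any("AbortIncompleteMultipartUpload" in r for r in active):
        findings.append("incomplete uploads are never cleaned up")
    return findings


if __name__ == "__main__":
    print(audit_audio_lifecycle(SAMPLE_EXPORT, "student-audio/") or "30-day clock enforced")
```

A disabled rule or one scoped by tag is deliberately treated as not covering the audio path, since neither guarantees that every recording is deleted.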

5. “Can a parent exercise their rights without going through you?”

What to look for: self-service. The rule has always given parents the right to review, delete, and refuse further collection; the practical question is whether exercising those rights requires emailing a support alias and waiting.

How we answer it: parents can review, export, request deletion, and refuse further collection from their own portal — today, without a ticket. Refusing audio recording deletes stored audio immediately and the server rejects any future capture before a single byte is stored. Deletion requests don’t wait out a retention window. More on the parent experience on our families page.

6. “Show me your written information security program.”

What to look for: § 312.8 now requires a written program with a named coordinator, at-least-annual risk assessments, and written assurances from every third party handling children’s data. Ask for the document — or at minimum its table of contents — and ask who the coordinator is.

How we answer it: our WISP names a coordinator, commits to annual risk assessments, and maintains written assurances from every vendor that touches children’s data. It ships with our security questionnaire response during procurement.

7. “Who are your sub-processors, and what happens when the list changes?”

What to look for: the amended direct-notice rules require identifying categories of third parties and purposes. “Trusted partners” is not a category. You also want change notification in writing.

How we answer it: our sub-processor list is short, disclosed under NDA with the security questionnaire, and districts get 30 days’ notice before any change. Details on /security.

8. “What do schools receive for the COPPA paper trail?”

What to look for: a vendor relying on school authorization should hand the school what it needs to do its part: a COPPA direct notice written for schools, and something parents can actually read.

How we answer it: a dedicated COPPA Direct Notice ships as part of our procurement package alongside the NDPA, and teachers can print a branded parent notice for every student. See how we work with districts.

Red flags, briefly

  • “We’re COPPA certified.” Unless they name an FTC-approved Safe Harbor program, there’s no such thing as generic COPPA certification — and implying government endorsement is itself a problem.
  • Retention answered with a shrug. “Industry standard retention” and “as long as the account is active, plus backups” are 2013 answers to a 2026 question.
  • Audio with no lifecycle. If a vendor records children and can’t tell you the deletion mechanism and clock, the recordings live forever somewhere.
  • Analytics SDKs on student surfaces. Ask directly. The honest answer is auditable from the network tab.
  • Consent that can’t be produced. If the consent record is “they clicked through onboarding at some point,” there is no consent record.

What this means for your next adoption cycle

The April 2026 compliance date quietly re-opened every vendor evaluation. Tools adopted years ago were vetted against the old rule; the new obligations — the WISP, the retention policy, the biometric definitions — are exactly the kind of thing that doesn’t show up in a renewal unless someone asks. Adding the eight questions above to your standard security questionnaire costs one page and tends to sort vendors quickly: the ones who’ve done the work answer in specifics, and the ones who haven’t answer in adjectives.

We’ve published our own answers because we think that should be normal. If your district wants the full package — NDPA, COPPA Direct Notice, sub-processor disclosures, WISP — it’s all part of our standard procurement set: start with a conversation.

This article describes the amended COPPA Rule as it applies to our corner of edtech and isn’t legal advice — for adoption decisions, loop in your district’s counsel.

About the authors

Written and edited by the Storytime AI founding team.

  • Brian Carlson, Co-founder & CEO

    Co-founder and CEO of Storytime AI. Leads the company from Baltimore, building a literacy platform that meets every reader where they are — anchored to the Science of Reading.

  • Scott Quinlan, Co-founder & CTO

    Co-founder and CTO of Storytime AI. Owns engineering, product infrastructure, and the agentic growth pipeline — from the platform's AI generation engine to the structured-literacy content surface district leaders evaluate.

  • Kate Dwyer, Co-founder & CMO

    Co-founder and Chief Marketing Officer at Storytime AI. Translates Science-of-Reading research and product capability into language teachers, parents, and district leaders can act on. Based in the Washington DC–Baltimore area.
