COPPA and Student Data: What Parents Should Ask Any EdTech Company
July 2, 2026 · Talon Tutoring TeamEvery app your child uses for school collects something: names, ages, messages, learning history, sometimes photos of handwritten homework. Two federal laws set the floor for how that data must be handled — and knowing just enough about them turns you from a parent clicking 'agree' into a parent asking questions companies have to answer.
Here's the plain-English version, and the six questions worth asking any edtech company.
COPPA and FERPA in one minute
COPPA — the Children's Online Privacy Protection Act — governs online services collecting personal information from children under 13. Its core requirement is verifiable parental consent before collection, plus limits on how children's data can be used and a parent's right to review and delete it.
FERPA — the Family Educational Rights and Privacy Act — protects education records held by schools, and follows the data when schools hand it to vendors. Rough division of labor: COPPA protects your child as a consumer of apps; FERPA protects their school records. A K-12 product used both at home and through schools should be able to speak to both.
Six questions to ask any edtech product
One: how does a child under 13 get an account — is a parent involved, or can a nine-year-old self-serve with a fake birthday? Two: exactly what personal information is collected, and is any of it encrypted at rest? Three: is student data ever sold, shared with advertisers, or used to target ads? Four: who can read my child's messages or chat history? Five: can I review and delete my child's data, and how? Six: what happens to the data if I cancel — or if the company is acquired?
A serious company answers all six specifically. Vague answers to question three or six are where the trouble usually lives.
Red flags in a privacy policy
Watch for 'we may share data with partners' without naming categories or purposes; ad networks or data brokers anywhere in a children's product; consent language that treats the child's own click as sufficient; and no mention of encryption for personal information. None of these is necessarily illegal — that's rather the point. The law is a floor, and plenty of products live exactly on it.
The absence of a way to contact a human about privacy is its own signal. A company confident in its data practices puts an email address on them.
How Talon answers these questions
Minors join Talon through a parent-managed signup — a parent creates and links the account, which is also why the student signup flow deliberately skips one-click social login in favor of guardrails that hold up. Personally identifiable fields are encrypted at rest. Parents get a weekly digest summarizing what the tutor was used for — subjects, time, topics — rather than a transcript feed, which we think is the right privacy balance for the student too; the reasoning is laid out on our parents page.
Student data is never sold and never used for advertising. The full details live in our privacy policy, and questions reach a human at support@ifalcons.ai — which, per the paragraph above, is exactly the kind of thing you should expect any edtech company to offer.