COPPA and Student Data: What Parents Should Ask Any EdTech Company

July 2, 2026 · Talon Tutoring Team

Every app your child uses for school collects something: names, ages, messages, learning history, sometimes photos of handwritten homework. Two federal laws set the floor for how that data must be handled — and knowing just enough about them turns you from a parent clicking 'agree' into a parent asking questions companies have to answer.

Here's the plain-English version, and the six questions worth asking any edtech company.

COPPA and FERPA in one minute

COPPA — the Children's Online Privacy Protection Act — governs online services collecting personal information from children under 13. Its core requirement is verifiable parental consent before collection, plus limits on how children's data can be used and a parent's right to review and delete it.

FERPA — the Family Educational Rights and Privacy Act — protects education records held by schools, and follows the data when schools hand it to vendors. Rough division of labor: COPPA protects your child as a consumer of apps; FERPA protects their school records. A K-12 product used both at home and through schools should be able to speak to both.

Six questions to ask any edtech product

One: how does a child under 13 get an account — is a parent involved, or can a nine-year-old self-serve with a fake birthday? Two: exactly what personal information is collected, and is any of it encrypted at rest? Three: is student data ever sold, shared with advertisers, or used to target ads? Four: who can read my child's messages or chat history? Five: can I review and delete my child's data, and how? Six: what happens to the data if I cancel — or if the company is acquired?

A serious company answers all six specifically. Vague answers to question three or six are where the trouble usually lives.

Red flags in a privacy policy

Watch for 'we may share data with partners' without naming categories or purposes; ad networks or data brokers anywhere in a children's product; consent language that treats the child's own click as sufficient; and no mention of encryption for personal information. None of these is necessarily illegal — that's rather the point. The law is a floor, and plenty of products live exactly on it.

The absence of a way to contact a human about privacy is its own signal. A company confident in its data practices puts an email address on them.

How Talon answers these questions

Minors join Talon through a parent-managed signup — a parent creates and links the account, which is also why the student signup flow deliberately skips one-click social login in favor of guardrails that hold up. Personally identifiable fields are encrypted at rest. Parents get a weekly digest summarizing what the tutor was used for — subjects, time, topics — rather than a transcript feed, which we think is the right privacy balance for the student too; the reasoning is laid out on our parents page.

Student data is never sold and never used for advertising. The full details live in our privacy policy, and questions reach a human at support@ifalcons.ai, which, as the red-flags section above notes, is exactly the kind of thing you should expect any edtech company to offer.

