EdTech compliance 2026 - FERPA, COPPA, and SOC2 requirements explained

  • Writer: The SOC 2
  • Apr 2
  • 6 min read

By 2026, regulatory compliance in the EdTech sector is no longer a competitive differentiator. It has become a baseline requirement for participating in the education market. Schools, districts, and public institutions increasingly screen vendors out at the earliest stages of procurement if they fail to meet clearly defined legal and data security standards. In practical terms, this means addressing FERPA and COPPA obligations in parallel and demonstrating security maturity, most commonly through a SOC 2 audit.


This shift did not happen overnight. EdTech solutions have evolved far beyond digital textbooks or basic communication tools. Today’s educational platforms collect and process significantly more sophisticated data, including survey responses, learning progress, behavioral patterns, and, in some cases, information used to predict the performance of individual students or entire classrooms. As a result, the volume, sensitivity, and impact of student data have drawn sustained regulatory attention.


FERPA as the foundation of student data protection


At the core of student data protection in the United States is FERPA, the Family Educational Rights and Privacy Act. This federal law governs the handling of education records, defined as information that is directly related to a student and maintained by an educational institution or by a party acting on its behalf.


FERPA grants parents and eligible students specific, enforceable rights. These include the right to access records, request corrections, and limit further disclosure. While FERPA formally applies to educational institutions receiving federal funding, its practical reach extends further. Any EdTech vendor that receives access to student data becomes part of the broader compliance ecosystem.


A central mechanism enabling lawful data sharing with vendors is the school official exception. Under this framework, a school may disclose data to a third party provided that the vendor performs functions the school would otherwise carry out internally, remains under the school’s direct control with respect to data use, and restricts processing strictly to educational purposes. Consequently, without a clearly defined data processing agreement, there is no such thing as presumed FERPA compliance.


COPPA and protections for children under 13


Building on this foundation, COPPA, the Children’s Online Privacy Protection Act, regulates the collection of personal data from children under the age of 13 in online environments. The law applies to commercial operators whose services are directed at younger users or who knowingly collect their data.


COPPA operates under a notice-and-verifiable-consent model. Before any personal information is collected, parents must receive transparent notice and provide consent that can be reliably verified. Moreover, operators are required to maintain data security and allow parents to access and delete their child’s information.


In K–12 settings, COPPA often overlaps with FERPA. As a result, schools and EdTech vendors must clearly delineate which data falls under each regulatory framework and determine who is responsible for fulfilling specific obligations. Without this clarity, compliance gaps emerge, typically becoming visible only during audits or after a security incident.


State laws and the growing complexity of compliance


In addition to federal regulations, EdTech compliance is shaped by an expanding set of state-level laws. Many of these statutes are modeled on California’s SOPIPA and AB 1584, which impose detailed contractual requirements and strict limitations on how student data may be used.


In practice, these laws prohibit selling student data and using it for advertising or non-educational profiling, and they require vendors to implement appropriate technical safeguards. They also mandate data deletion at a school’s request. By 2026, nearly every U.S. state has introduced legislation addressing student privacy, forcing EdTech providers to design compliance programs that account for multiple overlapping legal regimes.


SOC 2 as evidence of organizational maturity


Against this regulatory backdrop, SOC 2 has assumed a critical role. While not a legal requirement, it is an independent audit framework that assesses whether an organization actually implements effective data protection controls. SOC 2 evaluates areas such as security, confidentiality, and processing integrity.


Of particular importance is SOC 2 Type II, which examines not only whether controls exist, but whether they operate effectively over time. For schools and districts, a SOC 2 report provides objective assurance that a vendor takes data security seriously. For vendors, it streamlines procurement, supports lower cyber-insurance premiums, and strengthens trust with institutional buyers.


SOC 2+ in EdTech: extending SOC 2 beyond Privacy to COPPA or FERPA


SOC 2 is frequently used as a procurement-ready assurance mechanism, but it is not, by itself, a legal compliance certification for FERPA or COPPA. When customers require evidence aligned to a specific regulation or framework, many service organizations pursue what the market often calls SOC 2+.


In practice, SOC 2+ is a SOC 2 engagement that also addresses additional subject matter and/or additional criteria beyond the Trust Services Criteria. This allows the SOC 2 report to remain the core assurance artifact (typically Security and, where relevant, Privacy), while extending the scope to a customer-driven requirement set, such as COPPA or FERPA, through structured mapping and testable control expectations.


For EdTech providers, the “plus” component is selected based on contractual commitments, procurement requirements, and the provider’s operating model:


  • COPPA-focused SOC 2+ is most relevant where the service is directed to children under 13 or knowingly collects their data, and where consent/notice governance, data minimization, retention/deletion, access rights, and restrictions on non-educational or commercial use must be demonstrably controlled.

  • FERPA-focused SOC 2+ is most relevant where the vendor processes education records on behalf of schools and must support the school’s disclosure conditions—especially constraints tied to legitimate educational interest, direct control over data use and maintenance, and limits on re-disclosure.


The practical value of SOC 2+ is consolidation: instead of responding to fragmented questionnaires and one-off regulatory attestations, the organization can present a single assurance report that combines SOC 2 control effectiveness with a targeted, customer-relevant alignment to FERPA or COPPA expectations—provided the additional criteria are defined clearly enough to be auditable.


Contracts as the center of the compliance framework


Across FERPA, COPPA, and state privacy laws, one element remains constant: the contract between the school and the EdTech provider. This agreement translates abstract legal requirements into concrete operational obligations.


Increasingly, procurement processes rely on the presence of a defined set of core contractual clauses. These include explicit recognition of school ownership of student data, prohibitions on marketing use, clearly documented data deletion procedures after contract termination, precise breach notification timelines, and audit rights. The absence of even one of these provisions is often enough to disqualify a vendor.


The scale of the challenge for schools


From the institutional perspective, scale presents a persistent challenge. A typical school district now relies on hundreds of EdTech tools, many of which were adopted independently by teachers or individual departments. This decentralized approach erodes visibility into contract terms, renewal timelines, and the scope of data access granted to vendors.


To regain control, schools increasingly turn to specialized privacy agreement management platforms. These systems centralize documentation, enable continuous compliance monitoring, support risk assessment, and allow rapid preparation of evidence for audits or regulatory reviews.


Compliance as a continuous process


By 2026, EdTech compliance expectations are increasingly shaped by three overlapping layers: FERPA-driven governance of education records, COPPA constraints for children under 13, and a growing patchwork of state student privacy laws. FERPA establishes how education records are handled and under what conditions schools may disclose them to vendors, which in practice requires vendors to operate under clear purpose limitations, documented controls, and demonstrable school oversight where applicable. COPPA adds a notice-and-consent regime for under-13 data collection, including strong requirements around parental rights, security, retention, and deletion, with important K–12 nuances around when schools may act in the consent flow in strictly educational contexts.


SOC 2 Type II has become the dominant mechanism for demonstrating that a provider’s controls operate effectively over time, but it does not automatically prove legal compliance with FERPA or COPPA. That gap is often addressed through SOC 2+—a SOC 2 engagement extended with additional criteria aligned to a specific regulation or framework. In EdTech, this allows organizations to retain SOC 2 as the core assurance artifact while adding auditable alignment to COPPA or FERPA expectations, driven by customer procurement requirements or the provider’s need to demonstrate maturity in regulated education contexts.


The operational takeaway is that compliance succeeds when contracts, control design, and evidence production function as one integrated system. When organizations rely on generic policies, unclear roles, or non-testable statements, the resulting misalignment becomes visible during vendor screening, audits, or after incidents. In contrast, organizations that treat regulatory obligations, operational controls, and assurance reporting as mutually reinforcing layers can reduce procurement friction, improve audit outcomes, and build durable trust with educational partners.


ITGRC ADVISORY LTD., 590 Kingston Road, London, United Kingdom, SW20 8DN. Company number: 12435469
