COPPA · 16 CFR Part 312

How Angstroma complies with COPPA.

We don’t collect data from children. Districts authorize us under the school-consent exception and the FTC’s 2024–2025 Final Rule. Here’s exactly how that works.

Effective rule date: April 22, 2026 · Compliance posture: school-authorized agent

What COPPA actually requires

The Children’s Online Privacy Protection Act (1998) and its implementing rule (16 CFR Part 312) apply to operators of websites or online services directed at children under 13, or that have actual knowledge they are collecting personal information from children under 13. Operators must:

  • Provide a clear privacy notice describing what is collected and how it is used
  • Obtain verifiable parental consent before collecting personal information from a child
  • Give parents the ability to review, delete, and refuse further collection of their child’s data
  • Maintain reasonable security and limit retention to the minimum necessary
  • Avoid conditioning a child’s participation on disclosure of more information than is reasonably necessary

The school-consent exception lets schools stand in for parents when (and only when) the operator uses the data solely for the use and benefit of the school and for no other commercial purpose (16 CFR § 312.5(c)(6)).

What changed in the 2024–2025 Final Rule

On January 16, 2025, the FTC published the first major COPPA rule update since 2013. Most provisions take effect April 22, 2026. The headline changes:

Separate consent for advertising

Operators must obtain a separate, specific opt-in consent before disclosing personal information to third parties for targeted advertising. Bundled consent is no longer valid.

Expanded definition of personal information

Biometric identifiers and government-issued identifiers (other than persistent identifiers) are now explicitly covered. Combinations of data that could identify a child are also in scope.

Stricter retention limits

Operators must retain personal information only as long as reasonably necessary for the specific purpose collected. Indefinite retention is prohibited; written retention policies are mandatory.

Stronger security requirements

Operators must maintain a written information security program, review it annually, and place contractual obligations on third-party processors to maintain equivalent safeguards.

School-consent exception clarified

The FTC formalized the long-standing FAQ guidance into 16 CFR § 312.5(c)(6): schools can authorize collection on behalf of parents when the operator processes data solely for the use and benefit of the school and for no other commercial purpose.

Our COPPA posture, in plain language

Angstroma is built so the COPPA question never has to be answered with “it depends.” Four hard architectural constraints make our position unambiguous.

Districts contract; we never serve children directly

Angstroma is sold to school districts and institutions, not to families. Our consumer surface (angstroma.com) is age-gated to 13+ and never collects data from anyone under 13 outside the school context.

School-authorized agent under 16 CFR § 312.5(c)(6)

A signed Schools Data Processing Agreement (SDPC v2.0 + state exhibits) formalizes the district as the consenting authority. We process student data only on the district’s documented instructions, only for accessibility delivery.

Zero child PII at rest

IEP source files are deleted after parsing. We retain only opaque student IDs and accommodation type codes — no names, no addresses, no birth dates, no SSNs, no medical narratives, no biometrics.

No advertising. No commercial use. Ever.

Student data is never used for targeted advertising, profile building, behavioral analysis, or sale. There is no “data for free service” trade. Districts pay; data stays with the district.

The school-consent exception, step by step

The exception only works if every link in the chain holds. We engineered the product so it does.

The district signs a written DPA

SDPC National DPA v2.0 plus the relevant state exhibit (CA SOPIPA, IL SOPPA, NY Ed Law § 2-d, TX SB 820, FL HB 1547). The DPA names Angstroma as a school-authorized agent for COPPA purposes.

The district provides parental notice

We provide a parental-notice template you can customize and send. The notice describes the categories of student data processed and the purpose (accessibility delivery).

Angstroma processes only on documented instructions

Our IEP, teacher, and LTI pipelines are server-side gated. Without an active SchoolDpaAgreement row, every student-linked endpoint returns 403 with the controlling citation.

No commercial use, no advertising, no resale

Hard-coded into the data layer. No analytics SDK on student-touching surfaces. No third-party trackers. No ad-tech integrations possible without a code change — there is no toggle.

Parents retain rights through the school

Parents address review / deletion / refusal requests to the district. The district has API endpoints to export, delete, and disable processing for any student.
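
The server-side gate from the "documented instructions" step, as an added example that is not Angstroma's code: a deny-by-default check that a student-linked handler runs only when the caller's district has an active agreement row. Only the name SchoolDpaAgreement, the 403 status and the citation come from this page; the field names, the decorator, the sample handler and the sample rows are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

CITATION = "16 CFR § 312.5(c)(6)"  # controlling citation quoted on this page

@dataclass(frozen=True)
class SchoolDpaAgreement:
    # Field names are assumptions; the page names only the row type.
    district_id: str
    signed_on: date
    revoked_on: Optional[date] = None
    expires_on: Optional[date] = None

    def active_on(self, today: date) -> bool:
        if self.signed_on > today:           # not yet in force
            return False
        if self.revoked_on is not None and self.revoked_on <= today:
            return False
        if self.expires_on is not None and self.expires_on < today:
            return False
        return True

def gate(agreements, district_id, today):
    """Deny by default: 200 only if this district has an active row."""
    for row in agreements:
        if row.district_id == district_id and row.active_on(today):
            return 200, {"allowed": True}
    return 403, {"error": "no_active_school_dpa", "citation": CITATION}

def student_endpoint(handler):
    """Wrap a student-linked handler so the gate always runs first."""
    def wrapped(agreements, district_id, today, *args):
        # district_id must come from the authenticated session,
        # never from a request parameter the caller controls.
        status, body = gate(agreements, district_id, today)
        if status != 200:
            return status, body
        return 200, handler(district_id, *args)
    return wrapped

@student_endpoint
def list_accommodations(district_id, student_id):
    # Constructed response: opaque student ID and accommodation code only.
    return {"student": student_id, "codes": ["EXT_TIME"]}

# Constructed sample rows: one active agreement, one revoked.
ROWS = [
    SchoolDpaAgreement("district-a", date(2026, 1, 10)),
    SchoolDpaAgreement("district-b", date(2026, 1, 10), revoked_on=date(2026, 3, 1)),
]
```

A missing row, a revoked row and a not-yet-signed row all take the same 403 path, so an error in agreement bookkeeping fails closed rather than exposing student-linked data.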

What districts must do (and avoid)

The school-consent exception puts a few responsibilities on the district. Most of them are one-time setup; a few are ongoing.

Do

  • Sign the Schools DPA before enabling IEP, teacher, or LTI features
  • Provide written parental notice (we supply a template) describing what data is processed
  • Honor parental review and deletion requests within 30 days (we provide an export + delete API)
  • Limit Angstroma access to staff with a legitimate educational interest
  • Disable the Angstroma tenant when the district contract ends — all student data is purged within 30 days

Don’t

  • Allow children under 13 to register direct accounts on angstroma.com
  • Use Angstroma student data for marketing, advertising, or any commercial purpose unrelated to accessibility
  • Skip the DPA and try to enable IEP features — the API enforces a server-side gate (403 with citation)
  • Send raw IEP PDFs to anyone outside the district’s authorized staff
  • Retain student data after a student leaves the district — the retention clock starts at deletion

How COPPA and FERPA work together

For K–12, both laws apply at the same time. They cover different things and we satisfy both through the same DPA.

COPPA

Federal consumer-protection law. Governs collection of personal information from children under 13 by online services. Enforced by the FTC. Penalties: up to $51,744 per violation (2024 cap).

FERPA

Federal education-privacy law. Governs disclosure of student education records by schools to third parties. Enforced by the U.S. Department of Education. Penalty: loss of federal funding.

Our solution: One DPA covers both. The district consents under COPPA’s school exception and designates Angstroma as a FERPA “school official with a legitimate educational interest” (34 CFR § 99.31(a)(1)(i)(B)).

Not legal advice

This page describes our compliance posture and product behavior. It is not a substitute for guidance from your district’s counsel. The 2024–2025 Final Rule has provisions that take effect on April 22, 2026; a few delayed provisions extend into 2027. Districts should review their parental notices and internal data-governance policies with counsel before the effective date.

Ready to formalize the relationship?

Sign the Schools DPA in your portal. Our IEP, teacher, and LTI 1.3 surfaces unlock the moment the agreement is recorded.
