On August 13, 2025, the Federal Trade Commission issued an amicus brief-- a filing by a “friend of the court” that is meant to provide expertise the court may lack– that details how the FTC, the federal agency charged with enforcing the Children’s Online Privacy Protection Act (COPPA), advises courts to interpret that law. 

That may sound complicated (and I’ll explain more below), but this is a BIG DEAL. In fact, it is the FTC’s most definitive statement yet on what COPPA does and does not allow, and has enormous implications for schools and EdTech companies. 

What does this mean for EdTech and schools? Big changes are coming.

As many parents are well aware, with the start of the school year comes the annual (and often vague) “parental consent form” that permits schools to provide students with internet-connected technology in the form of 1:1 devices, EdTech platforms, and learning management systems.

Depending on your school system or district, such “consent” might look like an online form that asks parents to “check a box”; a paper form that comes home with your child; or sometimes a blanket consent form that covers your child’s use of district-issued tools…indefinitely!? Parents are also often expected to acknowledge that their child’s misuse of the device will be the parent’s responsibility, should the device get damaged or broken.

Not only is this problematic (the schools are the ones providing the devices, not the parents), but rarely do these “consent” forms go into detail about one important safety risk that really matters–how the data collected about a child at school will be used. 

And up until last week’s filing, many EdTech companies have sought permission only from schools–and not from parents, as COPPA requires–as to what information is collected about students and how that information may be commercialized.  

This was based on, at best, a misunderstanding, and at worst, a willful misreading of the law, but in any event, this new amicus brief signals a paradigm shift. 

Let’s back up. In order to understand the significance of this brief, we need to briefly review:

1. What is COPPA, the primary federal law protecting children online;

2. How COPPA applies at school; 

3. What this amicus brief means for parental consent to corporate data collection;

4. The impact the brief could have on both EdTech companies; and

5. Why this matters for schools.

#1: What is COPPA? 

The Children’s Online Privacy and Protection Act (COPPA) was enacted by Congress in 1998 to protect the online privacy of children under age 13 by ensuring that parents control the collection, use, and disclosure of their children’s personal information. Parents will likely have heard about COPPA in the context of social media platforms and children: any platform that potentially reaches children under age 13 has in their terms of use something to the effect of “You must be 13 years old to use this service.” 

The Federal Trade Commission (FTC) is the administrative agency that enforces COPPA. Broadly speaking, COPPA prevents websites or online services from collecting, using, or distributing personal information about children under age 13 without first:

1. Providing adequate notice of the type, use, and potential disclosure of the information to be collected;

2. Obtaining verifiable consent of the child’s parents; and 

3. Establishing reasonable measures to ensure the security of the collected data.

Of course, we know that Meta, Snap, YouTube, and others etc. all have users under 13, but they try to avoid application of the law by turning a blind eye to those users. So while COPPA is the law, it is one that has been under-enforced and frequently ignored.

#2: How does COPPA apply to education?

COPPA does not include any carve outs with respect to internet platforms that are used at school. This means that COPPA applies with equal force whether a child is using an app at school or at home. 

However, schools and the EdTech industry have long relied on comments that were made when the law was passed to follow an incorrect theory of “school consent” that is found nowhere in the text of COPPA or its implementing regulations. In other words, schools and EdTech companies have claimed they can consent as though they were a child’s parents for children to use digital tools in and for school. EdTech companies have been happy to go along with this.

Here is how one EdTech company puts it:

If a student’s school or teacher elects to utilize Student Accounts in school or otherwise sets up a Student’s Account, the school will be responsible for providing parental consent under COPPA. Teachers may provide parental consent through what is commonly referred to as “school consent” under COPPA, where teachers have certified that they are acting as the agent of the parent and consenting on the parent’s behalf to create the Student Account on behalf of the student and let students use the Service for educational purposes.

However, this FTC amicus brief establishes that “school consent”  is not and has never been the law.

#3: What does the amicus brief say? What does it mean?

This brief was written by the Federal Trade Commission, which is the federal administrative agency responsible for enforcing COPPA. An amicus brief is a legal document submitted to a court regarding a case (in this instance, the class action case Shanahan, et al vs. IXL Learning, Inc.), the purpose of which is to “educate” the court on a matter related to the case. In this situation, the FTC is advising the court about how to interpret and apply COPPA and going into far more depth about how to do so than previous cases or briefs have done.  

This amicus brief establishes that schools can no longer stand in the shoes of parents for the purpose of consenting to data collection.

According to the brief, in order to provide products or services in schools, the FTC advises that COPPA requires EdTech companies to obtain “actual informed consent” from parents of kids under age 13 if they wish to collect data about them.

Significantly, this means that EdTech companies must now ensure that they have informed consent from a child’s parent, and that those “check a box” forms will no longer suffice. 

#4: What does this amicus brief mean for parents and schools?

THIS IS HUGE. While lacking the force of law, this brief is extremely persuasive and judges will read it and use it in their assessments on current cases. 

Parents must be informed that:

1. Schools must now get parents’ informed consent to EdTech terms; 

2. Schools cannot force parents to “consent” to those terms (either explicitly or implicitly, such as by threatening kids’ ability to participate in school experiences or citing COPPA as a reason); and

3. Schools may not subject children to the data practices of EdTech companies (in other words, use their products) without first obtaining informed, voluntary, express parental consent.

COPPA was written to strengthen parents’ rights over their children’s information, not undermine them.  What EdTech companies currently do in the way in which they collect children’s data without informed and meaningful parental consent– or the way schools allow them to do so– will no longer cut it. More significantly, a company's responsibility to collect informed parental consent is suddenly a much bigger deal.

#5: Why does this matter for schools?

A school district that says it can consent on behalf of parents for students to use EdTech products is not providing effective consent. If your school or district was or is compelling you to consent to the use of an EdTech product or platform and citing COPPA as a reason, they can no longer make this claim.

What should parents do with this information?

The FTC’s brief emphasizes that the burden of obtaining informed parental consent rests, as it always has, with EdTech companies themselves. However, these companies may be  unwilling to take on this task themselves and will require that schools manage this process, including by contractually obligating schools to do so. This is allowed per the FTC’s brief, as schools may serve as an intermediary, but only to transmit the actual consent of a student’s parent to an EdTech company. Schools are not authorized to substitute their own consent for that of parents. 

In other words, schools and EdTech companies can no longer rely on the “school consent” loophole.

This likely means that EdTech companies will enlist and expect schools to obtain actual, voluntary, informed consent to what information each individual EdTech product, platform, curricula, game, or tool collects about students under 13. 

Parents will want to share the FTC’s brief with their schools because “check a box” consent no longer counts in the eyes of the court. Additionally, schools that fail to obtain informed parental consent expose themselves to legal risk because if an EdTech company relies on schools to obtain this consent and they fail to do so, the company could sue for breach of contract.

Unfortunately for schools, if they don’t make intentional changes now to how they obtain parental consent, they may face litigation later. And with this new amicus brief, “later” could actually mean “sooner.”

**If you’re a member of our T.I.M.E. Collective, you can access two new letter templates that will help you convey this information to your child’s school.**

As schools learn more about the implications of this amicus brief, legal support may be required. We recommend the EdTech Law Center for all your legal questions. You can read the amicus brief in full here.