Buyer’s guide · COPPA · under-13 deployment
The COPPA Rule at 16 CFR Part 312, the school-authorization exception, FERPA §99.31(a)(1)(i)(B) school-official status, and the state student-data-privacy laws that overlay both.
This guide covers the COPPA framework (15 USC §6501-6506; 16 CFR Part 312) for career-assessment platforms operating in K-8 contexts. It explains who is in scope, what counts as personal information under §312.2 (including persistent identifiers, voice and video, and precise geolocation), and the six pillars of compliance: notice, verifiable parental consent, parental review and deletion, retention and security, advertising limits, and the prohibition on excessive collection. It walks through the school-authorization exception, the five operational conditions for relying on it, and how it interacts with FERPA §99.31(a)(1)(i)(B) school-official status and the major state student-data-privacy laws (CA AB 1584, NY Education Law §2-d, CO SB 16-128, CT Public Act 16-189, and roughly twenty parallel state laws). It surveys verifiable parental consent methods for direct-consumer cases and explains why most career-assessment platforms hard-gate direct enrollment at 13 and route under-13s through school partnerships. It maps FTC enforcement patterns over the last decade and the practices to avoid, including behavioral-advertising trackers, voice / video collection, social-feature collection, and third-party data sales. It closes with an eight-checkpoint evaluation framework for school districts and a description of JobCannon’s under-13 production posture.
A reading map for K-8 district privacy and CTE staff.
Career-orientation focus. Higher-stakes batteries (IQ, Big Five) are typically reserved for high-school onward.
For a K-8 district covering 10,000 middle-grades students per year
This guide is one of twenty in the JobCannon for Business reading library; district privacy officers reading this also read the FERPA student-data guide for the school-official-use posture and the counsellor caseload management guide for how role-based access is configured in practice across building counsellors and district administrators.
For the operational landing of under-13 deployment, see our for-middle-schools vertical, where the parental-consent flow and anonymous-cohort school-issued IDs are configured by default for grades 6-8.
Student-facing assessments stay free for enrolled students under a district partnership. District reporting and per-state DPA paperwork run on the Business tier from $199/mo flat, or under a multi-district partnership for ESC / BOCES deployments.
The Children’s Online Privacy Protection Act (COPPA, 15 USC §6501-6506) was enacted in 1998 and is enforced by the Federal Trade Commission under the COPPA Rule at 16 CFR Part 312. The Rule was significantly revised in 2013 and again under proposed amendments published in January 2024 that broaden the definition of personal information and tighten consent requirements; operators should treat the 2024 amendments as effectively in force for design decisions even where final adoption is pending. COPPA applies to operators of websites or online services directed to children under 13, and to operators with actual knowledge that they are collecting personal information from children under 13, regardless of the service’s general audience. “Personal information” under §312.2 is broad: full name, home or other physical address (including street name and city or town), online contact information, screen name or username when functioning as online contact information, telephone number, Social Security number, persistent identifier (cookies, device IDs, IP addresses) used for tracking, photographs, voice or video recordings containing the child’s image or voice, geolocation precise enough to identify a street name and city, and combinations of the above. For a career-assessment platform the typical collection set — a username, age band, response data, possibly an email for parent communication, and an IP address for session continuity — puts you in scope the moment you direct the service to under-13 students or accept under-13 enrollment from a known-school context. 
The general FTC compliance posture has six pillars: notice, verifiable parental consent (with the school-authorization exception below), parental review and deletion rights, retention and security obligations under §312.8 / §312.10, limits on tracking children for behavioral advertising under §312.5(c), and the prohibition on conditioning participation on disclosure of more information than reasonably necessary under §312.7.
The FTC’s school-authorization framework, set out in the COPPA Rule FAQs and the 2014 FTC guidance updated through 2023, allows a school to provide consent on behalf of parents for the limited purpose of using an online educational service in the school context. The exception is not in the statute itself but is grounded in the FTC’s interpretation that a school acting as parent’s agent can authorize collection of personal information from students under 13 when the data is used solely for educational purposes and the school maintains direct control over the operator’s use of the data. Five conditions are critical. First, the service must be operated for the use and benefit of the school and not for any commercial purpose unrelated to providing the educational service. This means no behavioral advertising, no profile-building for non-educational purposes, no monetization of the data through third-party data sales. Second, the school must reasonably understand and agree to the operator’s data practices through a contract or terms-of-service that documents the educational use, the data the operator collects, the data retention period, deletion practices, and parental review rights. Third, parents must still receive notice of the operator’s data practices through the school’s own privacy notice or a direct notice from the operator routed through the school. Fourth, the data may be used only for the authorized educational purpose; secondary use requires direct verifiable parental consent. Fifth, parents retain the right to review the information collected from their child and request deletion under 16 CFR §312.6, even when the school authorized the original collection. For a career-assessment platform deployed through a school district, the school-authorization route is generally the operationally cleanest path. 
The operator should provide a clearly written data-practices appendix that the district reviews, and a parent-notice template the district distributes with the start-of-year privacy packet.
When the operator collects personal information from a child under 13 outside the school context, the operator must obtain verifiable parental consent (VPC) before collection under §312.5. The Rule does not specify a single method but requires that the method be “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.” The FTC has identified, in the Rule and in subsequent guidance, several acceptable methods. The signed-consent-form method requires a signed parental-consent form returned by mail, fax, or electronic scan. The credit-card-or-online-payment method involves a small charge to the parent’s payment card with the financial institution providing notification of the transaction. The toll-free telephone method involves a parent calling a trained operator. The video-conference method involves a real-time video link with a trained operator who verifies parent identity. The government-ID method involves checking a form of government-issued identification against a database. The knowledge-based authentication method asks the parent dynamic questions that only the parent would be likely to answer correctly. The 2024 FTC amendments added a further variant: knowledge-based authentication using the parent’s answers to questions drawn from a database of personal information. The operationally cheapest methods (signed form, credit-card charge) require infrastructure that is overkill for a free assessment platform; the more sophisticated methods (KBA, government-ID) require a third-party VPC vendor (e.g., kidSAFE, Privo, SuperAwesome) at $0.30-$1.50 per consent. For a career-assessment platform serving direct-to-consumer under-13s the economics typically push you to either (a) hard-gate enrollment at age 13 and route under-13s through a school deployment, or (b) integrate a VPC vendor for the small minority of legitimate direct-consumer cases.
JobCannon’s production posture is option (a): direct-consumer enrollment is gated at 13, and under-13 deployment requires a school or district partnership with the school-authorization framework.
FERPA (Family Educational Rights and Privacy Act, 20 USC §1232g; 34 CFR Part 99) and COPPA cover overlapping but distinct ground. FERPA applies to education records held by educational agencies and institutions receiving federal funds, and gives parents rights of access, amendment, and consent for disclosure. COPPA applies to operators of online services directed to children. When a career-assessment platform operates under a school contract, the data the platform holds is typically considered education records under FERPA the moment the school directs the collection and the school has access to the data. That triggers the FERPA school-official exception under 34 CFR §99.31(a)(1)(i)(B), which permits disclosure of education records to a school official without parental consent if the official has a legitimate educational interest. To qualify as a school official under the exception the operator must be performing a service or function the school would otherwise perform with its own employees, must be under the direct control of the school with respect to the use and maintenance of the records, and must be subject to the same FERPA requirements that apply to other school officials. Practically this means the school-platform contract must specify these conditions, restrict the operator’s use of the data to the contracted educational purpose, prohibit redisclosure without authorization, and impose deletion requirements. COPPA’s school-authorization framework and FERPA’s school-official exception are designed to work together: the school authorizes the COPPA collection and the platform becomes a FERPA school official. State student-data-privacy laws layer on top — California AB 1584 (Ed. Code §49073.1), New York Education Law §2-d, Colorado SB 16-128, Connecticut Public Act 16-189, and similar laws in roughly twenty other states impose additional contract terms, breach notification, and parental rights. 
A defensible deployment requires a single data-processing agreement that satisfies all three layers — COPPA, FERPA, and the relevant state student-data-privacy statute.
The FTC’s enforcement actions over the last decade map a clear set of practices to avoid. First, behavioral advertising tracking using persistent identifiers — the FTC has treated persistent identifiers as personal information under the 2013 Rule revision, and the 2019 settlement with TikTok’s predecessor Musical.ly ($5.7M civil penalty) and the 2022 Epic Games settlement ($275M civil penalty) both included behavioral-advertising-related counts. Career-assessment platforms should not embed third-party advertising trackers (Facebook Pixel, Google Ads remarketing, X/Twitter conversion pixel) on under-13-accessible pages, and should avoid Google Analytics 4 in its default tracking configuration where the property is configured for advertising integrations. Second, voice and video recording without explicit consent — the 2024 amendments treat these as personal information regardless of how briefly retained. If your platform offers any voice-input feature, hard-gate it for known-under-13 users. Third, geolocation — IP-based country detection is generally acceptable as not-precise; precise geolocation (GPS, fine-grained IP geolocation matching to street level) requires consent and a strong educational rationale. Fourth, social-feature collection — a feature that lets students invite friends or share results to social networks effectively collects friend contact information and is hard to defend under COPPA. Fifth, retention beyond educational purpose — the FTC and most state laws expect operators to delete data when no longer needed for the authorized purpose, typically interpreted as the school-year boundary plus a reasonable wind-down (often 12 months). Sixth, third-party data sales or uplift sharing — the COPPA Rule §312.4(d)(3) requires the operator to disclose all third parties to whom personal information is disclosed, and many state laws prohibit selling student data for commercial purposes outright. 
JobCannon’s production posture excludes all six: no third-party advertising trackers in under-13 deployments, no voice / video, no precise geolocation, no peer-share feature, deletion on contract end plus 12-month wind-down, and no third-party data sales under any tier.
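The age gate from the verifiable-parental-consent section (option (a)) and the hard-gated features and retention rule from the enforcement section above, written out as one small policy module. This is an added example, not JobCannon’s production code; the Enrollee fields, feature names, return strings and the 30-day SLA default are assumptions for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Features the guide lists as hard-gated for known-under-13 users (names assumed).
UNDER_13_BLOCKED_FEATURES = frozenset({
    "voice_input", "video_recording", "precise_geolocation",
    "peer_share", "third_party_ad_trackers",
})


@dataclass(frozen=True)
class Enrollee:
    age: int
    path: str                        # "direct" (consumer) or "school" (district partnership)
    school_authorized: bool = False  # district DPA / school-authorization framework in place


def enrollment_decision(e: Enrollee) -> str:
    """Route enrollment as the guide describes: 13+ is allowed on either path,
    under-13 direct enrollment is gated off (option (a)), and under-13 school
    enrollment requires the school-authorization framework to be in place."""
    if e.age >= 13:
        return "allow"
    if e.path == "school":
        return "allow_school_authorized" if e.school_authorized else "deny_no_school_authorization"
    return "deny_under_13_direct"


def feature_allowed(e: Enrollee, feature: str) -> bool:
    """Known-under-13 users never get the hard-gated features, whatever the path;
    everything else follows the enrollment decision."""
    if e.age < 13 and feature in UNDER_13_BLOCKED_FEATURES:
        return False
    return enrollment_decision(e).startswith("allow")


def contract_end_deletion_date(contract_end: date, wind_down_months: int = 12) -> date:
    """Bulk-deletion deadline: contract end plus the 12-month wind-down the guide cites.
    Month arithmetic clamps the day for shorter target months (29 Feb -> 28 Feb)."""
    year = contract_end.year + (contract_end.month - 1 + wind_down_months) // 12
    month = (contract_end.month - 1 + wind_down_months) % 12 + 1
    day = min(contract_end.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def parental_deletion_due(request_received: date, sla_days: int = 30) -> date:
    """Per-student parental deletion request: due within the contracted SLA (30 days assumed)."""
    return request_received + timedelta(days=sla_days)
```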
A defensible evaluation has eight checkpoints. First, identify your applicable state student-data-privacy law and obtain the state’s required contract addendum or template (in NY this is the §2-d agreement with Education Law §2-d Bill of Rights; in CA this is the AB 1584 §49073.1 terms; in CT this is the contract requirements under Public Act 16-189; check your state). Second, confirm the platform’s data-processing agreement explicitly establishes the operator as a FERPA school official under §99.31(a)(1)(i)(B) and incorporates the COPPA school-authorization framework. Third, request and review the platform’s SOC 2 Type II report or equivalent independent security attestation. Fourth, inspect the platform’s data-collection inventory — what specific personal information is collected, what is optional, what is retained, for how long, and for what purpose. Fifth, confirm subprocessor disclosure — the platform should provide a list of subprocessors (cloud hosting, email service, analytics, error tracking) and their purposes. Sixth, confirm deletion mechanisms — the platform must support both contract-end bulk deletion and per-student parental deletion requests within a contractually committed timeframe (typically 30 days). Seventh, confirm the platform does not use student data to train AI models without explicit district authorization — this is increasingly contentious as platforms add AI features. Eighth, confirm breach-notification commitments meeting both FERPA expectations and your state’s specific breach-notification timeline (varying from 30 to 90 days). For JobCannon specifically, current production excludes precise geolocation, voice and video, behavioral advertising, third-party data sales, and AI training on student data. A district-tier deployment includes a contract addendum tuned to the district’s state law, a 30-day deletion SLA, breach-notification within 72 hours of confirmed compromise, and a published subprocessor list reviewable on request.
Author
Founder & Lead Researcher, JobCannon
Peter is the founder of JobCannon and leads the assessment validation, knowledge graph, and B2B partnerships. He has 10+ years working with NGO and educational career programmes globally.