EdTech security — COPPA + FERPA + AI tutoring data minimization
EdTech is heavily regulated: FERPA (educational records), COPPA (under-13 data), and state-level student-data privacy laws (NY, CA, IL). AI tutoring adds prompt-injection risk and data-minimization requirements.
Top security risks
COPPA violation (under-13 data)
Collecting under-13 PII without verifiable parental consent = FTC fines + lawsuit risk.
FERPA breach
Educational records leaked to third party = institutional contract breach + Department of Education enforcement.
Prompt injection in AI tutoring
A student types adversarial input to manipulate the AI's response or extract other students' data.
BOLA on student records
An endpoint such as /api/students/[id] that does not enforce per-school + per-class scope leaks student records across institutions.
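The per-school + per-class scope check for /api/students/[id], shown beside the unscoped lookup it replaces. This is an added example, not code from the original page; the role names, session shape and sample records are assumptions constructed for illustration.

```javascript
// Constructed sample records: two schools ("north", "south"), one class each per student.
const students = new Map([
  ["s1", { id: "s1", schoolId: "north", classIds: ["n-math"], name: "A. Student" }],
  ["s2", { id: "s2", schoolId: "north", classIds: ["n-art"], name: "B. Student" }],
  ["s3", { id: "s3", schoolId: "south", classIds: ["s-math"], name: "C. Student" }],
]);

// Unscoped lookup: authentication only. Any logged-in caller can read any id,
// which is the cross-institution leak described above.
function getStudentUnscoped(caller, id) {
  const rec = students.get(id);
  return rec ? { status: 200, body: rec } : { status: 404 };
}

// Scoped lookup. `caller` is the server-side session (hypothetical shape:
// role, schoolId, classIds, studentId); none of it is taken from the request.
function getStudentScoped(caller, id) {
  const rec = students.get(id);
  // Tenant boundary first. "Missing" and "other school" return the same 404
  // so record ids cannot be confirmed across institutions.
  if (!rec || rec.schoolId !== caller.schoolId) return { status: 404 };
  // Within the school, narrow by role and class membership.
  const sharesClass = rec.classIds.some((c) => (caller.classIds || []).includes(c));
  const allowed =
    caller.role === "school_admin" ||
    (caller.role === "teacher" && sharesClass) ||
    (caller.role === "student" && caller.studentId === rec.id);
  return allowed ? { status: 200, body: rec } : { status: 403 };
}

// Constructed session for a teacher at "north" who teaches only "n-math".
const northMathTeacher = { role: "teacher", schoolId: "north", classIds: ["n-math"] };
console.log(getStudentUnscoped(northMathTeacher, "s3").status); // other school's record is returned
console.log(getStudentScoped(northMathTeacher, "s3").status);   // other school: not found
console.log(getStudentScoped(northMathTeacher, "s2").status);   // same school, other class: forbidden
console.log(getStudentScoped(northMathTeacher, "s1").status);   // own class: allowed
```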
Regulatory context
FERPA (US educational records), COPPA (US under-13), GDPR-K (EU under-16), state laws (NY-Ed Law 2-d, CA SOPIPA, IL SOPPA), Section 504 / IDEA accessibility.
Checklist
- COPPA verifiable parental consent flow
- FERPA Section 99.31 disclosures documented
- Prompt-injection defense on tutoring AI
- Per-school + per-class BOLA scope
- Data-retention < 12 months for student records
- Annual third-party audit
School-district procurement asks for COPPA compliance + FERPA disclosure + state-law-specific DPAs + Securie-style automated security review on every release.