Why Education Sites Face Unique Cookie Consent Challenges
Most websites treat cookie consent as a single regulatory problem: GDPR in Europe, CCPA in California. Education websites don't get that simplicity. A school district's domain serves parents, teachers, students aged 6 through 18, and the general public. A university portal handles admissions marketing, enrolled student records, and alumni fundraising. An EdTech vendor's LMS operates inside dozens of districts, each with its own contracts.
The result is a layered compliance problem. FERPA governs education records and limits how schools share them with vendors. COPPA imposes strict rules when children under 13 are involved. State laws like California's SOPIPA and New York's Education Law 2-d add vendor-specific obligations beyond federal requirements. And if your platform serves EU or UK students, GDPR and ePrivacy still apply on top.
A marketing pixel that's legal on a retail site can violate multiple laws simultaneously on a school website. This guide walks through each layer so IT administrators and compliance officers can build a consent architecture that holds up.
FERPA and the School Official Exception
The Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g) applies to all educational institutions receiving U.S. Department of Education funding — virtually every public K-12 school and university. FERPA protects education records: any records directly related to a student maintained by the school or a party acting on its behalf.
Here's the critical distinction most guides miss: FERPA binds schools, not EdTech vendors directly. A vendor doesn't violate FERPA by collecting student data through cookies. The school violates FERPA by disclosing education records to a vendor without proper authorization. The compliance obligation sits with the institution.
The Exception and Its Hard Boundary
Under 34 CFR §99.31(a)(1), a school may disclose education records without parental consent to "school officials" with a "legitimate educational interest." Since the 2008 regulations, this includes outside contractors and service providers — but only when the vendor performs a function the school would otherwise staff internally, is under the school's direct control regarding education records, and complies with FERPA's redisclosure restrictions (34 CFR §99.33(a)).
This is how most EdTech vendors access student data legally. But there's a hard boundary: the school official exception doesn't cover advertising, behavioral profiling, or third-party tracking. None of those constitute a "legitimate educational interest." Cookies for session management, authentication, and learning progress within the LMS qualify. Cookies for advertising, cross-site analytics, or profiling do not.
COPPA in the School Context
COPPA applies to commercial websites that are directed at children under 13 or that knowingly collect their personal information. Most K-12 EdTech tools fall within scope. The FTC's amended COPPA Rule (finalized January 2025, full compliance required by April 22, 2026) now requires separate verifiable parental consent before disclosing a child's data to third parties, including for advertising. For a full overview of these amendments, see our guide on children's privacy and cookie consent.
When Schools Can Consent for Parents
COPPA allows schools to consent on behalf of parents, but only when data collection serves an educational purpose and is limited to the contracted service. The school acts as the parent's agent without needing COPPA's formal verification mechanisms (credit card, government ID). However, the school must ensure the vendor uses data solely for the authorized educational purpose, verify no commercial use occurs (advertising, profiling), and document which services students use and why.
This school consent doesn't extend to commercial activity. If an EdTech platform sets advertising or behavioral targeting cookies, the school's consent doesn't cover them. In practice: those cookies shouldn't exist on the platform at all.
State Student Privacy Laws
Federal law sets the floor. Several states impose stricter requirements on top of it.
California SOPIPA
The Student Online Personal Information Protection Act (Business and Professions Code §22584, effective 2016) directly regulates EdTech operators — any site, service, or app designed or used primarily for K-12 purposes, regardless of whether a school contract exists. SOPIPA imposes flat prohibitions: no targeted advertising to K-12 students, no commercial profiling, no sale of student data. It's not a consent regime — it says don't do it, period. Advertising cookies can't load for authenticated K-12 sessions, no matter what a consent banner says.
New York Education Law §2-d
NY's approach (Part 121 regulations, effective January 2020) emphasizes contractual obligations. Third-party contractors handling student data must sign agreements including a Parents' Bill of Rights, encryption requirements for PII in transit and at rest, prohibitions on selling or advertising with PII, and data destruction terms. Violations carry civil penalties up to $10,000. For EdTech vendors, this means demonstrating that no student PII flows to unauthorized parties through client-side tags.
Over 40 states now have student privacy laws. If you serve schools nationally, assume advertising and profiling cookies are off-limits for student sessions. For state-by-state details, see our guide on US state privacy laws.
LMS and EdTech Vendor Cookies
Google Workspace for Education
Google contractually agrees to act as a "school official" under FERPA and commits that Core Services (Classroom, Drive, Gmail, Meet) won't serve advertising or use student data for ad targeting. The school remains responsible for obtaining parental consent where COPPA applies.
The catch: Additional Services (YouTube, Maps, Search) have broader data collection and aren't covered by the same commitments. A teacher embedding YouTube in Classroom may expose students to standard tracking cookies. IT administrators should disable Additional Services for student accounts or use restricted "supervised" mode.
Canvas, Blackboard, and LTI Integrations
LMS platforms set session cookies and authentication tokens that are functionally necessary. The risk is in third-party LTI integrations — a publisher's homework tool, an embedded video platform, or a virtual lab may bring its own tracking. Each LTI integration is a potential source of unauthorized cookies. Audit all integrations for cookie behavior, require vendor disclosure in contracts, and prohibit advertising use of student data collected through them.
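One way to run the integration audit described above, as an added example (not code from CookieBeam or any LMS vendor): it parses Set-Cookie headers captured during an authenticated student session and flags cookies that come from unapproved or third-party hosts, persist beyond the session, or are marked for cross-site use. The host names, the approved-host list and the sample capture are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Assumed values: the LMS host and the hosts the district has approved by contract.
LMS_HOST = "lms.district.example"
APPROVED_HOSTS = {"lms.district.example", "homework.publisher.example"}

# Constructed sample: (responding host, Set-Cookie value) from a test-student session.
CAPTURE = [
    ("lms.district.example", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("homework.publisher.example", "lti_state=9f2; Path=/; Secure; SameSite=None"),
    ("video.embed.example", "vid=77aa; Max-Age=31536000; Secure; SameSite=None"),
    ("lms.district.example", "prefs=dark; Max-Age=2592000; Path=/"),
]


def audit_cookie(host, header):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    if not jar:  # header the parser rejected: surface it instead of hiding it
        return header, ["unparsable"]
    name, morsel = next(iter(jar.items()))
    findings = []
    if host not in APPROVED_HOSTS:
        findings.append("unapproved-host")
    if host != LMS_HOST:  # exact-match comparison; extend if the LMS uses subdomains
        findings.append("third-party")
    # A cookie with Max-Age or Expires outlives the browser session.
    if morsel["max-age"] or morsel["expires"]:
        findings.append("persistent")
    # SameSite=None lets the cookie travel in cross-site (embedded) requests.
    if morsel["samesite"].lower() == "none":
        findings.append("cross-site")
    return name, findings


def audit(capture):
    """Map 'host:cookie' to its findings, keeping only cookies that need review."""
    report = {}
    for host, header in capture:
        name, findings = audit_cookie(host, header)
        if findings:
            report[f"{host}:{name}"] = findings
    return report


if __name__ == "__main__":
    print(audit(CAPTURE))
```

A finding is a prompt for contract review, not a verdict: an approved LTI tool legitimately needs a cross-site state cookie, while a persistent cookie from a host missing from the approved list is the case to escalate.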
Analytics on Education Sites: What's Permitted Without Consent
The US has no general cookie consent law comparable to ePrivacy. But sectoral laws create constraints that function similarly:
- FERPA: If analytics data is tied to an identified student, it's an education record. GA4 on an authenticated student portal sends identifiable browsing data to Google — and Google doesn't sign FERPA-specific agreements for GA4 (distinct from Workspace for Education). Running GA4 behind student authentication is risky.
- COPPA: Persistent identifiers used for analytics on under-13 users are "personal information." Third-party analytics with persistent cookies require consent; first-party analytics without cross-session identifiers may qualify under internal operations exceptions.
- SOPIPA: Analytics are permitted if data isn't used for advertising or profiling.
If your school serves EU/UK students, the ePrivacy Directive requires consent for non-essential cookies including analytics, with no education carve-out. GDPR Article 8 adds higher consent ages for minors (13-16 depending on member state).
Bottom line: US-only schools can run self-hosted, first-party analytics without a consent banner if they avoid advertising use and comply with COPPA for under-13 users. Any international student population requires consent infrastructure.
Parent vs. Student Consent: The Age-Dependent Ladder
Who gives consent depends on the student's age and the applicable law.
Under 13 (Elementary): COPPA governs. Consent belongs to the parent or guardian. Schools may act as the parent's agent for educational purposes only — not for commercial use. Practically: don't set commercial cookies on elementary school platforms at all.
Ages 13-17 (Middle and High School): COPPA's strict requirements fall away at 13, but FERPA still gives parents the privacy rights for K-12 students regardless of age. The safest approach: apply the same restrictive policy as under-13. A blanket "no commercial tracking for minors" policy is easier to implement and defend than age-segmented consent.
18+ and Higher Education: At 18, or upon postsecondary enrollment (whichever comes first), FERPA rights transfer to the student. Universities need the student's own consent for non-essential cookies, not the parent's. Public-facing pages (admissions, marketing) can run standard consent flows, but authenticated portals, LMS pages, and grade access should still restrict tracking to what's educationally necessary under the school official exception.
How CookieBeam Handles Education Compliance
Strict blocking defaults. CookieBeam blocks all non-essential scripts before the banner appears. No tracking fires in the gap between page load and consent interaction — critical for education sites where younger students may never interact with a banner.
Context-aware rules. CookieBeam's regional rules engine supports different consent behaviors by context. Enforce "necessary only" for authenticated student sessions while allowing standard consent flows on public marketing pages, all within a single deployment.
Category-based blocking. Cookie categories separate necessary, analytics, and marketing. Disable marketing entirely for student-facing pages — no advertising cookies load regardless of consent choices.
Automated scanning. CookieBeam's scanner detects every cookie and tracking technology on your domain, including from LTI integrations, embedded videos, and widgets added without compliance review. Regular scans catch unauthorized tracking before it becomes a FERPA or COPPA incident.
Consent Mode v2. For pages where you run Google Analytics (public admissions, for example), CookieBeam integrates with Google Consent Mode v2 so consent decisions are respected by Google's tags.
Consent records. Every consent interaction is logged with a timestamp and specific choices. When a parent or auditor asks how student data was handled, you have a verifiable record.