The Children's Online Privacy Protection Act (COPPA) is the federal floor for collecting personal information from students under 13. For a K-12 school, COPPA shows up everywhere: the enrollment form, the homework portal, the photo release, and every vendor that touches a student record. The good news is that COPPA does not require legal heroics — it requires consistent practice. This checklist walks through what to verify, who owns it, and how Borderset helps make it routine instead of stressful.
Map every place student data flows
Before you can defend COPPA compliance, you need a single inventory of student data. List every system that stores names, photos, contact details, IDs, behavior notes, or assessment results. Mark which fields apply to children under 13, who can read them, and how long the data lives. Centralizing student records in a school management system like Borderset shrinks that map dramatically — instead of chasing twelve spreadsheets, you can point auditors to one source of truth.
Data minimization, in practice
COPPA expects you to collect only what is reasonably necessary. Audit your intake forms once a year: every field should map to a stated educational purpose. If a field exists "just in case," remove it. The same rule applies to role-based access — front-desk staff should not see counselor notes by default, and substitute teachers should not see custody flags they do not need.
Parent consent records that hold up
Verifiable parental consent is the heart of COPPA. The school standard exception lets districts consent on behalf of parents for educational use only, but you still need a written record of which vendor, which purpose, and which date. Tie consents to the student record so renewals, withdrawals, and grade transitions are obvious. The same workflow strengthens health forms and field-trip consent downstream.
Vet your vendors like a COPPA auditor
Every edtech vendor with access to student records becomes a COPPA partner. Before you sign, ask for: a plain-language privacy notice, a description of what personal information is collected, a list of subprocessors, retention periods, and a documented deletion process. Compare those answers against Borderset's security and compliance page and privacy policy so families can see the standard you are holding others to.
Operationally, COPPA is the same muscle that protects FERPA and state laws. If your parent portal communication is already segmented by role and your audit log captures every export, you are most of the way there. Borderset bakes these controls into the default workflow so a small school office is not forced to choose between speed and rigor.
Communicate the program to families in plain language. A short, parent-facing notice that names which categories of data are collected, why the school collects them, and how a family can request access or deletion does more for trust than a twenty-page legal document. Post the notice in the same place families look for the enrollment forms, and refresh it whenever the vendor list materially changes. Borderset customers often pair this with a one-page annual privacy summary the principal can send home each fall, which doubles as a forcing function to keep the underlying inventory current.
Train staff on the small habits that make COPPA real: never paste student names into a public AI tool, never email full rosters to a personal account, and never grant a substitute admin-level access "just for today." Those everyday choices are where compliance is won or lost. A short, repeated training each semester — fifteen minutes during the staff meeting — outperforms an annual hour-long course nobody remembers in March.
Finally, schedule a yearly COPPA review the same week you renew your major contracts. Update the inventory, retire dormant integrations, and confirm that deletion requests from families are processed within the window your policy promises. Treat COPPA as a living routine, not a one-time form — and Borderset will keep the receipts your board needs.