Short answer: it depends on the app — and on how your school uses it. A classroom points app can support FERPA compliance when it collects very little student data, limits who can see that data, and is covered by a Data Privacy Agreement with your district. There is no such thing as an app that is "FERPA certified" on its own; compliance is a shared responsibility between the vendor and the school. This guide explains what FERPA and COPPA actually require and gives you a checklist to vet any tool. (This is general information for teachers, not legal advice — always defer to your district's policies and technology office.)
What is FERPA, in plain English?
FERPA stands for the Family Educational Rights and Privacy Act, a U.S. federal law administered by the U.S. Department of Education. It protects the privacy of student education records at any school or district that receives federal funding — which is nearly all public schools and many private ones.
In practice, FERPA gives parents (and students once they turn 18) the right to access and control the sharing of their child's records, and it restricts how schools — and the vendors schools hire — can disclose personally identifiable information from those records.
So where do classroom apps fit? Most edtech tools operate under FERPA's "school official" exception. When a district designates a vendor as a school official performing a service it would otherwise do itself, the vendor can handle student data — but only under the district's direct control, only for the agreed purpose, and without re-sharing the data. This arrangement is typically spelled out in a Data Privacy Agreement (DPA). Many districts use a standardized DPA from the Student Data Privacy Consortium (SDPC), often called the National Data Privacy Agreement (NDPA), so they don't have to negotiate each contract from scratch.
What about COPPA and students under 13?
FERPA isn't the only law in play. The Children's Online Privacy Protection Act (COPPA) governs online services that collect personal information from children under 13. Normally COPPA requires verifiable parental consent — but in a school setting, a school can provide that consent on parents' behalf when a tool is used solely for a legitimate educational purpose.
The takeaways for teachers:
- FERPA is about the school's education records.
- COPPA is about an online service collecting data from younger children.
- A tool used with elementary students may need to satisfy both — which is another reason a signed agreement and minimal data collection matter.
What makes a classroom app more or less compliant?
Compliance isn't a single switch. It's the sum of many design choices. Generally, the more sensitive data an app collects and shares, the more it depends on careful contracts and safeguards to stay compliant. The less it collects, the lower the risk to begin with.
Here's what moves the needle:
| Factor | Lower privacy risk | Higher privacy risk |
|---|---|---|
| Data collected | First name or initials only | Full names, birthdates, grades, addresses |
| Student accounts | No student logins | Individual student logins and profiles |
| Photos / media | No student photos | Photos, videos, or voice recordings of students |
| Third-party sharing | None; no advertising | Data shared with advertisers or analytics brokers |
| Agreements | Signed DPA with your district | No agreement; consumer terms of service only |
| Access controls | Teacher-only, role-based access | Broad or unclear access |
The principle that matters most: data minimization
If you remember one idea, make it this: data minimization. The simplest way to protect student privacy is to collect less data in the first place. Information that an app never gathers can't be breached, sold, leaked, or accidentally shared. Many privacy frameworks — and plain common sense — point to the same conclusion: don't collect what you don't need.
When you evaluate a tool, ask "why does this app need that?" If a points or behavior app is asking for last names, birthdays, photos, or parent contact details, pause and consider whether all of it is truly necessary for the job you're using it to do.
A checklist for vetting any classroom app
Before you put a single student name into a new tool, walk through these questions. (When in doubt, your district's technology office is the right place to take them.)
- What student data does it collect? First name only, or full names, photos, and more?
- Do students need logins or accounts? Fewer student accounts means a smaller footprint of personal data.
- Does it store photos, video, or audio of students? These are especially sensitive.
- Who can see the data, and who is it shared with? Look for "we don't sell data" and "no third-party advertising."
- Is there a signed Data Privacy Agreement with my district? Check whether it's on your district's approved-tools list or in a registry like SDPC.
- Can data be deleted, and what happens at year's end? You want a clear answer.
- Is the privacy policy readable? A clear, specific policy is a good sign; vague boilerplate is a warning.
If an app checks these boxes — and your district has signed off — you're on solid ground. If it doesn't, that's worth a conversation before you use it.
How a data-minimal app reduces FERPA risk
This is exactly the model behind Chou Chou Teach. Students exist in the app as nothing more than a first name and an avatar — no last names, no photos, no birthdates, no addresses, and no student logins. There are no parent accounts and no parent messaging. Because the app simply doesn't collect sensitive student data, there's far less data that could ever be exposed in the first place — data minimization built into the design rather than bolted on.
That doesn't replace your district's process, but it makes the vetting conversation a short one. You can read more on our privacy page and, if you're evaluating for a building or district, our schools page covers how we approach Data Privacy Agreements.
A final reminder: this article is general guidance to help you ask better questions, not legal advice. Privacy laws and district policies vary, so when something is unclear, your school or district technology office is always the right call.
The Chou Chou Team
Classroom Coaches
We build privacy-first tools that help K-12 teachers run warmer, calmer, more positive classrooms.



