Classroom Management

Are Classroom Points Apps FERPA Compliant? What Teachers Should Know

A plain-English guide to FERPA, COPPA, and student data privacy — plus a practical checklist for vetting any classroom app before you put student names in it.

The Chou Chou Team

The Chou Chou Team

Classroom Coaches

June 25, 2026 · 6 min read
Illustrated fox teacher holding a glowing shield that protects a row of happy woodland-animal students

Short answer: it depends on the app — and on how your school uses it. A classroom points app can support FERPA compliance when it collects very little student data, limits who can see that data, and is covered by a Data Privacy Agreement with your district. There is no such thing as an app that is "FERPA certified" on its own; compliance is a shared responsibility between the vendor and the school. This guide explains what FERPA and COPPA actually require and gives you a checklist to vet any tool. (This is general information for teachers, not legal advice — always defer to your district's policies and technology office.)

What is FERPA, in plain English?

FERPA stands for the Family Educational Rights and Privacy Act, a U.S. federal law administered by the U.S. Department of Education. It protects the privacy of student education records at any school or district that receives federal funding — which is nearly all public schools and many private ones.

In practice, FERPA gives parents (and students once they turn 18) the right to access and control the sharing of their child's records, and it restricts how schools — and the vendors schools hire — can disclose personally identifiable information from those records.

So where do classroom apps fit? Most edtech tools operate under FERPA's "school official" exception. When a district designates a vendor as a school official performing a service it would otherwise do itself, the vendor can handle student data — but only under the district's direct control, only for the agreed purpose, and without re-sharing the data. This arrangement is typically spelled out in a Data Privacy Agreement (DPA). Many districts use a standardized DPA from the Student Data Privacy Consortium (SDPC), often called the National Data Privacy Agreement (NDPA), so they don't have to negotiate each contract from scratch.

What about COPPA and students under 13?

FERPA isn't the only law in play. The Children's Online Privacy Protection Act (COPPA) governs online services that collect personal information from children under 13. Normally COPPA requires verifiable parental consent — but in a school setting, a school can provide that consent on parents' behalf when a tool is used solely for a legitimate educational purpose.

The takeaways for teachers:

  • FERPA is about the school's education records.
  • COPPA is about an online service collecting data from younger children.
  • A tool used with elementary students may need to satisfy both — which is another reason a signed agreement and minimal data collection matter.

What makes a classroom app more or less compliant?

Compliance isn't a single switch. It's the sum of many design choices. Generally, the more sensitive data an app collects and shares, the more it depends on careful contracts and safeguards to stay compliant. The less it collects, the lower the risk to begin with.

Here's what moves the needle:

Factor Lower privacy risk Higher privacy risk
Data collected First name or initials only Full names, birthdates, grades, addresses
Student accounts No student logins Individual student logins and profiles
Photos / media No student photos Photos, videos, or voice recordings of students
Third-party sharing None; no advertising Data shared with advertisers or analytics brokers
Agreements Signed DPA with your district No agreement; consumer terms of service only
Access controls Teacher-only, role-based access Broad or unclear access

The principle that matters most: data minimization

If you remember one idea, make it this: data minimization. The simplest way to protect student privacy is to collect less data in the first place. Information that an app never gathers can't be breached, sold, leaked, or accidentally shared. Many privacy frameworks — and plain common sense — point to the same conclusion: don't collect what you don't need.

When you evaluate a tool, ask "why does this app need that?" If a points or behavior app is asking for last names, birthdays, photos, or parent contact details, pause and consider whether all of it is truly necessary for the job you're using it to do.

A checklist for vetting any classroom app

Before you put a single student name into a new tool, walk through these questions. (When in doubt, your district's technology office is the right place to take them.)

  • What student data does it collect? First name only, or full names, photos, and more?
  • Do students need logins or accounts? Fewer student accounts means a smaller footprint of personal data.
  • Does it store photos, video, or audio of students? These are especially sensitive.
  • Who can see the data, and who is it shared with? Look for "we don't sell data" and "no third-party advertising."
  • Is there a signed Data Privacy Agreement with my district? Check whether it's on your district's approved-tools list or in a registry like SDPC.
  • Can data be deleted, and what happens at year's end? You want a clear answer.
  • Is the privacy policy readable? A clear, specific policy is a good sign; vague boilerplate is a warning.

If an app checks these boxes — and your district has signed off — you're on solid ground. If it doesn't, that's worth a conversation before you use it.

How a data-minimal app reduces FERPA risk

This is exactly the model behind Chou Chou Teach. Students exist in the app as nothing more than a first name and an avatar — no last names, no photos, no birthdates, no addresses, and no student logins. There are no parent accounts and no parent messaging. Because the app simply doesn't collect sensitive student data, there's far less data that could ever be exposed in the first place — data minimization built into the design rather than bolted on.

That doesn't replace your district's process, but it makes the vetting conversation a short one. You can read more on our privacy page and, if you're evaluating for a building or district, our schools page covers how we approach Data Privacy Agreements.

A final reminder: this article is general guidance to help you ask better questions, not legal advice. Privacy laws and district policies vary, so when something is unclear, your school or district technology office is always the right call.

For related reading, see how to run a positive, low-data classroom in Positive Reinforcement in the Classroom, or browse the full Classroom Management topic.

References

  • U.S. Department of Education — Student Privacy Policy Office. studentprivacy.ed.gov
  • Family Educational Rights and Privacy Act (FERPA), U.S. Department of Education. studentprivacy.ed.gov/ferpa
  • Children's Online Privacy Protection Act (COPPA), U.S. Federal Trade Commission. ftc.gov
  • Student Data Privacy Consortium (SDPC) — National Data Privacy Agreement. privacy.a4l.org

Frequently asked questions

Are classroom points apps FERPA compliant?
It depends on the app and how your school uses it. An app can support FERPA compliance when it limits the student data it collects, restricts who can see it, and is covered by a Data Privacy Agreement with your district. No app is 'FERPA certified' on its own — compliance is a shared responsibility between the vendor and the school.
What is FERPA in simple terms?
FERPA, the Family Educational Rights and Privacy Act, is a U.S. federal law that protects the privacy of student education records at schools that receive federal funding. It gives parents (and students 18 or older) rights over those records and limits how schools and their vendors can share them.
Does FERPA or COPPA apply to apps for kids under 13?
Often both. FERPA governs education records at the school, while COPPA (the Children's Online Privacy Protection Act) governs online services that collect personal information from children under 13. Schools can consent to data collection on parents' behalf under COPPA when a tool is used for a legitimate educational purpose, which is why a signed agreement matters.
What is data minimization and why does it matter for FERPA?
Data minimization means collecting only the information you actually need and nothing more. It matters because data that is never collected can never be breached, misused, or improperly shared — making it one of the simplest and strongest ways to reduce student privacy risk.
How can a teacher tell if a classroom app is safe to use?
Check what student data it collects, whether students need logins, whether it stores photos, who it shares data with, and whether your district has a signed Data Privacy Agreement with the vendor. When in doubt, ask your school or district technology office before entering any student information.
The Chou Chou Team

The Chou Chou Team

Classroom Coaches

We build privacy-first tools that help K-12 teachers run warmer, calmer, more positive classrooms.

Keep learning

Catch them being great

Bring positive reinforcement to life with points that only go up and a creature for every student. Privacy-first and FERPA compliant.

Start your free trial