AI in your classrooms is governed by FERPA — whether you have a policy or not.
From AI tutors to plagiarism detection to admissions algorithms, education AI now sits at the intersection of FERPA, COPPA, and Department of Education guidance. Districts and institutions are publishing AI policies; the question is whether yours will hold up.
Federal regulations and ED guidance now in force
Each item below is already in force or has a confirmed enforcement date. Sources are named so your compliance team can verify in minutes.
FERPA (Family Educational Rights and Privacy Act)
Protects PII in student education records. AI vendors that access education records must qualify as 'school officials' or have signed parental consent.
Source: 20 U.S.C. § 1232g; 34 CFR Part 99
COPPA (Children's Online Privacy Protection Act)
Imposes notice, consent, and data-handling obligations when AI tools collect personal information from children under 13.
Source: 15 U.S.C. §§ 6501-6506; 16 CFR Part 312
U.S. Department of Education AI Guidance
ED's Office of Educational Technology has published 'AI and the Future of Teaching and Learning' (2023) and a 'Designing for Education with AI' toolkit (2024).
Source: U.S. Department of Education, OET (2023, 2024)
EU AI Act — High-Risk: Education and Vocational Training
Annex III lists AI for admissions, evaluation, and student assessment as high-risk. Obligations apply from August 2, 2026.
Source: EU AI Act, Annex III
These dates are not theoretical
Two enforcement deadlines have already passed. The next major one — EU AI Act high-risk obligations — is live below.
The Regulatory Clock Is Running
Two EU AI Act deadlines have already passed. The next — August 2, 2026 — applies to High-Risk AI across healthcare, finance, HR, education, and insurance. Full enforcement begins that date.
Source: European Commission AI Act Service Desk
Next Enforcement Deadline
2 August 2026 — High-Risk AI Full Compliance
45
Days
00
Hours
18
Minutes
07
Seconds
2 February 2025
PassedProhibited AI practices banned + AI Literacy (Article 4) obligations began.
If you have not acted, you are already non-compliant.
2 August 2025
PassedGPAI model obligations + governance infrastructure required.
If you have not acted, you are already non-compliant.
2 August 2026
NextHigh-Risk AI systems (Annex III) must be fully compliant. Article 50 Transparency rules apply. Full enforcement begins.
2 August 2027
UpcomingHigh-Risk AI embedded in regulated products (medical devices, aviation).
October 24, 2024
ED 'Designing for Education with AI' toolkit
Provides expectations for districts and EdTech developers; increasingly cited in state guidance.
Source: U.S. Department of Education OET (2024)
Ongoing
State AI in education laws
Multiple states (CA, NY, IL, VA, and others) are publishing K-12 and higher-ed AI guidance and bills.
Source: State legislature trackers, 2024
August 2, 2026
EU AI Act high-risk education AI
Admissions and evaluation AI must meet documentation, oversight, and bias-testing obligations.
Source: EU AI Act, Article 113
The cost of getting this wrong is no longer theoretical
Real cases. Named parties. Public records. These are the precedents your board, your auditors, and your insurer will reference.
Edmodo (FTC enforcement)
$6 million suspended civil penalty + COPPA bans
FTC action over collecting children's data and using it for advertising without verifiable parental consent — applies the same logic to AI EdTech.
Source: FTC press release, May 22, 2023
Amazon Alexa COPPA settlement
$25 million
FTC penalty for retaining children's voice data — a direct warning to voice-AI tools used in classrooms.
Source: FTC press release, May 31, 2023
Dartmouth-Hitchcock and other FERPA actions
Loss of federal funding eligibility (statutory remedy)
FERPA's enforcement mechanism is loss of Department of Education funding — existential for many institutions.
Source: 20 U.S.C. § 1232g(b)
Mapped to the NIST AI Risk Management Framework
Every engagement is structured around the four NIST AI RMF Core functions. Your auditors and clients already recognize this language.
NIST AI RMF — Govern
District/institution AI policy, board-level accountability, parent/student transparency.
NIST AI RMF — Map
Inventory AI tools by classroom, by data type, by student age (COPPA scope).
NIST AI RMF — Measure
Bias testing, accuracy evaluation, equity impact across demographics.
NIST AI RMF — Manage
Vendor 'school official' agreements, parental consent flows, incident response.
AI Governance & Compliance Studio
Two ways to start. One clear path forward.
Whether you need a fast read on your exposure or a deeper conversation about your governance strategy, NeuralEdge gives you a structured next step — never a sales pitch.
Free AI Readiness Snapshot
A 5-minute interactive self-assessment scored against the NIST AI RMF Core. See your readiness level immediately.
Get Your Free AI Readiness Snapshot30-Minute Compliance Review
A working session with a NeuralEdge consultant. Bring your questions, leave with a clear action list.
Book a 30-Minute Compliance ReviewFrequently asked questions
Can a teacher use ChatGPT with student work under FERPA?
Only if no PII from education records is shared, or if the vendor qualifies as a 'school official' under FERPA's exception with appropriate contractual controls. Most consumer AI tools do not qualify by default.
Does COPPA apply to high schoolers?
COPPA covers under-13 only. For 13+, FERPA and state student-privacy laws (e.g., California SOPIPA) apply. Both must be addressed in your AI vendor contracts.
What about AI in admissions decisions?
High-risk under the EU AI Act and increasingly scrutinized in the US. Document your model, validate for bias, and maintain human oversight of admit/deny decisions.
How fast can we publish a defensible AI policy?
A district or institution baseline (policy, vendor due-diligence checklist, classroom-use guidance, parent communication) typically takes 4–8 weeks.