Student Data Is Heavily Protected
Educational technology handles some of the most protected data: student records. FERPA (Family Educational Rights and Privacy Act) protects student education records. Schools must have written consent before disclosing personally identifiable information (PII) from education records. COPPA (Children's Online Privacy Protection Act) applies to children under 13 and requires verifiable parental consent before collecting personal information. It applies to all EdTech products used by children under 13, regardless of whether the product targets children.
The AI governance challenge: EdTech products serve students from age 5 to adult. The same platform may need: COPPA compliance for elementary students, FERPA compliance for all K-12 students, and standard privacy practices for adult learners. AI rule: 'Every user-facing feature: check the user's age/grade context. Under 13: COPPA applies (no personal data collection without parental consent). K-12: FERPA applies (no PII disclosure without school authorization). The AI must generate age-appropriate data handling.'
State student privacy laws: beyond FERPA and COPPA, many states have additional student privacy laws (California SOPIPA, New York Education Law 2-d, Illinois SOPPA). These often add: restrictions on targeted advertising using student data, data deletion requirements when the contract ends, transparency requirements for data practices. AI rule: 'Check applicable state laws for the deployment states. The strictest applicable standard is the minimum baseline.'
Student Data Classification and Handling
Student PII under FERPA includes names, addresses, student ID numbers, grades, attendance records, disciplinary records, special education records, and behavioral assessments. Directory information (name, grade level, enrollment status) may be disclosed unless the parent opts out. Non-directory PII requires consent. AI rule: 'Classify every student data field. Directory information: accessible with opt-out check. Non-directory PII: requires authorization. Never expose grades, disciplinary records, or special education data without explicit authorization.'
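One way to enforce this classification at the disclosure boundary, as an added example that is not code from any particular product. The field catalogue, the `StudentRecord` type, the `authorized` set of requester ids and the sample record are hypothetical; fields missing from the catalogue are denied by default.

```python
from dataclasses import dataclass, field
from enum import Enum

class FieldClass(Enum):
    DIRECTORY = "directory"          # may be disclosed unless the parent opted out
    NON_DIRECTORY = "non_directory"  # requires explicit authorization

# Hypothetical field catalogue following the classification described above.
FIELD_CLASSES = {
    "name": FieldClass.DIRECTORY,
    "grade_level": FieldClass.DIRECTORY,
    "enrollment_status": FieldClass.DIRECTORY,
    "address": FieldClass.NON_DIRECTORY,
    "student_id": FieldClass.NON_DIRECTORY,
    "grades": FieldClass.NON_DIRECTORY,
    "attendance": FieldClass.NON_DIRECTORY,
    "disciplinary_records": FieldClass.NON_DIRECTORY,
    "special_education": FieldClass.NON_DIRECTORY,
}

@dataclass
class StudentRecord:
    data: dict
    directory_opt_out: bool = False
    authorized: set = field(default_factory=set)  # requester ids with authorization (assumption)

def disclose(record, requester, requested):
    """Return (released, denied). Unclassified fields are never released."""
    released, denied = {}, {}
    for name in requested:
        cls = FIELD_CLASSES.get(name)
        if cls is None:
            denied[name] = "unclassified field"
        elif requester in record.authorized:
            released[name] = record.data.get(name)
        elif cls is FieldClass.NON_DIRECTORY:
            denied[name] = "authorization required"
        elif record.directory_opt_out:
            denied[name] = "directory opt-out on file"
        else:
            released[name] = record.data.get(name)
    return released, denied

# Constructed sample record, not real data.
SAMPLE = StudentRecord(
    data={"name": "Sample Student", "grade_level": 4, "grades": {"math": "B"}},
    authorized={"teacher-17"},
)
```

The `denied` mapping gives a reason per field, which can be written to an audit log alongside the requester id.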
Learning analytics: EdTech platforms collect detailed learning data (time on task, question responses, navigation patterns, collaboration interactions). This data improves learning outcomes but creates privacy risks. AI rule: 'Learning analytics: aggregate before sharing. Individual student analytics: visible only to the student, their parents, and authorized educators. Never use individual learning data for purposes other than improving that student's educational experience. No advertising targeting.'
Data minimization: collect only the data necessary for the educational purpose. AI rule: 'Before generating a data collection feature: ask what educational purpose this data serves. If no clear educational purpose: do not collect it. EdTech products should not collect: device location (unless educational purpose), browsing history outside the platform, social media connections, or biometric data (unless specifically authorized for accessibility).'
A student's learning data (which problems they got wrong, how long they spent on each topic, where they struggled) is educational data protected by FERPA. Using this data for advertising targeting, selling it to third parties, or sharing it beyond the educational purpose violates FERPA and most state student privacy laws. The AI must never generate features that use learning analytics for non-educational purposes.
Accessibility and Age-Appropriate Content
Accessibility is a legal requirement: Section 508 (federal), ADA (Americans with Disabilities Act), and state laws require educational technology to be accessible. WCAG 2.1 Level AA is the standard for EdTech accessibility. AI rule: 'Every UI component: WCAG 2.1 AA compliant. Keyboard navigable, screen reader compatible, sufficient color contrast (4.5:1 for text), alt text for images, captions for video, and proper heading hierarchy. The AI must generate accessible HTML/components by default.'
Age-appropriate design: content and interactions should match the user's developmental level. For elementary students (K-5): simple language, large touch targets, limited text input, visual/audio feedback, no social features without moderation. For middle school (6-8): age-appropriate vocabulary, structured interactions, moderated social features. For high school (9-12): more autonomy, collaborative features, academic vocabulary. AI rule: 'Check the target age group. Generate UI complexity appropriate to the grade level. Error messages for young children: friendly and constructive, not technical.'
Content safety: EdTech platforms must ensure content is appropriate for the audience. AI-generated content (summaries, explanations, practice problems) must be reviewed for age-appropriateness. User-generated content (discussion posts, uploads) must be moderated. AI rule: 'Content moderation: all user-generated content in K-12 platforms requires moderation (automated + human review). AI-generated content: apply content safety filters appropriate to the grade level.'
Unlike consumer apps where accessibility is a best practice, EdTech accessibility is a legal requirement. Section 508 (for federally-funded schools, which is nearly all of them) and ADA require accessible technology. A school district cannot adopt an inaccessible EdTech product. The AI should generate WCAG 2.1 AA compliant components by default — not as an afterthought, but as the baseline for every UI element.
Vendor Agreements and Data Deletion
School district contracts: EdTech vendors sign data processing agreements with school districts that specify: what data is collected, how it is used, who has access, security requirements, and data deletion timelines. AI rule: 'The data processing agreement is the source of truth for data handling. Before generating features that collect new data types: verify the DPA allows it. The AI should not generate features that expand data collection beyond the contracted scope.'
Data deletion: when a school district ends the contract, all student data must be deleted within the agreed timeframe (typically 30-90 days). AI rule: 'Implement tenant-level data deletion capability. When a district offboards: delete all student data, learning records, and analytics. Verify deletion completeness. Provide a deletion certificate. The AI should generate soft-delete with hard-delete after the grace period.'
Third-party integrations: EdTech platforms often integrate with LMS platforms (Canvas, Google Classroom), assessment tools, and content providers. Each integration that shares student data requires the third party to have its own DPA with the school district. AI rule: 'Before sharing student data with a third-party integration: verify the third party has authorization. Never send student PII to a service without a DPA. Use de-identified data for analytics integrations where possible.'
When a school district ends the contract, all student data must be deleted. Not archived, not anonymized, but deleted. The district owns the student data, and the vendor is a custodian. The AI should generate data deletion capabilities that can remove all data for a specific district (tenant), including student records, learning analytics, uploaded content, discussion posts, and assessment results. Provide a deletion certificate to the district.
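The soft-delete, hard-delete, verify and certify flow described in the data deletion rule and in the paragraph above, as an added example that is not code from any particular product. The schema, function names, 30-day default grace period and certificate fields are assumptions; the certificate hash is a plain SHA-256 over the certificate body, not a signature.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timedelta

# Fixed allow-list of tenant-scoped tables (the data kinds listed above); schema is constructed.
TENANT_TABLES = ("student_records", "learning_analytics", "uploaded_content",
                 "discussion_posts", "assessment_results")

def make_db():
    """Build an in-memory database with one table per tenant-scoped data kind."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tenants (id TEXT PRIMARY KEY, offboarded_at TEXT)")
    for t in TENANT_TABLES:
        conn.execute(f"CREATE TABLE {t} (id INTEGER PRIMARY KEY, tenant_id TEXT, body TEXT)")
    return conn

def seed_demo(conn, tenant_id):
    """Insert one constructed row per table for the given tenant."""
    conn.execute("INSERT INTO tenants VALUES (?, NULL)", (tenant_id,))
    for t in TENANT_TABLES:
        conn.execute(f"INSERT INTO {t} (tenant_id, body) VALUES (?, 'constructed')", (tenant_id,))
    conn.commit()

def offboard(conn, tenant_id, now):
    """Soft delete: mark the tenant so application queries can exclude its data."""
    conn.execute("UPDATE tenants SET offboarded_at = ? WHERE id = ?", (now.isoformat(), tenant_id))
    conn.commit()

def purge(conn, tenant_id, now, grace_days=30):
    """Hard delete after the grace period, verify nothing remains, return a certificate."""
    row = conn.execute("SELECT offboarded_at FROM tenants WHERE id = ?",
                       (tenant_id,)).fetchone()
    if row is None or row[0] is None:
        raise ValueError("tenant has not been offboarded")
    if now < datetime.fromisoformat(row[0]) + timedelta(days=grace_days):
        raise PermissionError("grace period has not elapsed")
    with conn:  # single transaction: every table is purged or none is
        deleted = {t: conn.execute(f"DELETE FROM {t} WHERE tenant_id = ?",
                                   (tenant_id,)).rowcount for t in TENANT_TABLES}
        residual = {t: conn.execute(f"SELECT COUNT(*) FROM {t} WHERE tenant_id = ?",
                                    (tenant_id,)).fetchone()[0] for t in TENANT_TABLES}
        if any(residual.values()):
            raise RuntimeError(f"deletion incomplete: {residual}")
    cert = {"tenant_id": tenant_id, "purged_at": now.isoformat(),
            "rows_deleted": deleted, "residual_rows": sum(residual.values())}
    cert["sha256"] = hashlib.sha256(json.dumps(cert, sort_keys=True).encode()).hexdigest()
    return cert
```

Backups, caches, search indexes and copies held by third-party integrations sit outside this database and need their own purge step before a certificate is issued.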
EdTech AI Governance Summary
Summary of AI governance rules for educational technology development teams.
- FERPA: student PII protected. Directory info with opt-out check. Non-directory PII needs consent
- COPPA: under-13 users need parental consent for personal data collection
- Learning analytics: aggregate before sharing. Individual data visible only to student/parent/educator
- Data minimization: collect only what serves an educational purpose. No advertising targeting
- Accessibility: WCAG 2.1 AA required. Keyboard, screen reader, contrast, alt text, captions
- Age-appropriate: UI complexity matches grade level. Content moderation for all UGC
- Data deletion: district offboarding triggers full student data deletion within contract period
- Third-party: no student PII to services without a Data Processing Agreement