Why Education Websites Face Stricter Cookie Rules
School districts, universities, and edtech vendors operate under privacy obligations that most commercial websites never encounter. A standard cookie banner built for GDPR or CCPA compliance may fall short when the visitors are students and the data qualifies as an education record or belongs to a child under 13.
Two federal laws sit at the centre of this problem: FERPA (the Family Educational Rights and Privacy Act) and COPPA (the Children's Online Privacy Protection Act). Each imposes distinct rules on how personal information can be collected, stored, and shared. When a school website drops a _ga analytics cookie or loads a _fbp tracking pixel, those rules apply.
The stakes are real. The FTC can impose civil penalties of up to $53,088 per COPPA violation, and FERPA non-compliance risks federal funding. State-level student privacy statutes - now active in more than 40 states - add further layers.
FERPA: What It Covers and Where Cookies Fit
FERPA applies to any educational institution that receives funding from the U.S. Department of Education. It gives parents (and eligible students over 18) control over access to education records, which include any records directly related to a student and maintained by the school or a party acting on its behalf.
Cookies themselves are not mentioned in FERPA. The risk arises when cookies or tracking scripts collect data that qualifies as part of an education record - or when a third-party vendor receiving cookie data is not covered by a proper agreement.
The school official exception allows institutions to share student data with third-party service providers, but only when those providers are under the school's direct control and use the data solely for authorised purposes. If your school website sends analytics data to Google via _ga cookies without a compliant agreement, that data sharing may violate FERPA's disclosure restrictions.
Practical FERPA Requirements for School Websites
Every third-party script on a school website that receives student-identifiable information needs a written agreement specifying the provider's role, permitted data use, and retention limits. This includes analytics platforms, learning management systems, and any embedded content that sets cookies.
Schools must also maintain a record of disclosures. If cookies facilitate data transfers to vendors, those transfers should be documented and auditable.
COPPA: The Under-13 Threshold That Changes Everything
COPPA applies to websites and online services directed at children under 13, or those with actual knowledge that they are collecting data from children under 13. For primary school websites, learning platforms used by young students, and child-directed edtech products, COPPA compliance is mandatory.
The FTC's amended COPPA Rule, finalised in January 2025 with full compliance required by April 2026, tightens several requirements. Operators must now obtain verifiable parental consent before sharing children's personal information with third parties for any purpose beyond the service itself. A written data retention policy is required, and indefinite retention of children's data is prohibited.
Cookies that collect persistent identifiers - such as _ga, _fbp, or advertising cookies like IDE - count as personal information under COPPA. Setting these cookies on a child-directed site without verifiable parental consent is a violation.
The School Consent Exception
COPPA has long recognised that schools can consent on behalf of parents when an edtech service collects student data strictly for educational purposes. The FTC declined to codify this exception in the 2025 amendments, citing a potential student privacy rulemaking by the Department of Education. The exception still exists in FTC guidance, but its boundaries remain unclear.
Schools relying on this exception should limit third-party cookies on student-facing platforms to those strictly necessary for educational functionality. Marketing cookies, social media pixels, and behavioural advertising trackers cannot be justified under the school consent exception.
How FERPA and COPPA Overlap on School Websites
A primary school website serving students under 13 must comply with both FERPA and COPPA simultaneously. The two laws address different aspects of the same problem, and complying with one does not exempt a site from the other.
| Requirement | FERPA | COPPA |
|---|---|---|
| Scope | Education records at federally funded institutions | Personal information from children under 13 |
| Consent authority | Parents (or students over 18) | Parents (verifiable consent required) |
| School can consent on behalf of parents? | Yes, via school official exception with vendor agreements | Yes, for educational purposes only (FTC guidance, not codified) |
| Covers cookies and tracking? | When cookies collect data linked to education records | Yes, persistent identifiers are personal information |
| Penalties | Loss of federal funding | Up to $53,088 per violation (civil penalties) |
| Enforced by | U.S. Department of Education | Federal Trade Commission (FTC) |
The practical result: a school website needs vendor agreements that satisfy FERPA's disclosure rules and cookie practices that satisfy COPPA's consent requirements. One law does not cover the gaps in the other.
State Student Privacy Laws Add Further Obligations
Since 2014, state legislatures have passed nearly 150 student privacy laws across 47 states. Many of these go further than FERPA or COPPA by imposing direct obligations on edtech vendors, not just schools.
Common state-level requirements include prohibitions on using student data for targeted advertising, mandatory data deletion upon request or contract termination, security incident notification obligations, and bans on selling student information. States like California (SOPIPA), New York (Education Law 2-d), and Illinois (ISSDA) have particularly detailed frameworks.
For edtech vendors operating nationally, this patchwork means cookie and tracking practices must satisfy the strictest applicable standard. A vendor agreement that works in one state may be insufficient in another. The US state privacy laws comparison gives a broader picture of how these frameworks interact.
Which Cookies Are Acceptable on Education Websites?
Not all cookies pose the same risk on education websites. The distinction between functional cookies and marketing cookies matters more here than on a typical commercial site.
Strictly necessary cookies - session identifiers like PHPSESSID, authentication tokens, and CSRF protection cookies - can generally be set without parental consent. These are required for the website to function and do not collect data for third parties.
Analytics cookies fall into a grey area. Tools like Google Analytics set cookies (_ga, _gid) that create persistent identifiers. On a COPPA-covered site, these require parental consent or must be replaced with privacy-preserving analytics that operate without persistent identifiers.
Marketing and advertising cookies - including _fbp, IDE, and remarketing tags - should not appear on student-facing education websites. These cookies collect data for behavioural profiling and targeted advertising, which directly conflicts with both COPPA restrictions and most state student privacy laws.
Building a Compliant Cookie Strategy for Schools
Start with a cookie audit. Identify every cookie set on your school website, who sets it, what data it collects, and where that data goes. Automated scanning tools can detect cookies you may not know about, particularly those injected by third-party scripts or embedded content.
Step 1: Classify and Remove Unnecessary Cookies
Remove all marketing pixels, social media trackers, and advertising cookies from student-facing pages. If YouTube embeds or social sharing buttons set third-party cookies, replace them with privacy-enhanced alternatives or load them only after consent.
Step 2: Implement Consent Where Required
For any non-essential cookies that remain, implement a cookie consent banner that meets COPPA's verifiable parental consent standard - not just a generic accept/reject prompt. COPPA requires methods that are reasonably calculated to ensure the person giving consent is actually the child's parent. Simple banner clicks may not satisfy this threshold for under-13 audiences.
Step 3: Review Vendor Agreements
Ensure every third-party service that receives data through cookies has a written agreement covering FERPA's school official requirements. The agreement should specify data use limitations, retention periods, deletion obligations, and security standards. A vendor risk assessment helps systematise this process.
Step 4: Separate Student and Public Pages
Many school websites serve two audiences: students and parents accessing educational tools, and the general public visiting informational pages. Consider running different cookie configurations for each. Public-facing pages may use standard consent mechanisms, while student-facing portals should restrict cookies to those strictly necessary for functionality.
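The audit, classification, and page-separation steps above can be expressed as a small script. This is an added example, not code from the original article: it sorts cookies into the three categories the article describes and applies a stricter policy to student-facing pages. The function names, the `student`/`public` page labels, the `school.example` domain, the `widget_pref` cookie, and the choice to block unclassified cookies until consent are all assumptions.

```javascript
// Added example (not from the article). Lists hold only cookie names the article mentions.
const CATEGORIES = {
  necessary: [/^PHPSESSID$/],
  analytics: [/^_ga$/, /^_gid$/],
  marketing: [/^_fbp$/, /^IDE$/],
};

// Parse one Set-Cookie style line; any Expires or Max-Age attribute counts as persistent.
function parseCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), domain: null, persistent: false };
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    if (key === 'domain') cookie.domain = attr.slice(eq + 1).replace(/^\./, '').toLowerCase();
    if (key === 'expires' || key === 'max-age') cookie.persistent = true;
  }
  return cookie;
}

function categorise(name) {
  for (const [category, patterns] of Object.entries(CATEGORIES)) {
    if (patterns.some((p) => p.test(name))) return category;
  }
  return 'unclassified'; // unknown cookies need manual review
}

// Audit cookies seen on a page. pageType is 'student' or 'public' (assumed labels).
function auditPage(pageType, siteDomain, setCookieLines) {
  return setCookieLines.map((line) => {
    const c = parseCookie(line);
    const category = categorise(c.name);
    const thirdParty = c.domain !== null && c.domain !== siteDomain &&
      !siteDomain.endsWith('.' + c.domain);
    let action = 'allow';
    if (category === 'marketing' && pageType === 'student') action = 'remove';
    else if (category !== 'necessary') action = 'block-until-consent';
    return { name: c.name, category, persistent: c.persistent, thirdParty, action };
  });
}

// Constructed sample input, as a scanner might record it for one page.
const SAMPLE = [
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure',
  '_ga=GA1.2.111.222; Domain=.school.example; Max-Age=63072000; Path=/',
  '_fbp=fb.1.111.222; Domain=.school.example; Max-Age=7776000; Path=/',
  'IDE=xyz; Domain=.doubleclick.net; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure',
  'widget_pref=1; Max-Age=3600',
];
```

Calling `auditPage('student', 'portal.school.example', SAMPLE)` returns one record per cookie; on a page for under-13 users, "consent" in `block-until-consent` means verifiable parental consent, not a banner click.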
GDPR and International Students
Universities and online learning platforms with students in the EU or UK face GDPR and UK GDPR requirements on top of FERPA and COPPA. GDPR's children's data provisions set the digital age of consent between 13 and 16, depending on the member state, and require prior opt-in consent for non-essential cookies regardless of the visitor's age.
For institutions with an international student body, the safest approach is to apply the strictest standard across all visitors. Block all non-essential cookies by default, obtain explicit consent before activation, and maintain auditable consent records.
Frequently Asked Questions
Do school websites need a cookie consent banner?
Yes, if the school website sets any non-essential cookies. COPPA requires verifiable parental consent for persistent identifiers on sites directed at children under 13. Even for older students, FERPA and state laws may require notice and consent for third-party data sharing facilitated by cookies.
Can schools use Google Analytics on student-facing pages?
Google Analytics sets persistent identifier cookies that qualify as personal information under COPPA. Schools can use it on public informational pages with proper consent, but student-facing portals for children under 13 should either obtain verifiable parental consent or switch to cookieless analytics alternatives.
Does FERPA apply to cookies on university websites?
FERPA applies when cookies collect or transmit data that forms part of an education record. If analytics or tracking cookies on a university site capture student-identifiable information and send it to a third party without a compliant agreement, that may violate FERPA's disclosure restrictions.
What is verifiable parental consent under COPPA?
Verifiable parental consent requires methods reasonably calculated to ensure the consenting person is the child's parent. Acceptable methods include signed consent forms, credit card verification, video conferencing, and knowledge-based authentication. A simple cookie banner click does not meet this standard for under-13 audiences.
Are session cookies exempt from COPPA?
Session cookies that do not collect personal information and expire when the browser closes are generally exempt. Persistent cookies that create unique identifiers, track behaviour across sessions, or enable third-party data collection are not exempt and require parental consent on child-directed sites.
How do state student privacy laws affect edtech cookie practices?
Many state student privacy laws prohibit using student data for targeted advertising and require vendors to delete data upon request. These laws often apply directly to edtech vendors, meaning cookie-based tracking for advertising or profiling purposes is restricted regardless of whether consent is obtained.