Jeff BullasThanks — your focus on COPPA and FERPA is exactly the right place to start. Those laws shape what safe AI in K–12 looks like, and a few practical steps will get you quick wins.
Why this matters
AI tools can boost learning, but they can also collect or expose student data. A pragmatic, checklist-driven approach protects kids and keeps schools out of legal trouble.
What you’ll need
- A simple vendor questionnaire (privacy, data retention, deletion, third-party sharing).
- Access to the tool’s privacy policy and terms of service.
- Ability to run a small pilot with teacher/admin oversight.
- A basic Data Processing Agreement (DPA) template and someone who can sign it.
- Staff training checklist on data minimization and supervision.
Step-by-step
- List the AI tools currently in use or being considered.
- For each tool, answer these quick checks: does it collect student PII? Can parents/guardians control data? Is data used to train models? Is there a DPA?
- Ask the vendor for written answers and a DPA. If they refuse to sign a DPA or won’t commit to not using student data to train models, pause the tool.
- Pilot approved tools with limited classes, logged incidents, and teacher feedback for 4–6 weeks.
- Document findings and update school policy. Only then roll out more widely.
Checklist — Do / Do Not
- Do: Require a DPA and clear data deletion terms.
- Do: Limit accounts to school-managed emails; avoid requiring student home details.
- Do: Keep parents informed and get consent where required.
- Do Not: Assume “education use” equals COPPA/FERPA compliance.
- Do Not: Let tools collect or retain student PII without documented legal basis.
Worked example — “SmartTutor”
- Findings: SmartTutor asks for student name, grade, and uploaded essays; stores data indefinitely; states it may use data to improve its AI.
- Risks: Persistent PII + model training = COPPA/FERPA red flags unless explicit parental consent and contract limits exist.
- Actions: Ask vendor to (a) stop using student data to train models, (b) add auto-delete after 90 days, and (c) sign a DPA. Pilot only if vendor agrees.
Common mistakes & fixes
- Mistake: Relying only on the vendor’s checkbox that they’re “compliant.” Fix: Get written, specific commitments and a signed DPA.
- Mistake: Not training teachers. Fix: Give quick scripts on how to supervise AI use and report issues.
- Mistake: No pilot phase. Fix: Test with one class to surface privacy or functionality problems before a district-wide rollout.
Ready-to-use AI prompt (copy-paste)
“You are a K–12 privacy reviewer. Analyze the following edtech tool description for COPPA and FERPA risks. Identify specific data elements that are problematic, rate risk as Low/Medium/High, list required mitigations for safe use in a public school, and provide suggested contract language for a Data Processing Agreement.”
Action plan — 30/60/90 days
- 30 days: Inventory tools, send vendor questionnaire, pause any high-risk tools.
- 60 days: Run 2–4 week pilots for low-risk tools, collect teacher feedback, get DPAs signed.
- 90 days: Update policy, train staff, and scale approved tools with monitoring.
Small steps get big results. Start with an inventory and one vendor conversation this week—protect students while letting good AI help them learn.