What COPPA 2026 Actually Changed for Texas Districts' Ed-Tech Consent

If you're a Texas technology director or data privacy lead, your inbox in late April probably had a wave of "we've updated our privacy policy" emails from ed-tech vendors. That was the 2025 amendments to the FTC's COPPA Rule reaching their April 22, 2026 compliance date.

What COPPA 2026 is really testing for districts is narrower than the wave suggests, and harder than it looks. The federal rule does not require districts to maintain a per-vendor parental-consent ledger — the school-authorization framework that lets districts consent on parents' behalf is still in effect, unchanged by the 2025 amendments. What changed is what kinds of vendor uses school consent can still cover. The actual test for districts is whether they can name, vendor by vendor, which of their ed-tech tools are doing things school consent never covered. Most can't, because most don't have a current vendor inventory.

For Texas districts there's a parallel state-law layer that lands on the same prerequisite: Tex. Educ. Code §32.1021, added by HB 18 in 2023, requires district-collected parental consent for student software use through TEA-adopted standards. That obligation is unchanged by COPPA 2026, but answering it requires exactly the same thing the federal question requires. A vendor inventory that's current.

The Inventory Test Districts Are Now Taking

The argument starts with the numbers. U.S. districts accessed an average of 2,982 ed-tech tools per district during 2024–25, up from 2,591 two academic years earlier. That figure is based on engagement data — what students and staff actually opened — not the smaller list of tools that went through a procurement and privacy review. Of the K-12 apps that Internet Safety Labs tested in its 2022 K-12 EdTech Safety Benchmark, 96% shared children's personal information with third parties, with 78% of those flows reaching advertising or monetization entities.

The capacity to track that volume is not where it would need to be. In CoSN's 2025 National Student Data Privacy Report, 73% of K-12 privacy leads said overseeing the district's privacy program is not part of their job description, and 60% cited time and manpower — not budget or expertise — as the biggest barrier to improving privacy compliance.

The New York State Comptroller's audit of NYC Public Schools, released April 23, 2026 (Report 2026-23N6), put the structural version of this on paper. Of 524 responding schools, 218 (42%) collectively identified at least 70 different SIS applications outside the central ATS and STARS systems; the audit documented no centralized inventory of software in use across the district, and 141 data security incidents over two years. The country's largest district can't list which apps are running in each building. The expectation that a smaller Texas district can quickly answer "which of these vendors does targeted advertising or AI training on student inputs" gets exposed in the same way when a parent or a regulator asks.

That's the test COPPA 2026 is administering. It doesn't grade districts on a consent ledger; it grades them on whether the underlying knowledge exists. Districts that built a vendor inventory and a consent posture before April are confirming what they expected when vendor emails arrive. Districts that didn't are doing discovery work in the middle of a compliance window.

What the 2025 COPPA Amendments Actually Changed

COPPA regulates ed-tech operators, not schools — and the 2025 amendments tightened operator obligations rather than shifting them onto districts.

The headline shift is §312.5(a)(2): separate verifiable parental consent for non-integral third-party disclosures. An operator must now give parents the option to consent to collection and use without also consenting to third-party disclosure, and must obtain a separate VPC for disclosures that are not integral to the service. The FTC's Statement of Basis and Purpose at 90 FR 16918, 16948 explicitly named targeted advertising, disclosures for monetary consideration, and disclosures to third parties for AI model training as non-integral. A vendor that buried "we may share data with partners to improve our services" in a privacy policy and treated school consent as covering AI training or ad targeting is no longer doing that correctly.

The pre-existing requirement at §312.5(a)(1) — verifiable parental consent for material changes — has been in effect since the 2013 COPPA Rule. The 2025 amendments restate it but do not enlarge it. The Federal Register preamble specifically cautions against reading "material change" too broadly: the Commission is not likely to consider the addition of a new third party to an already-disclosed category of third-party recipients to be a material change that requires new consent. The material-change rule is not a 2025 invention and is not triggered by every privacy-policy update.

One thing the FTC did not do in 2025 is codify a school-authorization exception. The 2024 NPRM proposed it; the April 2025 Final Rule pulled the ed-tech provisions back, deferring to anticipated FERPA rulemaking by the Department of Education. The school-consent doctrine still lives where it has lived since 1999 — in the FTC's COPPA FAQs and the May 19, 2022 FTC Policy Statement on Education Technology and COPPA.

The 2025 reset is therefore narrower than the trade-press framing suggests. The school-authorization framework that lets districts consent on parents' behalf for school-purpose ed-tech is unchanged. What §312.5(a)(2) added is a narrowing of what that consent can still cover. Vendors that quietly used student data for purposes outside school benefit, under the assumption that district school-authorization covered everything they wanted to do, can no longer rely on that. Either they stop those uses or they obtain separate VPC from each parent directly.

That is the actual signal in the vendor inbox wave. The privacy-policy updates that matter most are the ones disclosing — sometimes for the first time — that the vendor was doing things school consent never covered.

How Texas Law Stacks on Top

Texas's parental-consent layer for ed-tech runs alongside COPPA but lives in different statutes, and the citations are easy to mix up. The map a Texas district needs:

• Tex. Educ. Code §32.1021 (Subchapter C, added by HB 18 §3.03, effective June 13, 2023) is the district-side state obligation. TEA standards adopted under it require "direct and informed parental consent" for a student's use of a software application, with carve-outs for state assessments (Subch. B Ch. 39) and CCR assessments (§39.054). Already in force. Unchanged by COPPA 2026. Not enjoined — the CCIA/NetChoice and SEAT preliminary injunctions reach only Tex. Bus. & Com. Code Ch. 509 (SCOPE Act Article II), not the Education Code.
• Tex. Educ. Code §§32.151–32.157 (Subchapter D, added by HB 2087, 2017) is the operator-side state obligation — Texas's SOPIPA-style operator regime. It prohibits targeted advertising on student data, prohibits selling or renting student information, and requires deletion within 60 days of district request (§32.156). At §32.157 it explicitly does not alter rights or duties under FERPA. Subchapter D regulates ed-tech vendors, not districts; districts enforce it through the contract. HB 18's §32.1021(11) directs districts to ensure operators they contract with comply with Subchapter D.
• Tex. Bus. & Com. Code Ch. 509 (SCOPE Act Article II) governs digital service providers with known minors. It explicitly does not apply to school districts (§509.002(b)(1)) or to Subchapter D operators primarily serving students (§509.002(b)(7)). Several Article II sections are partly enjoined and on consolidated 5th Circuit appeal; neither injunction touches the Education Code.

On top of all of this, FERPA's operative mechanism for ed-tech is the school-official exception at 34 CFR §99.31(a)(1) — disclosure under contractual control without parental consent, provided the vendor performs a function the district would otherwise do internally and is limited to that function. The U.S. Department of Education's "Protecting Student Privacy While Using Online Educational Services" guidance is the authoritative gloss.

For a Texas district reading vendor privacy-policy updates after April 22, two consent questions are now live:

1. Federal: which of our vendors do things school consent never covered? COPPA §312.5(a)(2) puts the obligation on the vendor — but the district has to know which vendors fall in that bucket to manage procurement and avoid renewing a contract that's about to be out of compliance.
2. State: which of our software apps need direct parental consent under §32.1021? District's obligation, collected through the district's workflow, with TEA standards as the binding instrument.

Both questions have the same prerequisite. A current vendor inventory.

The AI Overlay

The 2026–27 AI overlay sharpens what's at stake. RAND's September 2025 survey (RRA4180-1) found 54% of K-12 students and 53% of ELA, math, and science teachers were already using AI for schoolwork; a follow-up RAND release in March 2026 found AI-for-homework use rose from 48% in May 2025 to 62% in December 2025. The FTC's explicit treatment of third-party AI training as non-integral under §312.5(a)(2) means the vendors whose models train on student inputs are precisely the ones whose privacy-policy updates require the most careful reading right now. They are also the ones most likely to be in a district's catalog without a recent privacy review.

Four Checks to Run Before Fall

For Texas districts looking to close the gap before the 2026–27 school year:

1. Vendor inventory current. Centrally purchased tools, campus-level adds, and anything routed through SSO. If you can't list it, you can't tell which vendors fall under §32.1021 or which vendors are doing things school consent doesn't cover.
2. Vendor uses surfaced. For each significant vendor, what does the latest privacy notice actually say about targeted advertising, monetary disclosures, AI training on student inputs, and third-party sharing for non-integral purposes? The vendors that quietly added these uses are the ones whose updates matter most.
3. §32.1021 consent collection running. TEA standards apply to the software apps a district authorizes for student use. A workflow that collects consent at enrollment and on adoption of new apps mid-year is the practical bar.
4. Delivery reaches all families. Forms in the languages your district serves, distributed through channels parents actually use, not only through a portal login. NCES data shows 69% of Spanish-speaking parents who attempted to participate in school activities in 2018–19 reported that a language barrier made it difficult (Data Point 2024-132). A consent flow that only reaches English-speaking families isn't a consent flow that survives scrutiny.

Closing

COPPA 2026 didn't create a per-vendor district consent event. It narrowed what school consent can still cover, and it raised the cost of not knowing which vendors are doing what with student data. The districts that built a vendor inventory and a consent posture before April are absorbing this in stride. The rest are doing discovery work in the middle of a compliance window, which is the slowest possible way to do it.

If your district is working through the vendor wave, we'd be glad to share what's working for others. Reach out any time.