Module: 02g — COPPA, FERPA, and Student Data Privacy Law for Security Researchers Difficulty: Intermediate
Questions
Q1. Under COPPA (15 U.S.C. §§ 6501–6506), what age threshold defines a "child" whose personal information is protected by the statute?
- A) Under 16 years of age
- B) Under 14 years of age
- C) Under 13 years of age
- D) Under 18 years of age for school-related services
Correct answer: C Explanation: COPPA defines "child" as an individual under 13 years of age (15 U.S.C. § 6501(1)). The threshold is set by the statute itself, so the FTC cannot raise it through rulemaking; the 2013 and 2025 amendments to the COPPA Rule left it untouched. COPPA 2.0 proposals in Congress would raise it to 16, but as of 2026-04-17 no such amendment has been enacted.
Q2. The FTC's 2013 amended COPPA Rule (16 C.F.R. § 312.2) expanded the definition of "personal information" to expressly include which category that catches most modern apps off-guard?
- A) Student email addresses used for school communication
- B) Persistent identifiers — including cookies, IP addresses, device serial numbers, and unique device identifiers — that can recognize a user across websites or online services
- C) Aggregate analytics about children's usage patterns that cannot identify individuals
- D) Biometric data collected from children by licensed health providers
Correct answer: B Explanation: The 2013 amendments to the COPPA Rule added "persistent identifier" to the definition of personal information, expressly covering a customer number held in a cookie, an IP address, a processor or device serial number, and a unique device identifier, whenever it can be used to recognize a user over time and across different websites or online services. A UUID assigned at app install that follows a child across sessions is therefore COPPA-regulated personal information. The one carve-out practitioners should know is the "support for internal operations" exception (16 C.F.R. § 312.5(c)(7)): an operator may collect a persistent identifier, and nothing else, without parental consent for purposes such as authentication, security, frequency capping, or contextual advertising, provided the identifier is not used to contact the child, to serve behavioral advertising, or to build a profile.
Q3. In FTC v. Google / YouTube (2019), what was the total settlement amount, and what was the primary COPPA violation alleged?
- A) $5.7 million; collecting location data from minors during app registration
- B) $170 million; serving behavioral advertising on child-directed channels using persistent identifiers tied to child viewers without parental consent
- C) $450,000; collecting geolocation data from minors without verifiable parental consent
- D) $1.5 billion; failing to honor deletion requests and allowing age-gating bypass
Correct answer: B Explanation: The FTC and the New York Attorney General settled with Google and YouTube for $170 million ($136 million to the FTC, $34 million to New York). The complaint alleged that YouTube collected persistent identifiers (cookies) from viewers of child-directed channels on the main YouTube service and used them to serve behavioral advertising without notice to or consent from parents, while telling advertisers that the platform had no users under 13 and therefore did not need to comply with COPPA. It was the largest COPPA penalty at the time; the FTC's December 2022 settlement with Epic Games, which included a $275 million civil penalty for COPPA violations, has since surpassed it.
Q4. FTC guidance under COPPA permits a school to consent to an ed-tech operator's collection of student data on parents' behalf. This "school consent" exception (often loosely called the "school official" exception, borrowing FERPA's term) appears in the FTC's COPPA FAQs rather than in the text of the Rule. What is the critical limiting condition that most frequently leads to violations?
- A) The exception applies only to public schools, not private or charter schools
- B) The operator must delete all student data within 30 days of the school year ending
- C) The data collection must be for an educational purpose and the operator must not use the data for commercial purposes, behavioral advertising, or building profiles for non-educational use
- D) The exception requires annual renewal and re-certification by the school board
Correct answer: C Explanation: School consent permits collection without direct parental consent only when the operator collects and uses the data for the educational purpose the school has authorized and acts solely for the school's benefit; it may not use the data for commercial purposes, behavioral advertising, or building profiles for non-educational use. Note that this exception rests on FTC guidance (the COPPA FAQs), not on the Rule itself; the FTC proposed codifying a school-authorization exception in its 2024 rulemaking but declined to finalize it in the 2025 amendments. Many operators push far beyond this limit into data monetization while claiming the exception covers them.
Q5. The Supreme Court's decision in Gonzaga University v. Doe, 536 U.S. 273 (2002), established what fundamental principle about FERPA enforcement?
- A) Schools must obtain written parental consent before disclosing any education records to federal agencies
- B) FERPA does not create a private right of action — individuals cannot sue a school in federal court for disclosing their education records
- C) The Department of Education must impose minimum fines of $10,000 per FERPA violation before escalating to funding termination
- D) State courts have concurrent jurisdiction with federal courts to enforce FERPA rights
Correct answer: B Explanation: In Gonzaga University v. Doe, 536 U.S. 273 (2002), the Supreme Court held that FERPA's nondisclosure provisions create no personal rights enforceable by private suit (including under 42 U.S.C. § 1983). The only remedy is an administrative complaint to the U.S. Department of Education's Student Privacy Policy Office, whose ultimate sanction is withholding federal funds from the institution. The absence of a private right of action is one of the largest enforcement gaps in any major federal privacy statute.
Q6. Under FERPA, which of the following records held by a school is explicitly EXCLUDED from the definition of "education records"?
- A) A student's IEP (Individualized Education Program) maintained by the special education office
- B) A student's disciplinary hearing transcripts maintained by the dean of students
- C) Campus police records maintained by the law enforcement unit solely for law enforcement purposes
- D) A student's financial aid records including loan disbursement amounts
Correct answer: C Explanation: Under 20 U.S.C. § 1232g(a)(4)(B)(ii), records maintained by the campus law enforcement unit solely for law enforcement purposes are explicitly excluded from FERPA's definition of "education records." These records may be subject to state public records laws instead. IEPs, disciplinary records, and financial aid records are all education records under FERPA.
Q7. The PowerSchool breach disclosed in January 2025 is significant for what reason that reflects a systemic vulnerability in K-12 data security?
- A) It was the first breach to expose biometric data collected from students under BIPA
- B) A single vendor's customer support portal breach exposed data from approximately 50+ million students due to extreme market concentration, making it the largest K-12 data breach in U.S. history
- C) It resulted in the first FERPA funding termination enforcement action by the Department of Education
- D) The breach was caused by a student who exploited a SQL injection vulnerability discovered during a school-authorized security assessment
Correct answer: B Explanation: PowerSchool serves approximately 16,000 school districts and a dominant share of the North American K-12 SIS market. The attacker used a compromised credential to log in to PowerSchool's PowerSource customer support portal, then used the portal's legitimate maintenance-access feature to reach customer SIS instances and export their Students and Teachers tables. The result was records on 50+ million students, the single largest K-12 data breach in U.S. history, and a textbook single point of failure: one vendor credential and one support tool exposed thousands of districts' data at once.
Q8. A security researcher is hired to pen test a school district's network. The district's student information system (SIS) is cloud-hosted by PowerSchool. What authorization issue is most critical to resolve before testing the SIS itself?
- A) The researcher must obtain a signed FERPA release from the district superintendent authorizing access to student records
- B) The district cannot authorize access to the SIS because the vendor — not the district — operates that system; SIS testing requires authorization from PowerSchool directly
- C) The researcher must file a notification with the Department of Education's SPPO before testing any system that processes education records
- D) Testing the SIS is permitted as long as the researcher agrees not to view any actual student records during the engagement
Correct answer: B Explanation: A school district can authorize testing of the systems it owns and operates, but a cloud-hosted SIS is operated by the vendor; the district is a customer and cannot grant access to infrastructure it does not control. Probing the vendor's platform on the strength of the district's scope letter alone risks unauthorized access against the vendor under the CFAA and a breach of its terms of service. Before touching the SIS, obtain written authorization from PowerSchool, or test only through its published vulnerability disclosure or penetration testing process if one exists, and write the district's rules of engagement so that vendor-hosted systems are explicitly out of scope unless that authorization is in hand.
Q9. California's SOPIPA (Cal. Bus. & Prof. Code §§ 22584-22585) prohibits ed-tech operators from using student data for targeted advertising. What is the scope test that determines whether a product is covered by SOPIPA (as opposed to COPPA)?
- A) Any product accessed by a student under 18 on a school-issued device is automatically SOPIPA-covered
- B) SOPIPA covers operators of websites, apps, or online services "designed and marketed" for K-12 school purposes — narrower than COPPA's child-directed test
- C) SOPIPA applies to any product that uses persistent identifiers to track California students across sessions
- D) SOPIPA covers any operator that has signed a data processing agreement with a California school district
Correct answer: B Explanation: SOPIPA applies to an operator with actual knowledge that its site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes. That product-scope test is narrower than COPPA's child-directed test: a general-audience tool a school happens to use is not SOPIPA-covered unless it was built and marketed for K-12 use. COPPA, by contrast, attaches based on audience characteristics and actual knowledge that the operator is collecting from a child. SOPIPA is broader in one respect: it protects all K-12 students regardless of age, whereas COPPA stops at 13.
Q10. Under the COPPA Rule (16 C.F.R. § 312.5), for lower-risk internal uses of child data with no third-party disclosure, what simplified consent method is permitted — but is NOT sufficient when the operator intends to disclose data to third parties?
- A) Face-match to a verified government photo ID
- B) Knowledge-based authentication using public records questions a child wouldn't know
- C) Email plus — sending an email to the parent, awaiting response, then sending a confirmation
- D) Government ID check with deletion of the ID after verification
Correct answer: C Explanation: The COPPA Rule permits "email plus" consent — sending an email to the parent and receiving a response followed by a confirmation — for lower-risk uses limited to internal operations with no third-party disclosure. This simplified method is expressly insufficient when the operator intends to disclose child data to third parties, which requires a stronger verifiable parental consent method such as credit card verification, government ID check, or knowledge-based authentication.