The patchwork of US privacy laws affecting your school's website
If you have spent any time trying to get a definitive answer on whether your college needs a cookie consent banner, you already know the frustration. Unlike the European Union — where the GDPR and the ePrivacy Directive create a single, relatively coherent framework — the United States has no federal cookie law. What American colleges and universities face instead is a patchwork of overlapping federal statutes and, as of 2026, comprehensive consumer privacy laws in more than 19 states. Understanding how these frameworks interact is the first step toward building a compliant web presence.
Four federal frameworks form the baseline for every US institution.
FERPA (Family Educational Rights and Privacy Act) governs education records of enrolled students at institutions receiving federal funding — which means every regionally accredited college in the country. FERPA does not create a "cookie law," but it does regulate what data can be disclosed, to whom, and under what conditions. When analytics tools or advertising pixels ingest data tied to an enrolled student's web activity, FERPA questions arise immediately.
COPPA (Children's Online Privacy Protection Act) applies when a website collects personal information from children under 13. For most four-year colleges, this is a minor concern — but dual-enrollment programs, early college initiatives, and high school recruitment campaigns that drive minors to your site trigger COPPA compliance obligations, including verifiable parental consent before data collection.
The FTC Act prohibits unfair or deceptive trade practices. If your privacy policy says "we do not share your data with third parties" but your site loads 14 ad-network trackers on the inquiry form page, you face FTC enforcement risk — independent of any state privacy statute.
CAN-SPAM governs commercial email, including follow-up sequences after a prospect completes a campus tour sign-up form. Every email must include a physical address, a working unsubscribe mechanism, and non-deceptive headers. Unsubscribes must be honored within 10 business days. No exceptions.
State law is where the real complexity lives.
As of April 2026, comprehensive consumer privacy laws are in force in California (CCPA/CPRA), Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon, Montana, Iowa, Indiana, Tennessee, and several additional states. Each imposes its own thresholds, definitions, and enforcement mechanisms. California's CCPA/CPRA is the most consequential for higher education: it applies to for-profit institutions meeting revenue or data-processing thresholds, grants consumers (including prospective students) rights to access, delete, and opt out of the sale or sharing of their data, and authorizes fines of up to $7,500 per intentional violation.
Public and nonprofit institutions are often exempt from CCPA's core provisions, but this exemption is narrower than many compliance teams assume. Marketing activities — buying lead lists, sharing prospect data with enrollment management vendors, running retargeting campaigns — may not qualify for the nonprofit exemption even when the core educational mission does.
For a comprehensive look at how these frameworks interact across the full student lifecycle, see our complete student data privacy guide.
Which cookies need consent under US law?
The concept of "consent before cookies" is a European invention. US law does not require opt-in consent for cookies as a categorical matter. What US law requires — primarily through CCPA/CPRA and similar state statutes — is transparency, opt-out rights for certain uses of data, and honest disclosure in your privacy policy. The practical implication: you need a consent management approach calibrated to US obligations, not a copy-paste of a GDPR cookie banner.
The table below maps cookie categories to applicable US legal frameworks and the compliance action required.
| Cookie category | Examples | FERPA applicability | CCPA/State law applicability | Compliance action required |
|---|---|---|---|---|
| Strictly necessary | Session management, login authentication, load balancing | Low — functional, no data sold or shared | Typically exempt from opt-out requirements | Disclose in privacy policy; no consent banner required |
| Analytics | Google Analytics 4, Hotjar, Crazy Egg | Moderate — if linked to enrolled student records | Must disclose; opt-out required if data "shared" for cross-context advertising | Disclose in privacy policy; honor Global Privacy Control (GPC) signals |
| Advertising & retargeting | Meta Pixel, Google Ads remarketing, LinkedIn Insight Tag | High — ad platforms ingest identifiers that may link to student records | Opt-out of sale/sharing required; "Do Not Sell or Share My Personal Information" link mandatory for CA residents | Opt-out mechanism on site; suppression list management |
| Personalization | Drift, Intercom, recommendation engines | Moderate — depends on enrollment status of user | Disclose and honor opt-out | Privacy notice at point of interaction |
| AI chatbot | Skolbot, Intercom AI, Drift AI | High — conversation data may include FERPA-protected info for enrolled students | Must disclose data collection; honor deletion requests | Pre-chat notice; consent for data retention beyond session |
Two elements every US college website needs, regardless of cookie type: a privacy policy that accurately describes what you collect and how you use it, and a visible mechanism for California (and other applicable state) residents to opt out of the sale or sharing of their personal information. The Student Privacy Compass publishes practical guidance on implementing these disclosures in a higher education context.
A note on Global Privacy Control (GPC). Under CCPA/CPRA, the California Privacy Protection Agency has confirmed that GPC signals — browser-level opt-out signals sent automatically — must be honored as valid opt-out requests. If your consent management platform does not detect and act on GPC signals, you are out of compliance with California law for any California resident who visits your site with GPC enabled.
Inquiry forms, campus tour sign-ups, and email lists: compliance rules
Every form on your school's website is a data collection event. The compliance obligations attached to that event depend on who is filling out the form, what you are collecting, what you plan to do with it, and where the person lives.
Inquiry and information request forms are the highest-volume collection point for most admissions offices. These forms are governed by FTC Act transparency requirements (your privacy policy must accurately reflect what you do with the data), CAN-SPAM if you follow up by email, and state consumer privacy laws for residents of states with comprehensive statutes. The compliance minimum: a privacy notice at the point of collection stating what data you collect, why, and how long you retain it, plus a link to your full privacy policy. Pre-checked marketing consent boxes are non-compliant under CCPA for minors under 16 and fall short of best practice for all prospects.
72% of chatbot interactions on school websites are standard FAQ queries — each one a data processing event covered by FERPA and potentially by state privacy laws like CCPA (Source: Automated classification of 12,000 Skolbot conversations, 2025). The volume of data processing happening through your chatbot alone makes form compliance a non-trivial operational issue.
Campus tour and open house registration forms present a distinct compliance challenge: they often collect more data than inquiry forms (travel plans, dietary restrictions, accessibility needs, emergency contacts for minors on campus) and the data is frequently shared with event management platforms, shuttle vendors, or catering services. Each vendor receiving prospect data requires a data processing agreement. Accessibility and dietary data may qualify as sensitive personal information under CCPA/CPRA and several state privacy laws, triggering heightened handling requirements.
Email list sign-ups — for newsletters, event announcements, and program updates — are governed by CAN-SPAM at the federal level. CAN-SPAM uses an opt-out model: you can email prospects who have not explicitly opted in, as long as every commercial email includes an unsubscribe mechanism and your physical mailing address. However, for California residents under 16, CCPA requires opt-in consent before you share or sell their data for marketing purposes. And for any audience that includes minors under 13, COPPA requires verifiable parental consent before the child's email address is collected at all.
The practical recommendation for any US college running national recruitment campaigns: implement an opt-in model regardless of the legal minimum. The trust dividend from explicit consent outweighs the marginal list-size benefit from capturing everyone who visited your homepage. The FTC's guidance on education privacy consistently highlights that the institutions subject to enforcement were not doing anything technically illegal — they were doing things their prospects did not expect and had not agreed to.
For a deeper look at the specific data protection obligations around prospect data from first contact through enrollment, see our guide on protecting prospect data.
How to implement a consent management platform for US schools
A consent management platform (CMP) is the technical infrastructure that controls which trackers fire based on user choices and applicable law. In the EU, a CMP is required to implement GDPR cookie consent. In the US, a CMP is the practical tool for honoring CCPA opt-out requests, suppressing ad-network trackers for opted-out users, responding to GPC signals, and maintaining an auditable record of consent choices.
Choosing a CMP for a US higher education context involves five criteria.
First, GPC signal detection. The platform must automatically detect and honor browser-level opt-out signals without requiring the user to find and click a "Do Not Sell" link. This is a CPRA requirement for California residents as of January 2023.
Second, state-law configurability. A single "accept/reject" toggle designed for GDPR does not map cleanly onto US obligations. Your CMP should allow you to present different disclosure language and opt-out mechanisms based on the visitor's state of residence — a California resident needs a "Do Not Sell or Share My Personal Information" option; a Texas resident has different rights under TDPSA.
Third, integration with your analytics and advertising stack. The CMP must suppress Google Analytics, Meta Pixel, LinkedIn Insight Tag, and other trackers based on user choices — not just display a banner and hope vendors comply. Server-side tag management is increasingly preferred because it gives the institution direct control over what data is transmitted to third parties.
Fourth, audit trail and proof of consent. In the event of a state attorney general investigation or FTC inquiry, your CMP should produce records showing when a user was shown a privacy notice, what choices they made, and what trackers were active during their session. Paper trails matter in enforcement actions.
Fifth, FERPA compatibility. This is the criterion most generic CMP vendors overlook. If your analytics platform processes data that could be linked to enrolled student records, the third party receiving that data may need to be designated as a "school official" under FERPA — which requires a legitimate educational interest and a data processing agreement that limits use to that interest. A CMP that simply fires Google Analytics tags regardless of enrollment status does not satisfy this requirement.
Implementation sequence: audit your current tracker inventory before deploying any CMP. Most college websites have accumulated ad pixels, heatmap tools, and A/B testing scripts across multiple years of vendor changes. Running a tool like Ghostery or a similar tracker scanner on your site before implementation typically reveals 20–40 active trackers — many of which were added by marketing vendors and never reviewed for privacy implications.
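One way to wire the GPC detection, tracker suppression and audit-trail criteria above into a single gate, as an added example in plain JavaScript that is not code from the article or from any CMP vendor. The category flags, the state notice labels, the shape of the stored choice object and the tracker registry are assumptions chosen for illustration; the two GPC surfaces it reads (navigator.globalPrivacyControl in the browser, the Sec-GPC request header on the server) are the real signal.

```javascript
// Added example, not code from the article or from any CMP vendor: a minimal
// US-calibrated consent resolver. Category names, the state notice table and the
// decision shape are assumptions chosen for illustration.

// Which categories involve a "sale or share" that a GPC signal or an opt-out
// must suppress (mirrors the cookie table above; assumed flags).
const CATEGORY_SALE_OR_SHARE = {
  necessary: false,
  analytics: false,        // assumed: first-party analytics, not shared cross-context
  personalization: false,
  advertising: true,       // retargeting pixels are the classic sale/share case
};

// Opt-out wording keyed by state code (assumed labels, not statutory text).
const STATE_OPT_OUT_NOTICE = {
  CA: 'Do Not Sell or Share My Personal Information',
  TX: 'Opt out of sale of personal data and targeted advertising',
};

// GPC can be read client-side from navigator.globalPrivacyControl ...
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// ... or server-side from the Sec-GPC request header, which is "1" when set.
function gpcFromHeaders(headers) {
  if (!headers) return false;
  const value = headers['sec-gpc'] !== undefined ? headers['sec-gpc'] : headers['Sec-GPC'];
  return String(value).trim() === '1';
}

// Decide which categories may fire for one visitor. A GPC signal is a valid
// opt-out and overrides an earlier stored "accept". With no stored choice only
// strictly necessary cookies fire (a conservative default chosen here).
function resolveConsent({ storedChoice = null, gpc = false, state = null } = {}) {
  const optedOutOfSale = gpc || Boolean(storedChoice && storedChoice.doNotSellOrShare);
  const allowed = ['necessary'];
  for (const category of Object.keys(CATEGORY_SALE_OR_SHARE)) {
    if (category === 'necessary') continue;
    const chosen = Boolean(storedChoice && storedChoice[category]);
    const blocked = optedOutOfSale && CATEGORY_SALE_OR_SHARE[category];
    if (chosen && !blocked) allowed.push(category);
  }
  return { allowed, optedOutOfSale, optOutNotice: STATE_OPT_OUT_NOTICE[state] || null };
}

// Fire only trackers whose category was allowed. Loaders are injected so the
// same gate works for client-side script tags and server-side tag forwarding.
function fireTrackers(decision, registry) {
  const fired = [];
  for (const tracker of registry) {
    if (decision.allowed.includes(tracker.category)) {
      tracker.load();
      fired.push(tracker.name);
    }
  }
  return fired;
}

// Audit-trail entry: what the visitor saw, what they chose, what actually ran.
function consentRecord({ visitorId, noticeVersion, decision, fired, now = Date.now() }) {
  return {
    visitorId,
    noticeVersion,
    recordedAt: new Date(now).toISOString(),
    gpcHonored: decision.optedOutOfSale,
    allowedCategories: [...decision.allowed],
    firedTrackers: [...fired],
  };
}

// Constructed walk-through: a California visitor with GPC on who once clicked
// "accept all" before enabling the signal. Advertising must not fire.
function demo() {
  const decision = resolveConsent({
    gpc: gpcFromHeaders({ 'sec-gpc': '1' }),
    state: 'CA',
    storedChoice: { analytics: true, advertising: true, personalization: true },
  });
  const loaded = [];
  const registry = [
    { name: 'session-cookie', category: 'necessary', load: () => loaded.push('session-cookie') },
    { name: 'GA4', category: 'analytics', load: () => loaded.push('GA4') },
    { name: 'Meta Pixel', category: 'advertising', load: () => loaded.push('Meta Pixel') },
  ];
  const fired = fireTrackers(decision, registry);
  return consentRecord({ visitorId: 'anon-demo-1', noticeVersion: '2026-04', decision, fired });
}
```

The resolver deliberately lets the GPC signal win over a stored "accept", since the signal is the later and more specific opt-out. A real deployment would also need a source for the visitor's state (geolocation or a self-declaration) to pick the notice, and would persist the record somewhere an attorney general's office could later be shown.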
Special case: AI chatbots, FERPA, and conversation data
The AI chatbot deployed on your school website occupies an unusual compliance position. For a visitor who has never enrolled — a high school junior researching tuition costs, a parent comparing programs — the chatbot is a consumer-facing product governed by FTC transparency requirements and applicable state privacy laws. The moment that same chatbot is accessed by an enrolled student asking about their financial aid status or grade appeal, FERPA enters the picture.
Managing this dual-mode compliance requirement is not optional. The chatbot cannot access, display, or confirm any information from an enrolled student's education record without FERPA authorization. This means the chatbot must be configured to handle general institutional questions and escalate immediately to a human counselor when the conversation moves into territory that would require accessing the student's individual record. A chatbot that retrieves a student's GPA, financial aid award, or academic standing in response to a chat query is a FERPA violation if the appropriate safeguards are not in place.
For prospect interactions, three disclosures are legally and ethically required before data collection begins: that the visitor is interacting with an AI system (not a human counselor), what data is collected during the conversation and how it is used, and how the visitor can request deletion of their conversation data. Several state AI transparency laws — including Colorado's AI Act, effective 2026 — require affirmative disclosure that an automated system is being used. The FTC has signaled that failure to disclose AI identity in consumer-facing contexts constitutes a deceptive practice.
Conversation data retention is the compliance point most institutions get wrong. Default chatbot configurations often retain full conversation transcripts indefinitely. Best practice — endorsed by EDUCAUSE and consistent with state privacy law minimization principles — is to auto-delete conversation transcripts at 12 months, with automatic anonymization of any sensitive data (disability status, financial hardship, health information that prospects frequently volunteer in chat) within 30 days.
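The two-tier rule described above (redact flagged sensitive spans at 30 days, delete the whole transcript at 12 months, never touch records under a documented legal hold) as an added example in JavaScript that is not code from the article or from any chatbot vendor. The record shape, the convention that an upstream classifier has already flagged sensitive spans, the "12 months equals 365 days" cut-off and the sample transcripts are all assumptions constructed for the example.

```javascript
// Added example, not from the article or any chatbot vendor: applying the
// two-tier retention rule to a constructed batch of transcripts. Record shape,
// flagged-span convention and "12 months = 365 days" are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const REDACT_AFTER_DAYS = 30;   // anonymize flagged sensitive spans
const DELETE_AFTER_DAYS = 365;  // drop the whole transcript

function ageInDays(isoTimestamp, now) {
  return (now - Date.parse(isoTimestamp)) / DAY_MS;
}

// Replace every flagged span with a fixed token. Flagging is assumed to come
// from an upstream classifier; this step only enforces what was flagged.
function redactSpans(text, spans) {
  return spans.reduce((out, span) => out.split(span).join('[REDACTED]'), text);
}

// Returns the surviving records, the ids deleted, and a per-record action log
// (the log is what you show a regulator who asks how the schedule is enforced).
function applyRetention(transcripts, now = Date.now()) {
  const kept = [];
  const deleted = [];
  const actions = [];
  for (const t of transcripts) {
    const age = ageInDays(t.lastActivity, now);
    if (t.legalHold) {                       // documented legal basis: retain untouched
      kept.push(t); actions.push({ id: t.id, action: 'hold' }); continue;
    }
    if (age > DELETE_AFTER_DAYS) {
      deleted.push(t.id); actions.push({ id: t.id, action: 'delete' }); continue;
    }
    if (age > REDACT_AFTER_DAYS && t.sensitiveSpans.length > 0) {
      kept.push({
        ...t,
        messages: t.messages.map(m => ({ ...m, text: redactSpans(m.text, t.sensitiveSpans) })),
        sensitiveSpans: [],
        redactedAt: new Date(now).toISOString(),
      });
      actions.push({ id: t.id, action: 'redact' });
      continue;
    }
    kept.push(t); actions.push({ id: t.id, action: 'keep' });
  }
  return { kept, deleted, actions };
}

// Constructed sample: four transcripts evaluated as of 2026-04-15.
const SAMPLE_NOW = Date.parse('2026-04-15T00:00:00Z');
const SAMPLE_TRANSCRIPTS = [
  { id: 't1', lastActivity: '2026-04-05T10:00:00Z', legalHold: false, sensitiveSpans: [],
    messages: [{ role: 'user', text: 'What is the application deadline?' }] },
  { id: 't2', lastActivity: '2026-02-01T10:00:00Z', legalHold: false,
    sensitiveSpans: ['I have a hearing disability'],
    messages: [{ role: 'user', text: 'I have a hearing disability, is the tour accessible?' }] },
  { id: 't3', lastActivity: '2025-03-01T10:00:00Z', legalHold: false, sensitiveSpans: [],
    messages: [{ role: 'user', text: 'Do you offer evening classes?' }] },
  { id: 't4', lastActivity: '2025-03-01T10:00:00Z', legalHold: true, sensitiveSpans: [],
    messages: [{ role: 'user', text: 'I want to appeal my admission decision.' }] },
];

function runSample() {
  return applyRetention(SAMPLE_TRANSCRIPTS, SAMPLE_NOW);
}
```

Run as a scheduled job, the action log doubles as the evidence that the retention schedule is actually enforced rather than merely written down. The hard part this example leaves to the upstream classifier is deciding what counts as sensitive; the enforcement step should stay this simple so that it can be audited.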
The Student Privacy Compass provides specific guidance on chatbot and AI deployments in K–12 and higher education contexts. The FERPA guidance from the US Department of Education's Student Privacy Policy Office addresses the intersection of automated systems and education record access obligations.
FAQ
Does FERPA apply to our school website's cookies and analytics?
FERPA applies to education records — data that is directly related to a student and maintained by the institution. A Google Analytics session from a prospective student who has never enrolled is not an education record, and FERPA does not directly govern that cookie. However, if your analytics platform creates a persistent identifier tied to a user who later enrolls, and that identifier is maintained as part of the student's record, FERPA obligations attach. More practically: if your analytics vendor receives data about enrolled students' web behavior — logged-in portal pages, degree audit access, LMS activity — that vendor may need to be designated as a "school official" with a legitimate educational interest under FERPA, and your data sharing with that vendor must be governed by a data processing agreement. FERPA is not a cookie law, but it shapes how analytics data about enrolled students can be handled.
How do we collect valid consent on campus tour registration forms?
For a US college, "valid consent" is a spectrum rather than a single standard. At the federal level, CAN-SPAM requires only that you offer an unsubscribe mechanism for marketing emails — it does not require opt-in consent. But California's CCPA requires opt-in consent before selling or sharing the data of residents under 16, and COPPA requires verifiable parental consent for any personal information collected from children under 13. Best practice across all states: include a clear privacy notice on the registration form (institution identity, purpose of collection, data categories, retention period, link to full privacy policy), use unchecked opt-in checkboxes for any marketing communications, and do not condition form submission on marketing consent. This approach satisfies both the federal minimum and the most stringent state requirements.
What happens if a prospective student asks us to delete their data?
Under CCPA and similar state statutes, a California resident who submits a deletion request must receive a response within 45 days (with a 45-day extension available if you notify the requester). The deletion must be effective across all systems: CRM, email platform, chatbot conversation history, shared files, and backups. You must also direct any service providers who received the data to delete it. You are not required to delete data you need to comply with a legal obligation (tax records, degree records for enrolled students, data necessary for a pending legal claim) — but you must document the legal basis for any retained data and communicate that basis to the requester. For prospects who never enrolled, the practical scope of a deletion request is typically narrower than for enrolled students, but the operational challenge — knowing where every piece of prospect data lives across your systems — is the same. Our data privacy audit checklist for schools includes a step-by-step process for mapping data locations before you receive your first deletion request.
How long can we keep inquiry form data under US privacy laws?
No federal statute sets a maximum retention period for prospect inquiry data. The FTC and state privacy laws require that data be retained only as long as necessary for the stated purpose. Best practice, consistent with EDUCAUSE guidance and NIST Privacy Framework principles: retain first-contact inquiry data for no more than 12 months after the last active contact if the prospect has not applied; retain incomplete application data for up to 24 months; delete rejected application records within 6 months of the rejection notification. Financial records and enrolled student academic records carry different retention obligations driven by IRS requirements (7 years for financial data) and FERPA (permanent retention of academic transcripts). The key compliance action is documenting your retention schedule, enforcing it through automated CRM purging, and being able to demonstrate that enforcement to a regulator if asked.
Cookie consent and form compliance for US colleges is not a checkbox exercise — it is an ongoing operational commitment that spans your admissions, marketing, IT, and legal teams. The patchwork of federal statutes and state privacy laws will continue to expand: five additional states are projected to enact comprehensive privacy legislation by the end of 2026, and federal legislative activity on AI disclosure and consumer data rights is accelerating.
The institutions that manage this complexity most effectively are the ones that build privacy into their data collection infrastructure from the outset — not as a legal afterthought, but as a prospect trust signal. In a recruitment environment where 73% of 18-to-24-year-olds say data protection influences their institution choice, compliance and conversion are not competing priorities.