Beyond COPPA: How US State Student-Privacy Laws (SOPIPA and Others) Treat Children's Images

Łukasz Bonczol
Published: 6/1/2026

Stripping a photo or video of recognizable people and identifiers - so they can no longer be directly recognized in what gets published - is the job of visual anonymization. In school and EdTech publishing, the most common techniques are face blurring, which masks a student’s face, and license plate blurring, which masks vehicle plates visible in campus footage, field-trip photos, parking-lot videos, or public-event recordings.

This article is not legal advice. It explains a common compliance approach for organisations that publish images or videos involving children and students in the United States. The key point is practical: COPPA is important, but multi-state K-12 operators cannot stop at COPPA. State student-privacy laws often create stricter expectations for operators that collect, use, disclose, or share student-linked visual material.

What COPPA covers when children appear in photos and videos?

The Children’s Online Privacy Protection Act and the COPPA Rule apply to operators of websites and online services directed to children under 13, and to operators with actual knowledge that they collect personal information from children under 13 [1]. COPPA is federal law, so it gives a national baseline for covered online services.

For visual publishing, the important detail is that the COPPA Rule defines personal information to include a photograph, video, or audio file that contains a child’s image or voice [1]. That means an online service collecting, using, or disclosing identifiable child images cannot treat the image as a harmless media asset merely because it does not show a name or email address.

COPPA is strongest where the operator is collecting personal information from children under 13 through an online service. It is less complete as a general publication rule for all school-related media. A K-12 vendor may also operate under school consent in limited educational contexts, but that does not automatically cover marketing, PR, public case studies, social media posts, or broad promotional reuse [2]. Those scenarios need a separate review.

Why state student-privacy laws matter beyond COPPA?

State student-privacy statutes usually focus on operators, service providers, and vendors handling student information for school purposes. They often restrict targeted advertising, profiling, sale of student information, unauthorized disclosure, and retention. Many of them were drafted for online services, learning platforms, cloud systems, and digital tools, but their definitions can reach student-linked visual data.

California’s SOPIPA is the best-known example. It regulates operators of websites, online services, online applications, or mobile applications used primarily for K-12 school purposes and designed and marketed for K-12 purposes. It restricts targeted advertising, creation of certain student profiles, sale of covered information, and unauthorized disclosure [3]. A student image may be covered where it is provided through the service, linked to a student account, tied to a classroom activity, or otherwise connected with student information.

Other states follow similar policy logic, but not identical wording. Illinois SOPPA is particularly relevant because student-generated content can expressly include photographs and audio files, and biometric information can include voiceprints and facial characteristics [4]. New York Education Law 2-d and its implementing rules focus on personally identifiable information, student data, contracts, security, and parent rights [5]. Colorado and Connecticut laws also regulate student personally identifiable information and operator responsibilities [6], [7]. Texas has a student information protection framework with restrictions on covered information, targeted advertising, profiling, sale, and disclosure [8].

The result for multi-state operators is simple but demanding: a photo or video that is low-risk under one state’s wording may still be treated as regulated student information under another state’s broader definition or contract requirements.

A man writes complex mathematical and chemical formulas on a large board, surrounded by graphs and equations.

US state comparison for student images in photos and video

Jurisdiction

Relevant student-privacy framework

How children’s images may be treated

Publishing risk for photos and videos

Federal COPPA baseline

 

California

SOPIPA, Cal. Bus. & Prof. Code § 22584

Images may fall within covered information when created, provided, or gathered through a K-12 service and linked to a student or school purpose.

High where images are used for ads, profiles, testimonials, social media, vendor marketing, or disclosure outside the school purpose.

COPPA covers under-13 child photos and videos collected by online services directed to children or with actual knowledge.

Illinois

Student Online Personal Protection Act, 105 ILCS 85

Student-generated content can include photographs and audio files, making visual and audio media directly relevant.

High for identifiable student media stored in platforms, used in case studies, or disclosed to third parties without the required basis.

COPPA still applies to under-13 online collection, but Illinois can be more explicit for student photos and audio files.

New York

Education Law § 2-d and 8 NYCRR Part 121

Images can be relevant where they are personally identifiable information or part of protected student data handled by a vendor or school system.

High where contracts, security controls, parent rights, or disclosure limits apply to the media workflow.

COPPA does not replace New York contract and student-data obligations.

Colorado

Student Data Transparency and Security Act

Visual media may be treated as student personally identifiable information when linked to a student record, account, classroom activity, or service use.

Medium to high, depending on whether the image is connected to student data and whether the operator uses it beyond the educational purpose.

COPPA is narrower because it focuses on under-13 online child data collection.

Connecticut

Student data privacy statutes, Conn. Gen. Stat. §§ 10-234aa to 10-234dd

Images can become student information, student records, or student-generated content depending on context and platform use.

Medium to high for EdTech vendors, especially where deletion, security, contract, or redisclosure duties are triggered.

COPPA remains a federal floor, not a full publication framework.

Texas

Texas Education Code, Chapter 32, Subchapter D

Student-linked visual material may be covered where handled by an operator in connection with K-12 school purposes.

Medium to high where media is used for advertising, profiling, sale, or disclosure beyond authorized purposes.

COPPA applies only where its under-13 online-service criteria are met.

Face blurring as the baseline for the strictest applicable state

Face blurring is not a magic shield. Poor-quality blurring, remaining voice, jerseys with names, visible screens, tattoos, badges, or contextual clues can still identify a student. However, for publication workflows, redacting faces before external publication is a defensible baseline when a company, school district, agency, or vendor does not need the child’s identity to communicate the story.

The same logic applies to license plate blurring in school-adjacent video. License plates may not be the core of student-privacy statutes, but plates visible in pickup lines, parking lots, buses, or residential streets can identify families, staff, or students by context. For public-facing media, the business question is whether the plate is necessary. Usually, it is not.

Organisations often document narrow publication rationales before deciding not to blur a person:

  1. the person is a public figure,
  2. the person’s image is part of a wider scene, especially an event open to families or the public, such as a concert, sports event, or ceremony,
  3. the person, or for a minor the parent or guardian, gave a valid release or authorization for use of the image.

For children and students, each rationale remains context-dependent and should not be treated as a shortcut around COPPA, state student-privacy laws, school policy, or parental expectations.

A black-and-white map of the southern US states, covered with numerous pushpins. Alabama is clearly visible, surrounded by a cluster of pushpins.

What visual data anonymization should and should not promise?

A useful redaction workflow separates automatic detection from human review. Gallio PRO supports visual data anonymization for photos and videos by automatically detecting and blurring faces and license plates. It is designed for files, not real-time anonymization and not video stream anonymization.

The limitation matters. Automatic detection covers faces and license plates only. It does not automatically detect logos, tattoos, name tags, documents, classroom posters, whiteboards, or content visible on monitor screens. Those elements can still identify a student or reveal a school context. They should be checked manually where relevant.

Manual editing is therefore part of the control, not an afterthought. A reviewer can use the built-in editor to blur additional visible items that the automatic process is not designed to detect. Teams that need to redact recorded school events, hallway footage, student interviews, or campus videos can review a practical video anonymization workflow before selecting a deployment model.

For sensitive K-12 use cases, on-premise software can also be important. On-premise software means the redaction tool runs within the organisation’s own infrastructure rather than sending media files to an external cloud service by default. That model can help privacy, IT, and procurement teams reduce transfer points and align with stricter vendor-risk expectations. Gallio PRO does not store logs containing detection data or personal data.

A practical workflow for multi-state EdTech and K-12 operators

  1. First, identify the publishing purpose. A classroom archive, parent portal, district newsletter, public website, vendor case study, and paid social campaign do not carry the same risk.
  2. Second, classify the visual material. Check whether faces, voices, license plates, school uniforms, name tags, screens, posters, location clues, or unique student attributes are visible.
  3. Third, map the states involved. A vendor serving California, Illinois, New York, Colorado, Connecticut, and Texas should not apply only the narrowest rule. The operational baseline should reflect the strictest applicable state and the contract terms with school districts.
  4. Fourth, apply face blurring and license plate blurring before publication unless the identifiable image is necessary and properly authorized. When the image is used only to show a classroom, event, product interface, school facility, or activity, identifiable faces rarely add value.
  5. Fifth, run manual review for items outside automatic detection. Logos, tattoos, name tags, documents, and monitor content require human attention because they are not automatically detected.
  6. Sixth, retain a simple decision record. The record should say what was published, what was blurred, who approved the publication, and why any visible student image remained unredacted.

Teams that want to test this file-based workflow can download the free demo and evaluate it on representative photos and videos before using it in production.

A laptop on a wooden desk, surrounded by a cup of coffee, documents, and a pen.

When individual consultation is usually needed?

Individual review is often needed where a vendor publishes school customer stories, where a district releases video from security cameras, where a state agency posts footage from youth programs, or where a company wants an on-premise setup for sensitive media. In those cases, privacy counsel, procurement, IT security, and communications teams should agree on the same publication standard before launch.

For enterprise deployment, on-premise configuration, or a specific multi-state compliance case, organisations can get in touch to discuss the operational setup.

Key takeaway for publishing children’s images in the United States

COPPA expressly treats photos and videos containing a child’s image or voice as personal information when collected by covered online services. State student-privacy laws then add another layer, especially for K-12 operators and vendors. California SOPIPA, Illinois SOPPA, New York Education Law 2-d, Colorado, Connecticut, and Texas laws do not use identical wording, but they point in the same direction: student-linked visual media should not be reused, disclosed, profiled, sold, or published casually.

For multi-state operators, the safest operational habit is not to ask whether one statute literally says “photo” in every clause. The better business practice is to ask whether the image identifies a student, whether the publication purpose requires identification, and whether redaction can achieve the same communication goal with less privacy risk.

A question mark formed from tiny beads on a scratched wooden surface. Black-and-white image.

FAQ: COPPA, state student-privacy laws, and children’s images

Does COPPA apply to every school photo?

No. COPPA applies to covered online services directed to children under 13 or services with actual knowledge that they collect personal information from children under 13. A school photo can still be regulated by state student-privacy law, school policy, contract terms, or other rules even where COPPA is not the central issue.

Are children’s faces personal information under COPPA?

Yes, where the COPPA Rule applies. The Rule includes a photograph, video, or audio file containing a child’s image or voice within the definition of personal information [1].

Does face blurring make a student photo fully anonymous?

Not always. Face blurring reduces identifiability, but other visual clues can remain. Jerseys, name tags, tattoos, classroom screens, school banners, location clues, and voice can still identify a student. The result is context-dependent.

Do state student-privacy laws expressly mention photos?

Some do, and some use broader concepts. Illinois SOPPA expressly lists photographs as a type of student-generated content and also covers certain audio files [4]. Other state laws may capture images when they are linked to student data, student accounts, school services, or education records.

Should license plates be blurred in school videos?

Often, yes as a business practice. License plates visible in school parking lots, pickup lines, field trips, or neighborhood footage may identify families or students by context. If the plate is not necessary for the publication purpose, blurring is usually a low-friction risk reduction measure.

Can automatic software blur everything that might identify a student?

No. In Gallio PRO, automatic detection covers faces and license plates only. Logos, tattoos, name tags, documents, posters, and screen content require manual review and, where necessary, manual blurring.

References list

  1. Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506; Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312.
  2. Federal Trade Commission, Complying with COPPA: Frequently Asked Questions, including guidance on photos, videos, audio recordings, and school consent.
  3. California Business and Professions Code § 22584, Student Online Personal Information Protection Act.
  4. Illinois Student Online Personal Protection Act, 105 ILCS 85.
  5. New York Education Law § 2-d; 8 NYCRR Part 121.
  6. Colorado Student Data Transparency and Security Act, Colorado Revised Statutes §§ 22-16-101 to 22-16-112.
  7. Connecticut General Statutes §§ 10-234aa to 10-234dd, student data privacy provisions.
  8. Texas Education Code, Chapter 32, Subchapter D, student information protection provisions.