What you get for $2,000
One attorney-supervised review pass across all three documents plus the gap memo
- Redline of Terms of Service against EdTech-specific risk: minor-account formation, parental consent flows, liability allocation for under-13 user actions, payment and refund mechanics, governing law and dispute resolution clauses scaled to a K-8 audience.
- Redline of Privacy Policy against COPPA (16 C.F.R. Part 312) as amended by the FTC's final rule of April 22, 2025 (effective June 23, 2025), the Oregon Consumer Privacy Act including HB 2008 (2025) child-data amendments, and standard B2C / B2B disclosures.
- DPA hardening pass: subprocessor flowdown, breach notification timing, audit rights, return-or-deletion-on-termination, schedule of processing activities, FERPA pass-through language where the customer is an institution covered by 20 U.S.C. § 1232g and 34 C.F.R. Part 99.
- Gap memo: one document tying every finding to the relevant clause and statute, with prioritization (must-fix before launch, should-fix in the first 90 days, watch items for monitoring).
- Up to three rounds of revisions on each deliverable after you read my comments.
Direct-booking prices on Terms.Law reflect the absence of third-party platform fees, marketplace administration, or platform-specific workflow overhead. If we first connected through a third-party marketplace, all communications and payments must remain on that platform unless the relationship is converted in accordance with that platform's rules.
The four workstreams inside the package
1. COPPA applicability and collection map
The April 22, 2025 FTC final rule tightened verifiable parental consent, added a separate consent for disclosure to third parties beyond what is integral to the service, and updated the safe-harbor framework. Whether your product is "directed to children under 13" under 16 C.F.R. § 312.2 turns on the totality-of-circumstances factors (subject matter, visual content, audio content, language, age models, and marketing). I map your actual data flows against those factors and identify which COPPA obligations attach.
2. FERPA pass-through (where applicable)
FERPA (20 U.S.C. § 1232g; 34 C.F.R. Part 99) applies to educational agencies and institutions that receive U.S. Department of Education funds. A pure consumer enrichment app sold directly to families is generally not FERPA-governed; the same product sold as a school operator under the school-official exception (34 C.F.R. § 99.31(a)(1)(i)(B)) is. I identify which posture your product is in, and draft DPA language that supports FERPA-covered customers where applicable without falsely implying every operator relationship is FERPA-governed.
3. Oregon Consumer Privacy Act (OCPA) including HB 2008
OCPA went into effect July 1, 2024 with a $25,000 personal-information threshold (lower for sensitive data) and standard rights of access, correction, deletion, portability, and opt-out of targeted advertising / sale / profiling. HB 2008 (2025) layers a narrower set of child-data restrictions on top: targeted advertising, sale, and certain profiling and precise-geolocation processing are restricted for users under 16. I scrub the Privacy Policy and DPA against both layers.
4. DPA hardening and B2B operator architecture
The DPA is where most pre-launch EdTech founders carry the biggest exposure. I tighten subprocessor flowdown, breach notification timing, audit rights, return-or-deletion on termination, the processing-activities schedule, the controller-processor allocation, and the liability cap structure. I also pressure-test the operator-as-controller boundary against the school-as-controller boundary so the DPA reads coherently to enterprise customers.
One important caveat about FERPA scope
The California AADC question
The California Age-Appropriate Design Code (Cal. Civ. Code § 1798.99.28 et seq., AB 2273) imposes additional design and assessment obligations on businesses likely to be accessed by minors. As of this writing the statute remains in active litigation in the Ninth Circuit (NetChoice v. Bonta), with portions enjoined and the operative scope of the law unsettled. I flag the current posture, identify which provisions are presently enforceable, and recommend a calibrated compliance position rather than a maximalist build-to-the-broadest-reading approach.
Want a preliminary read before you book?
Upload your draft Terms of Service, Privacy Policy, or DPA to the AI Legal Analyst chatbox on this page. The chatbox scans against COPPA (2025 amendments), FERPA pass-through, OCPA including HB 2008, and the DPA hardening checklist, and returns a per-issue findings summary with severity flags. Attorney-supervised AI Legal Analyst output is not legal advice; the deeper review and the gap memo are the engagement.
Deliverables
- Redlined Terms of Service (Word, tracked changes).
- Redlined Privacy Policy (Word, tracked changes).
- Redlined / hardened DPA (Word, tracked changes), with a processing-activities schedule template attached.
- Gap memo (PDF) mapping every finding to the specific clause and statute, with priority (must-fix before launch / should-fix in 90 days / watch).
- Up to three rounds of revisions on each deliverable after you read my comments.
First delivery is three business days from receipt of the full document set and a one-page intake (company posture, customer mix, geographies served, ages targeted, data categories collected).
Excluded from this package
Who this is for
- Pre-launch EdTech founders with v2 or v3 documents ready for an attorney pass before public release, especially K-8 / K-12 / youth-enrichment products.
- Post-MVP EdTech operators who have grown into FERPA-pass-through territory and need the DPA to credibly survive a school-district procurement review.
- SaaS founders pivoting into youth audiences whose existing privacy stack was built for B2C adults and now needs a COPPA / OCPA layer.
- Children's app companies currently using a template DPA who need it tightened for enterprise / district customers.
Ready to engage
The $2,000 direct-booking package covers all four workstreams above plus the gap memo and up to three rounds of revisions on each deliverable. First delivery is three business days from receipt of the full document set.
The PayPal Now Checkout link for this tier is being provisioned. To start the engagement, email me at owner@terms.law with the three documents attached and a one-page intake (company posture, customer mix, geographies served, ages targeted, data categories collected), and I will reply with the engagement confirmation and the correct payment link.
I do not run a free intake call or a free document scan before engagement. The chatbox above is the free preliminary read; the deeper review and the gap memo are the engagement.
Related reading on this site
- Online K-12 School Legal Hub - the broader K-12 / EdTech compliance landscape, including the operator-as-controller / school-as-controller architecture and a current-year statutory map.
- COPPA Compliance Checker - an interactive tool that walks through the totality-of-circumstances factors used to determine whether a product is "directed to children" under 16 C.F.R. § 312.2.
- Children's Privacy & COPPA FAQ - common questions on verifiable parental consent, the integral-service exception, and the 2025 amendments.
- DPA Generator - the template generator that produces a baseline Data Processing Agreement, useful as a starting point before the engagement-level hardening pass.
- SaaS Agreement Review - the broader SaaS / contract review service for products that are not specifically EdTech-targeted.