If your church uses any AI-powered tool, a chatbot for prayer requests, an app that tracks children’s attendance, a platform that generates lesson plans, or software that stores volunteer information, and children are involved in your ministry, you have legal and ethical obligations that most church leaders have never been trained on.

This is especially true when children in foster care are part of your congregation. Foster children carry a layer of legal protection around their personal data that goes beyond what applies to other minors. Getting this wrong is not just an ethical failure. It can expose your church to legal liability and, more importantly, put a vulnerable child at risk.

This article is not legal advice. It is a practical orientation to the legal landscape and a set of concrete steps your church can take to handle children’s data responsibly when AI tools are involved.

The Legal Framework You Need to Know

COPPA, Children’s Online Privacy Protection Act

COPPA is the federal law that governs the collection of personal information from children under 13 online. On June 23, 2025, a significant update to COPPA went into effect with direct implications for AI. The updated rule, issued by the Federal Trade Commission, explicitly states that using a child’s personal information to train or develop AI systems requires separate, verifiable parental consent, it is not covered by general consent to use a service.

The updated rule also expands the definition of “personal information” to include biometric identifiers such as voiceprints and facial templates, prohibits indefinite retention of children’s data, and requires written data retention policies. (Source: Akin Gump, “New COPPA Obligations for AI Technologies Collecting Data from Children,” June 23, 2025)

What this means for your church: If your church uses any AI tool that collects information from children under 13, including voice data, images, or behavioral data, you need verifiable parental consent before that data is collected or used. If the tool’s vendor uses that data to train AI models, you need separate consent for that specific purpose.

FERPA, Family Educational Rights and Privacy Act

FERPA protects educational records. If your church runs an after-school program, a tutoring ministry, a vacation Bible school with records, or any program that generates records about a child’s learning or development, those records may qualify as educational records under FERPA.

AI-generated assessments of a child’s spiritual development, learning progress, or behavioral patterns could constitute educational records. These cannot be shared without written consent from the parent or guardian, with limited exceptions for health and safety emergencies. (Source: U.S. Department of Education, FERPA Regulations, ed.gov)

HIPAA, Health Insurance Portability and Accountability Act

If your church uses an AI-based counseling platform, a mental health support app, or any tool that records health or mental health information about a child, that data may qualify as protected health information under HIPAA. This requires specific safeguards, breach notification procedures, and Business Associate Agreements with any vendor handling that data. (Source: U.S. Department of Health and Human Services, HIPAA Privacy Rule, hhs.gov)

State Child Protection Laws

Every state has mandatory reporting laws that require certain individuals, including many church workers, to report suspected abuse or neglect. If an AI tool flags a child as potentially at risk, that flag must trigger your church’s mandatory reporting workflow, not just an internal notification. The AI does not replace the human obligation to report.

State laws also vary significantly in their data privacy requirements for minors. Your church’s obligations depend on the state where the child resides. (Source: National Conference of State Legislatures, Child Abuse Reporting Laws, ncsl.org)

Special Considerations for Children in Foster Care

Children in foster care carry an additional layer of legal protection that most church workers are unaware of. The Administration for Children and Families at the U.S. Department of Health and Human Services has published extensive guidance on data privacy for children in foster care, emphasizing that their personal information requires heightened protection. (Source: ACF, Confidentiality Toolkit, acf.gov, 2021)

Agency Authorization Is Required

Before collecting any personal data about a child in foster care, including through an AI tool, you need written permission from the child-welfare agency responsible for that child. The foster parent alone cannot provide this consent. The agency must authorize it.

This means that if a child in foster care participates in your church’s AI-assisted children’s ministry program, you need to contact the relevant agency before enrolling them in any data-collecting system.

Foster Care Status Is Confidential

A child’s foster care status is itself confidential information. It should not be shared with other volunteers, other children, or other families without explicit authorization. This includes not mentioning it in prayer requests, small group settings, or any context where it could be overheard.

Data Segregation

Information about children in foster care should be kept separate from general ministry records, stored securely, with access limited to staff who have a legitimate need to know and who have signed confidentiality agreements.

Emergency Disclosure

If an AI tool or any ministry worker identifies a child in foster care as potentially at risk, the mandatory reporting obligation applies immediately. Contact the appropriate child protective services agency. The AI does not replace the human obligation to report.

Practical Steps for Your Church

1. Audit Your AI Tools

Make a list of every AI-powered tool your church uses that touches children’s data. For each tool, ask: What data does it collect? Where is it stored? Who has access? Does the vendor use this data to train AI models? What is the data retention policy?

Common tools to audit include check-in systems, attendance apps, curriculum platforms, chatbots, and any communication tools that store messages involving minors.

2. Update Your Consent Forms

Your existing consent forms almost certainly do not cover AI data collection. Update them to include a clear description of what AI tools are used and what data they collect, explicit consent for AI-specific data uses, a separate section for children in foster care acknowledging the need for agency authorization, and a data retention statement.

3. Update Your Child Protection Policy

Add a data privacy addendum to your child protection policy that addresses purpose limitation, data minimization, retention schedules, foster care protocols, and breach response procedures.

4. Train Your Volunteers

Most children’s ministry volunteers have no training on data privacy. They need to know what information about children is confidential, that foster care status is especially sensitive, what to do if they have a concern about a child’s safety, and who to contact with questions.

5. Vet Your Vendors

Before adopting any AI tool that will touch children’s data, ask the vendor whether their platform is COPPA-compliant, whether they use user data to train AI models, what their data retention policy is, and whether they will sign a Business Associate Agreement if health data is involved.

The Bigger Picture

The legal framework around AI and children’s data is evolving rapidly. The 2025 COPPA update is one of several recent developments that have tightened requirements for organizations that collect children’s data. More changes are likely at both the federal and state level.

The church has a responsibility that goes beyond legal compliance. Children, especially children in foster care, are among the most vulnerable people in our communities. They deserve to have their information handled with the same care and dignity that we would want for our own children.

The Vatican’s Pontifical Academy of Sciences, in a March 2025 conference on AI and child safety, called on churches to be “promoters of an education for a safer way to engage with the social media world and digital world in general.” (Source: EWTN Vatican, March 2025) That responsibility extends to how we handle children’s data in our own ministry systems.

Ministry Resources

• AI Ethics in Ministry Hub
• Church AI Policy Template
• Child Safety and Protection Kit
• Volunteer Management Resources

Sources

• Federal Trade Commission, COPPA Final Rule Update, effective June 23, 2025 (akingump.com)
• U.S. Department of Education, FERPA Regulations (ed.gov)
• U.S. Department of Health and Human Services, HIPAA Privacy Rule (hhs.gov)
• Administration for Children and Families, Confidentiality Toolkit, 2021 (acf.gov)
• National Conference of State Legislatures, Child Abuse Reporting Laws (ncsl.org)
• Child Welfare Information Gateway, Protecting the Privacy of Children in Foster Care (childwelfare.gov)
• EWTN Vatican, “Experts Champion Catholic Church’s Role to Promote Child Safety in AI Sphere,” March 2025