Whether your company is in the educational technology business or you have kids in schools where ed tech is used, you’ll want to read the FTC’s Policy Statement on Education Technology and the Children’s Online Privacy Protection Act. The key takeaway: Kids shouldn’t have to surrender their privacy rights to do their schoolwork or attend class remotely. That’s why companies can’t require parents and schools to agree to the comprehensive surveillance of children as a condition of using learning tools.
For 22 years, the COPPA Rule has been at the center of the FTC’s efforts to ensure that children’s privacy is protected in the digital world. But two converging developments suggest the need for clarity in how the FTC will continue to enforce COPPA.
One development is the proliferation of technologies that monetize the collection of personal information. Companies are able to target ever closer to the bullseye, which raises serious concerns about whether they’re building profiles of kids. That was part of the driving force to amend COPPA in 2013 to expand the definition of “personal information” to include persistent identifiers used to target ads to children and to hold third parties like advertising networks liable for the illegal collection of kids’ information.
The other major change is the introduction of educational technology devices and apps into the classroom – a development hastened by the COVID-motivated move to remote schooling. Sure, ed tech may have the potential to enhance learning, but at what price? The FTC’s concern is that ed tech doesn’t become a pretext for companies to collect personal information in the classroom and in the home. Parents are understandably concerned about the information ed tech companies are gathering, how they might be using it, and the extent to which it might be shared with third parties. What’s more, many Moms and Dads are troubled by the extent to which ed tech could make their kids a captive audience for advertisers.
What about a system of notice and consent? Permission slips may work for field trips to the zoo, but they seem ill-suited in this context. In enacting COPPA, Congress empowered the FTC to do more than just administer notice and consent procedures. As the Policy Statement makes clear, “The Commission’s COPPA authority demands enforcement of meaningful substantive limitations on operators’ ability to collect, use, and retain children’s data, and requirements to keep that data secure. The Commission intends to fully enforce these requirements – especially in school and learning settings where parents may feel they lack alternatives.”
You’ll want to read the Policy Statement for details, but there’s a fundamental message industry members need to hear. In investigating potential COPPA violations by ed tech providers and other covered online services, the FTC “intends to scrutinize compliance with the full breadth of the substantive prohibitions and requirements of the COPPA Rule and statutory language.” In particular, the FTC will focus on:
- Prohibition Against Mandatory Collection. COPPA-covered companies must not condition a child’s participation on the disclosure of more information than is reasonably necessary to participate. For example, if an ed tech business doesn’t need to email students, the company can’t require kids’ email addresses.
- Use Prohibitions. COPPA-covered companies are strictly limited in how they can use the personal information collected from kids. For example, operators of ed tech that collect personal information pursuant to school authorization may use it only to provide the requested online education service. Here's how the Policy Statement puts it: “In this context, ed tech companies are prohibited from using such information for any commercial purpose, including marketing, advertising, or other commercial purposes unrelated to the provision of the school-requested online service.”
- Retention Prohibitions. COPPA-covered companies can’t retain personal information collected from kids for longer than is reasonably necessary to fulfill the purpose for which it was collected. That would violate Section 310.12 of the COPPA Rule.
- Security Requirements. COPPA-covered companies must have procedures to maintain the confidentiality, security, and integrity of children’s personal information. Even absent a data breach, failing to have those procedures in place would violate Section 310.8.
In case an ed tech company is thinking about passing compliance off to school administrators, parents, or others – for example, through contract provisions or terms of service – the Policy Statement makes it clear that’s a hard no. The responsibility to implement strong privacy protections rests squarely on ed tech companies and it’s an obligation they can’t shirk.
The Policy Statement ends where ed tech companies need to begin: “Going forward, the Commission will closely scrutinize the providers of these services and will not hesitate to act where providers fail to meet their legal obligations with respect to children’s privacy.”