Testing, testing: A review session on COPPA and schools

We often get questions about how the Children’s Online Privacy Protection Act applies in the school setting. The COPPA Rule gives parents control over what information “an operator of a Web site or online service” – yes, that includes apps – can collect from their kids under 13. Among other things, COPPA requires entities covered by the law to notify parents and get their approval before they collect, use, or disclose personal information from children. So how does COPPA apply to schools? Here’s the short answer: Schools – which are usually part of the local government – don’t fall within the legal definition of who’s covered by COPPA because they aren’t commercial “operators.” That said, schools sometimes allow, or even require, students to use sites and services that are covered by COPPA and which must provide notice and get verifiable parental consent.

This question isn’t new. When the FTC issued the original COPPA Rule in 1999, it addressed how schools may serve as an intermediary between operators and parents in the notice and consent process or as the parent’s agent, acting on the parent’s behalf. Here’s what we said about the subject back then in the Statement of Basis and Purpose for COPPA:

“Numerous commenters raised concerns about how the Rule would apply to the use of the Internet in schools. Some commenters expressed concern that requiring parental consent for online information collection would interfere with classroom activities, especially if parental consent were not received for only one or two children. In response, the Commission notes that the Rule does not preclude schools from acting as intermediaries between operators and parents in the notice and consent process, or from serving as the parents’ agent in the process. For example, many schools already seek parental consent for in-school Internet access at the beginning of the school year. Thus, where an operator is authorized by a school to collect personal information from children, after providing notice to the school of the operator’s collection, use, and disclosure practices, the operator can presume that the school’s authorization is based on the school’s having obtained the parent’s consent.”

(Need the citation for that? It’s 64 Fed. Reg. 59888, 59903.)

However, the school’s ability to consent on a parent’s behalf is limited to the educational context – in other words, it applies only when an operator collects personal information from students just for an educational purpose, and for no other commercial purpose. Thus, in addition to the central role schools play in creating an engaging learning environment, they also have a part to play in protecting student privacy.

Recently, FTC staff received questions about whether COPPA covers providers of online tests – in particular, tests that two consortia of state educational agencies are developing. The Partnership for Assessment of Readiness for College and Careers (PARCC) is a nonprofit that describes itself as “an alliance of states working together to develop common assessments serving nearly 24 million students.” The Smarter Balanced Assessment Consortium is made up of member states and other government agencies. The idea is that the tests will be given online to school kids across the country. While we encourage all types of entities to respect children’s privacy, the FTC’s enforcement authority doesn’t extend to information collection by state governments or most nonprofits. So these specific consortia, and the development and administration of their tests, are not covered by COPPA. It’s important to keep in mind that schools administer tests for many reasons – to evaluate students’ and schools’ performance, for example – but also, in many cases, schools must comply with legal mandates to test students under federal, state, and local laws.

More broadly, however, the goal of COPPA is to protect children’s privacy with respect to the online collection of personal information by commercial entities. Many parents care deeply about their children’s privacy, and rightly expect their schools to protect it. But COPPA was not intended to displace the traditional relationship between parents and schools when it comes to the collection of information exclusively for educational purposes in the school context and with the school’s permission. That holds true even when that information is collected online.

Of course, under the Family Educational Rights and Privacy Act (FERPA), educational agencies and institutions have specific obligations to protect student privacy, including protecting personal information from children’s education records from further disclosure or uses without the written consent of the parent, unless permitted to do so under FERPA.

In sum, COPPA provides important protections for children’s personal information in the commercial space, and also recognizes the special role that schools may play in providing consent for the online collection of information from kids exclusively for educational services – for example, online testing.

Comments

This posting leaves me confused. The FTC FAQ on COPPA at http://www.ftc.gov/tips-advice/business-center/complying-coppa-frequently-asked-questions#Schools states in M.1.: "Whether the operator gets consent from the school or the parent, the operator must still comply with other COPPA requirements. For example, the operator must provide the school with all the required notices, as noted above, and must provide parents, upon request, a description of the types of personal information collected; an opportunity to review the child’s personal information and/or have the information deleted; and the opportunity to prevent further use or online collection of a child's personal information."

Does this blog posting supersede the FAQ M. 1? That is, if the commercial operator is only using info in the educational context, is the operator NOT obligated comply w/ other COPPA requirements that allow a parent to review,delete, and prevent further collection?

You say "the FTC’s enforcement authority doesn’t extend to information collection by state governments or most nonprofits." Which nonprofits does your authority cover? Also, FTC guidance says that even when schools or districts contract with purely commercial operators who collect personal information from children under 13 in schools, though parents do not have the right to consent, they do have the right to inspect the data, delete if it is incorrect, and opt out of further collection. Your guidance on this is posted in your FAQ here: http://www.ftc.gov/tips-advice/business-center/complying-coppa-frequently-asked-questions#Schools It says the following: "Whether the operator gets consent from the school or the parent, the operator must still comply with other COPPA requirements. For example, the operator must provide the school with all the required notices, as noted above, and must provide parents, upon request, a description of the types of personal information collected; an opportunity to review the child’s personal information and/or have the information deleted; and the opportunity to prevent further use or online collection of a child's personal information." Do you stick by this position or have you now changed it? thanks,

Hi, C Ball and Leonie Haimson. Thank you for your questions. As noted in the staff’s COPPA FAQs, the COPPA statute states that the law applies to commercial websites and online services, but doesn't apply to nonprofit entities that otherwise would be exempt from coverage under Section 5 of the FTC Act. Nonprofit entities that operate for the profit of their commercial members may be subject to the COPPA Rule. As indicated in the blog, these consortia aren't covered by COPPA.

FTC: This guidance and your responses to Leonie Haimson and C Ball leave me confused.

Specifically, your guidance hinges on PARCC's status as a nonprofit.

Yes, PARCC is a nonprofit, but it has contracted with a for-profit corporation, Pearson, to administer the PARCC assessment online. For instance, when I access a PARCC practice test online, I am redirected to [Admin note: Link deleted] and my understanding is that the same relationship holds true for children who take the actual PARCC assessments (Indeed, Pearson, and not PARCC, will, as I understand it, also be responsible for scoring the assessments). Given that Pearson is a commercial, for-profit operator, which is certainly attempting to make a profit from its administration and scoring of the PARCC assessment, isn't children's provision of data to Pearson through its website in the course of taking the PARCC tests governed by COPPA, since there is no question that Pearson is a for-profit commercial operator of a website that is indisputably gathering individual student data? Thank you.

I believe that COPPA does (and should) apply to PARCC. While the organization PARCC, Inc. may be a non-profit, the test itself is made by Pearson, and students take the test via Pearson's web based software (http://home.testnav.com). This is where student information is uploaded to by schools, and this is where students are logging in and inputting information. As a contractor of PARCC, Pearson operates this site for a profit and should be compelled to comply with COPPA. Likewise, parents should have the right to object to Pearson's privacy policy for their software and request that their child's information be removed.

So whether the online program is for educational purposes or not, if it is operated by a for-profit vendor, parents have the right to opt out (though not consent - which we already knew)?

So by this FTC interpretation, any "free" app or website (such as Khan Academy) would be exempted. So who is responsible for determining whether "nonprofit entities operate for the profit of their commercial members"?

We know there is no such thing as free lunch. "Free" usually means data shared with third parties that sell to data brokers. The data derivatives become profiles, without a trail to audit.

Would the FTC support a mandate that schools use “accountable http”? According to Science magazine, it is "a variant of the http protocol that was proposed by MIT researchers. Httpa conveys usage restrictions between the data providers and data users, creating a network log each time a protected resource is accessed. These logs might be valuable in protecting patient health data to determine compliance with HIPAA."

One would assume the same would be true when it comes to compliance with COPPA/FERPA.

i want to solve this problam

NY Times article today bolsters my comment/question, Uncovering Security Flaws in Digital Education Products for Schoolchildren.

"But some privacy law scholars, educators and technologists contend that federal protections for student data have not kept pace with the scope and sophistication of classroom data-mining. Although a federal privacy law places some limits on how schools, and the vendors to which they outsource school functions, handle students’ official educational records, these experts say the protections do not extend to many of the free learning sites and apps that teachers download and use independently in their classrooms."

Another issue...
Schools use assessments for special education eligibility and 504 accommodations (such as for ADD/ADHD). The monopoly on these tests is London-based Pearson, the largest education company and book publisher in the world. Since 2013, Pearson Clinical has been using Q-global to score and store tests. This decreased administrative burden is attractive for districts that are increasingly choosing the Q-Global option instead of scoring manually or with software.

Students who receive special education or 504 accommodations are afforded confidentiality provisions under IDEA, the Individuals with Disabilities Education Act.

It is not clear to me that assessments scored and stored by Pearson are education records, protected by FERPA, since the LEA outsources the collection of this data.

Here is the privacy company of Pearson Q-Global.

This subsidiary can use “non-personally identifiable statistically aggregated data raw test data and other information collected in the testing process for our research, quality control, operations management, security and internal marketing purposes and to enhance, develop or improve tests and testing processes” They can transfer the data “in connection with a sale, joint venture or other transfer of some or all of the assets of NCS Pearson, Inc.” or “to our contractors or agents who are committed or obliged to protect the privacy of Personal Information in a manner consistent with this Privacy Policy“

So... if any of these students' assessments go directly into the Pearson pipeline for scoring and storing, are they covered by FTC? And what kind of notice and consent should be required so that a parent can request manual scoring/storing by the district?

Another issue... Schools use assessments for special education eligibility and 504 accommodations (such as for ADD/ADHD). The monopoly on these tests is London-based Pearson, the largest education company and book publisher in the world. Since 2013, Pearson Clinical has been using Q-global to score and store tests. This decreased administrative burden is attractive for districts that are increasingly choosing the Q-Global option instead of scoring manually or with software.

Did anyone ever received a response regarding Pearson collecting the student data. There is no doubt that they will be using the data to increase their commercial enterprises. Parents definitely need an answer!!

Is the FTC willing to comment on Pearson's responsibilities under COPPA following the revelation of its online monitoring of children's social media participation in connection with its administration of the PARCC assessments?

As a parent, I have never been happier with my decision to refuse to allow my child to participate in these online assessments administered to children as young as 8 years old by a for-profit company that is apparently intentionally monitoring the online activities of young children.

To take things one step further, Pearson is reviewing student social media and reporting discussions about their test to the state Dept of Education for disciplinary action against said students. Essentially this private, for-profit entity is using confidential test taker lists to identify posters of social media items critical of the company or discussing the test and then using the information to persecute the posters. This should be investigated as a violation of COPPA. It is certainly action being taken outside the consortium an dis producing real damage to children.

There are no tests from PARCC except online tests provided by Pearson. You say that Pearson online tests are except from COPA because these consortia aren't covered by COPPA and further, that "COPPA was not intended to displace the traditional relationship between parents and schools when it comes to the collection of information exclusively for educational purposes in the school context and with the school’s permission. That holds true even when that information is collected online.

But suppose that Pearson is not collecting information "exclusively for educational purposes" but is engaged in using the information for marketing, marketing the information, and using the information to protect its investments in tests the latter by the trolling students' social media for the purpose of identifying breaches in test security. That is a commercial pursuit of information that may not have been authorized by the school. Pearson wants student information in order to market a slew of products that are ancillary to the tests in school. many of these marketed at parcc/pearson.com . This branding relationship places into question whether PARCC is only functioning in one relationship with Pearson.
Also not clear what you mean by the "traditional relationship between parents and schools when it comes to the collection of information exclusively for educational purposes in the school context." There is nothing "traditional" about this scheme of contracting for on line tests, the scale of testing, and the the failure of Pearson contracts to delivery back to schools information of real educational value to the school, teachers, or parents.. All of the information goes into a data bank for ratings demanded by policies created at a very long distance from the local school and the teachers and parents of the children who are being tested. The data is not instructionally useful because it is delivered too late in the school year to be acted upon. There is also nothing "traditional" about PARCC.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.