Business Blog
COPPA Guidance for Ed Tech Companies and Schools during the Coronavirus
“Social distancing,” “shelter-in-place,” “virtual happy hour”— these are some of the new expressions on everyone’s lips the past few weeks. For many, add “remote learning” to the list. Because of school closures, millions of students are now using online, education technology (or “ed tech”) services to engage in remote learning from home. And while this fills a vital need, it’s important to keep in mind that many of these ed tech services collect and use student’s personal information. So, it’s a good time to remind ed tech providers and schools about the continued need to protect student’s privacy and safeguard their personal data. To help, here are some FAQs.
What is the Children’s Online Privacy Protection Act (COPPA)? Importantly, COPPA does not impose obligations on schools. Instead, COPPA spells out what operators of commercial websites and online services, including some ed tech services, must do to protect children’s privacy and safety online. For example, if your company is covered by COPPA, you need to have certain information in your privacy policy and get parental consent before collecting some types of information from kids under 13. In addition, companies covered by COPPA must also maintain reasonable data security practices to, for example, protect hackers from accessing student accounts.
Does COPPA apply to ed tech services used for remote learning? At the outset, we want to stress that COPPA is not a barrier to schools providing robust remote learning opportunities through ed tech services. COPPA generally requires companies that collect personal information online from children under age 13 to provide notice of their data collection and use practices and obtain verifiable parental consent. In the educational context, however, schools can consent on behalf of parents to the collection of student personal information — but only if such information is used for a school-authorized educational purpose and for no other commercial purpose. This is true whether the learning takes place in the classroom or at home at the direction of the school.
How can ed tech services get consent from a school? For the ed tech service to get consent from the school instead of from the parent, the service must provide the school the necessary COPPA-required notice of its data collection and use practices. Want to know what the notice should look like? Read Section C of the FTC’s COPPA FAQs. As a best practice, ed tech services should make the COPPA notice available to parents, and, where feasible, let parents review the personal information collected. In addition, ed tech services should use plain language that students, parents, and educators can easily understand.
What if the ed tech services are for students over the age of 13? Even for students who are 13 or older and not covered by COPPA, ed tech services should not use less care or engage in different practices simply because a student is engaged in remote learning rather than using the ed tech service in the classroom.
Are there other laws that ed tech vendors should be aware of? In addition to COPPA, ed tech services should review the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA) — laws administered by the U.S. Department of Education’s Student Privacy Policy Office (SPPO) — as well as any of the state laws that protect the privacy of K-12 students. Also, check out the U.S. Department of Education’s new information on FERPA and Virtual Learning. SPPO’s website includes best practices and potential terms of service that may be helpful to include in an agreement between schools and ed tech vendors. And, of course, Section 5 of the FTC Act prohibits all companies from engaging in unfair or deceptive practices.
Is there any advice for schools that are using ed tech services? Keep in mind that, because COPPA applies only to operators of commercial websites and services, it generally does not impose obligations directly on schools. Nevertheless, as schools and school districts move to remote learning, they should consult with their attorneys and information security specialists to review the privacy and security policies of the ed tech services they use. Schools or school districts should decide whether a particular site’s or service’s privacy and information practices are appropriate, rather than delegating that decision to the teacher. Also, the school or school district should give parents a notice of the websites and online services whose collection they have consented to on behalf of the parent. In deciding which online technologies to use with students, a school should be careful to understand how an operator will collect, use, and disclose personal information from its students. Among the questions that a school should ask potential operators are:
- What types of personal information will you collect from students?
- How do you use this personal information?
- Do you use or share the information for commercial purposes not related to the provision of the online services requested by the school? For instance, do you use students’ personal information in connection with generating targeted advertising, or building user profiles for commercial purposes not related to the provision of the online service? If so, the school cannot consent on behalf of the parent.
- Do you let the school review and have deleted the personal information collected from their students? If not, the school cannot consent on behalf of the parent.
- What measures do you take to protect the security, confidentiality, and integrity of the personal information that you collect?
- What are your data retention and deletion policies for children’s personal information?
For more guidance on schools and COPPA, read Section M of the FTC’s COPPA FAQs.
Where can I learn more? For more specific information on how COPPA works and who is covered, read COPPA FAQs and Children’s Online Privacy Protection Rule: A Six Step Compliance Plan for your Business.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.