The Bottom Line
- With many schools closed through the end of the 2019-2020 academic year, children — like many others of all ages — are rapidly finding much more of their day-to-day lives taking place online. As a result, the FTC has provided guidance for ed tech providers and schools that utilize ed tech platforms to actively assure themselves that they are properly complying with COPPA.
With many children’s schools having transitioned to online education, questions have arisen regarding the collection of children’s personal information by the online educational platforms that support remote learning.
In response to these questions, the Federal Trade Commission (FTC) recently provided guidance on how the Children’s Online Privacy Protection Act (COPPA) applies to educational technology (ed tech) providers and schools when engaging in virtual online learning.
COPPA prohibits commercial websites and online services from collecting personal information from children under the age of 13 without their parents’/guardians’ consent. Operators of websites and other online platforms with large audiences of children under 13 years of age are responsible for ensuring that their sites and platforms do not collect a child’s personal information, such as their name, address, photograph or any other identifying information — including online cookies, geolocation data and user names — without the express informed consent of the children’s parent or guardian.
However, in the new reality caused by the coronavirus pandemic, many children under 13 are now spending even more of their time interacting online — making COPPA more relevant than ever. Children and their families are using the Internet for home schooling as well as for remote learning offered virtually by public and private schools. With classroom learning taking place virtually, students often must provide their personal identifying information in order to be enrolled in schools and to participate in class.
Schools may face new challenges as they seek to navigate technological needs and legal requirements in adopting an increased online presence, while parents may find themselves wondering how their children’s personal information is being protected in this new paradigm.
Under limited circumstances, COPPA permits schools, acting on behalf of the children’s parents/guardians, to provide consent for the collection of their students’ personal information by ed tech providers. This allows students to more seamlessly transition to participation in online classes, without being delayed by the need to secure individual consent from each child’s parents.
Notably, however, schools can only provide consent for educational purposes, and not for commercial or other purposes. For example, a school cannot consent on behalf of a parent if the ed tech provider uses the child’s personal information to engage in behavioral advertising or to build user profiles on the child for commercial purposes not related to the provision of the educational service.
In order to obtain consent from the school, ed tech providers must provide schools with COPPA-compliant notices of their data collection practices. In addition, these ed tech providers should let schools review and have deleted the personal information collected from their students. To the extent practical, notices of a provider’s data collection practices should also be made available to parents, who should be allowed to review the personal information collected from their child.
As a best practice, schools should proactively review the privacy and data security policies of any potential ed tech providers. These privacy and data security policies should describe the measures used to protect the security, confidentiality and integrity of personal information being collected.
Before engaging any ed tech providers, schools should specifically ask them:
- What types of personal information will they collect from students?
- How do they use this personal information?
- Do they use or share the information for commercial purposes not related to the provision of the online services requested by the school, such as to build user profiles for targeted advertising, or make such data available to other marketing companies?
- Do they let the school review and confirm that they have deleted the personal information collected from their students?
- What measures do they take to protect the security, confidentiality and integrity of the personal information they collect?
- What are their data retention and deletion policies for children’s personal information?
Last year, the FTC had signaled that changes to COPPA may be forthcoming, particularly with respect to ed tech. Now, in the face of a global pandemic in which children are required to interact online more than ever before, the FTC will undoubtedly gain more insights into the best methods for protecting children’s privacy online in connection with remote learning.