The Bottom Line
- The FTC is fully committed to cracking down on companies that illegally surveil children learning online.
- Companies should follow best practices to avoid fines that could reach millions for violating children’s privacy.
The Federal Trade Commission (FTC) unanimously approved a Policy Statement that focuses on the Children’s Online Privacy Protection Act’s (COPPA’s) application to education technologies (Ed Tech) used in and by schools to support learning, including remote learning. This is especially significant now that the pandemic has made online learning fairly common, causing the Ed Tech industry to undergo exponential growth. A hybrid model of learning that combines in-person teaching with Ed Tech products, whether remotely or in the classroom, is likely to be the lasting outcome of the pandemic.
The Policy Statement
COPPA places a variety of obligations on operators of online services directed to children under 13 or services that knowingly collect personal information from children under 13. The Policy Statement emphasizes that children should not have to hand over their data and forfeit their right to privacy in order to do their schoolwork or participate in remote learning. It is a clear indication that the FTC plans to acutely focus on children’s privacy and act where providers fail to meet their legal obligations to protect children’s privacy.
Key Takeaways
The key takeaways of the Policy Statement for COPPA-covered companies, including Ed Tech providers, include:
- Prohibition Against Mandatory Collection: Companies must not condition participation in any activity on a child disclosing more information than is reasonably necessary for the child to participate in that activity. In other words, students must not be required to submit to unnecessary data collection in order to do their schoolwork.
- Use Prohibitions: Companies are strictly limited in how they can use the personal information they collect from children. For example, Ed Tech operators that collect personal information pursuant to school authorization may use such information only to provide the requested online education service. Companies are prohibited from using the information for any other commercial purpose including marketing or advertising.
- Retention Prohibitions: Companies must not retain personal information collected from a child longer than reasonably necessary to fulfill the purpose for which it was collected.
- Security Requirements: Companies must have procedures to maintain the confidentiality, security and integrity of children’s personal information. Even in the absence of a data security breach, Ed Tech providers can be liable for violating COPPA if they lack reasonable security.
COPPA Enforcement
The FTC is clearly putting the responsibility for COPPA compliance on COPPA-covered businesses and not on schools or parents. The Policy Statement does not fundamentally change companies’ existing obligations under COPPA or other laws, but indicates that children’s privacy will be a top priority. Companies that fail to follow COPPA could face civil penalties of up to $43,280 per violation, as well as limitations on their business practices. In recent years, the FTC and state agencies have been stepping up their enforcement of COPPA. Since COPPA became law, fines for violating children’s privacy online have become greater and greater. The rise of multi-million dollar COPPA settlements indicates that the government is willing to place pressure on companies in order to force them to protect children’s privacy.
Best Practices for Ed Tech Companies Regarding the Collection of Children’s Data
Ed Tech providers and other companies involved in this industry should carefully review their data practices and fully understand the limits on the collection and use of children’s data. This includes the following:
- Have a clear privacy policy that explains your data collection practices for users under 13.
- Protect all personal information collected with reasonable information security procedures that protect the security, confidentiality and integrity of personal information collected from users under 13.
- Store personal information only for as long as necessary for the purpose for which it was collected.