The U.S. Federal Trade Commission (FTC) issued a policy statement on May 19, 2022 (Policy Statement), notifying education technology (ed tech) companies that the FTC intends to strictly enforce the Children’s Online Privacy Protection Act (COPPA) in school and other learning settings.
Although the Policy Statement does not change the requirements under COPPA, it underscores the importance of COPPA to the FTC and emphasizes the specific compliance obligations of ed tech companies. The Policy Statement highlights the fact that COPPA includes more than mere notice and consent requirements, but also includes limits on the collection, use, retention, and security of children’s data. The Policy Statement notes that the FTC fully intends to enforce COPPA, specifically in school and other learning settings where “parents may feel they lack alternatives.”
COPPA is a federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. In recent years, the use of technology in classrooms has grown exponentially. This use has been expanded even further by the sudden pivot to virtual learning that schools experienced during the COVID-19 pandemic. Although the use of technology in educational settings has brought positive changes, it has also resulted in parents and schools having to navigate a complex industry where commercial surveillance has become standard practice. This new reality has raised concerns that a large amount of personal information may be being collected from children.
Concerns regarding data collection are further heightened in school and educational environments as more students are required to engage with ed tech websites and platforms in order to participate in school, especially post-pandemic. Questions and concerns have arisen regarding what personal information ed tech providers are collecting, how they are using that information, and who they are potentially sharing that information with.
The Policy Statement addresses some of these concerns and provides notice that the FTC will scrutinize compliance with COPPA and will investigate potential violations by ed tech providers and other covered online services. The FTC specifically notes that it will focus on investigating these potential violations of COPPA:
- Prohibition against mandatory collection – Students must not be required to submit to unnecessary data collection in order to do their schoolwork.
- Use prohibitions – Operators of ed tech that collect personal information pursuant to school or parent authorization may only use the collected information to provide the requested online education services.
- Retention prohibitions – Ed tech companies may not retain the personal information collected from a child longer than is reasonably necessary to fulfill the purpose for which it was collected.
- Security requirements – Ed tech companies must have procedures in place to maintain the confidentiality, security, and integrity of children’s personal information, regardless of threat of breach.
The FTC’s Policy Statement emphasizes that it is against the law for companies to force parents and schools to surrender children’s privacy rights to allow them to do schoolwork online or attend class remotely. Additionally, ed tech companies cannot deny access to their technology when parents or schools refuse to give consent for commercial surveillance. The FTC confirms that parents should not have to choose between their child’s privacy and their access to education, because the privacy of children under the age of 13 is protected by law. The FTC states that they will closely scrutinize the providers of these ed tech services and will not hesitate to act where ed tech providers fail to meet their legal obligations with respect to children’s privacy. Companies that fail to abide with all COPPA requirements may face civil penalties and/or additional requirements and limitations on their business practices.
The FTC's May 19, 2022, guidance is available at the following link:
As explicitly stated in the FTC’s Policy Statement, agreements between ed tech providers and schools or parents must reflect the fact that the ed tech providers are the ones responsible for complying with COPPA, not the schools or parents. Still, school districts should be generally aware of COPPA’s restrictions on the use of children’s data, both when negotiating agreements and when issues arise. Furthermore, it is important to note that there are additional state and federal laws which may overlap with COPPA or create separate obligations for both ed tech providers and local educational agencies regarding children’s data privacy and the retention of children’s personal data.
If you have any questions about the FTC’s recent policy statement, or COPPA, please contact the authors of this Client News Brief or an attorney at one of our eight offices located statewide. You can also subscribe to our podcast, follow us on Facebook, Twitter and LinkedIn or download our mobile app.