In today’s environment – when data breaches seem to be in the news nearly every day – the media, regulators and many others are hyper-focused on privacy issues. Schools and educational institutions are no exception when it comes to news stories highlighting privacy-related goofs or failures. In K-12 institutions, where privacy infrastructure is often lacking or even non-existent, privacy concerns are especially acute. There is little doubt that Internet and online technologies used inside and outside of classrooms have changed how our children learn. There is a federal privacy law – The Family Educational Rights and Privacy Act – that specifically applies to schools receiving federal funding. But FERPA was passed in 1974, when the ideas of individualized online learning programs, mobile apps, and web-based testing services were nothing but dreams. With the recent proliferation of these new technologies, however, the technologies the Federal Trade Commission –self-appointed federal “czar” of all things privacy-related – is especially attuned to compliance by developers and operators of online education-related services with the Children’s Online Privacy Protection Act.
COPPA’s primary goal is to put parents of children under age 13 in control over what information online entities can collect from their children. COPPA requires operators of commercial websites and services targeted at children to notify parents directly and to obtain verifiable parental consent before their websites and services are allowed to collect personal information (i.e., names, email addresses, geolocation information, IP addresses) from children under 13. It is important to note that schools and educational institutions, particularly public schools, are not covered by COPPA, because they don’t fall within the legal definition of “commercial operators,” whose status is covered by COPPA. But schools that contract with technology vendors who are covered by COPPA may encounter operational and administrative challenges in implementing safeguards and processes to keep sensitive student data from being exploited for unauthorized commercial purposes. Therefore, schools have a special incentive to play an active role in ensuring operators’ compliance with the COPPA, and the FTC is encouraging schools’ involvement in that compliance.
Specifically, the FTC has recently clarified the interplay between COPPA and schools. These updated guidelines will help educational institutions strengthen policies and practices aimed at protecting children’s personal information when working with commercial technology operators. Not surprisingly, the FTC emphasizes that the compliance burden is on the operators of commercial websites and services that target children under 13. Generally, an operator must give notice and obtain verifiable parental consent directly from parents before its websites or services may collect personal information from children under 13. But when schools contract with these technology vendors for educational purposes, the FTC allows schools to act as parents’ agents to consent to the operator’s collection of children’s personal information. In other words, operators are not required to obtain consent directly from parents when the personal information collected from students is for the use and benefit of students and the school (i.e., homework help lines, web-based testing services, individualized learning modules. . . etc.). Operators must still comply with all notice requirements under COPPA, including a description of the types of information collected and the purpose for collection, and providing opportunity for review of personal information collected and deletion of information. But, under the FTC’s guidance, operators’ compliance obligations can be fulfilled by obtaining direct consent granted by the school, rather than the operator having to go directly to the parents of each student.
(Operators must obtain direct parental consent if the information collected is for “commercial purposes.”)
In addition, the FTC’s recent guidance offers several screening questions for schools before contracting with technology vendors, and potential vendors would be wise in considering the answers to these questions before an educational institution asks them:
- What types of personal information will the operator collect from students?
- How does the operator use this personal information?
- Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school?
- Does the operator enable the school to review and have deleted the personal information collected from their students? If not, the school cannot consent on behalf of the parent.
- What measure does the operator take to protect the security, confidentiality, and integrity of the personal information that it collects?
- What are the operator’s data retention and deletion policies for children’s personal information?
These screening questions serve as a basic protection of students’ data privacy for schools when working with operators. Beyond these questions, however, the FTC encourages schools to monitor and scrutinize their operators’ data collection practices continuously to reduce the risk of students’ personal information being misused for unauthorized commercial purposes during their contractual period. This ongoing effort could eventually require schools to have committed resources and a robust infrastructure to implement safeguards for detecting and monitoring potential risk of data misuse and potential violation of COPPA. But, as noted above, K-12 educational institutions often lack these types of resources. So, the FTC has also articulated some “best practices” that may help schools to protect children’s personal information when they work with technology vendors in the process of obtaining parental consent.
The FTC suggests:
- consider making COPPA notices that the operators are required to provide to schools available to parents;
- consider the feasibility of allowing parents to review the personal information collected;
- ensure operators delete children’s personal information once the information collected is no longer needed for educational purposes.
Additionally, when schools give consent on behalf of parents, schools should consider providing parents with a notice of the websites and online services whose collection it has consented to on behalf of the parent. However, because school resources are often limited, vendors should be prepared for schools to ask vendors to take on the administrative costs and expenses of providing this information to parents.
As schools become increasingly reliant on the Internet and mobile technology in student instruction and assessment, privacy concerns and the ongoing effort to protect student data will continue to be a priority. The FTC’s guidance – to both educational institutions and their vendors – will assist vendors in their COPPA compliance, with the coordination and assistance of institutions they serve. Vendors seeking to serve the education industry should be familiar with the guidance and use it as a model to assure educational institutions of the vendor’s COPPA compliance.