COPPA, COVID, and EdTech: Essentials for Schools and Vendors

Education has moved online, and students as young as pre-kindergarten are engaging in hours of remote learning via educational technology each school day. This has led all of us to think about the myriad of state and federal laws that protect student privacy online even more than before. We have addressed some of those issues in previous alerts on FERPA and virtual learning and balancing privacy and educational continuity. Recent Federal Trade Commission guidance on the Children’s Online Privacy Protection Act has brought that federal law into the spotlight, however, and warrants consideration by both school leaders and EdTech vendors. The guidance reminds schools that they can use EdTech services that collect, use, or disclose personal information about students under the age of 13 in certain circumstances, avoiding the need to collect parent or guardian consent for each individual student, but only if the EdTech vendor provides the school notice of its data collection and use practices and agrees to collect personal information from students only for the use and benefit of the school and not for any other commercial purpose. The FTC reminds schools to consult with their attorneys to review the privacy and security policies of the ed tech services they use. In the meantime, here are some of the essential takeaways from the FTC guidance for K-12 schools.  

What is COPPA? 

COPPA applies to EdTech companies that collect, use, or disclose personal information from children under age 13 online. Previous FTC guidance explains that operators of commercial websites and online services (including mobile apps) who are subject to the rule must comply with a number of requirements in the law, including posting a clear and comprehensive online privacy policy describing how they collect information from children, obtaining verifiable parental consent before collecting personal information from children, and using reasonable measures to protect information collected from children.  

How Does COPPA Apply in Schools?  

Especially during the coronavirus disease 2019 (COVID-19) public health crisis, schools are partnering with EdTech vendors more than ever, including with students under the age of 13. Schools have operational services such as a school’s cafeteria system or a student information system that may require registration and a login. Macro-curricular services, like Google Apps for education, that districts or individual schools use or authorize on a school-wide basis may also collect applicable information. And one of the greatest concerns is micro-curricular services, which are those that individual departments, teachers, or other employees use with students on a case-by-case basis. In any of these cases, if information is collected, used, or disclosed by an EdTech vendor, COPPA likely applies. 

The most important requirement of COPPA for schools is that EdTech vendors must obtain parental consent before collecting certain data from children under the age of 13. The FTC guidance reminds schools that they can consent on behalf of parents to avoid having to coordinate between parents and EdTech companies to use a service with children under 13, but only if certain conditions (discussed below) are met.  

COPPA works together with state and federal laws governing student record information, such as FERPA, the Illinois School Student Records Act (ISSRA), and the Illinois Student Online Personal Protection Act (SOPPA). Such laws are even broader than COPPA and generally require obtaining parental consent before sharing student information with an EdTech vendor unless the vendor complies with certain legal requirements that allow the school to consent on a student’s behalf. 

When Can a School Provide Consent under COPPA?  

Under COPPA, a school can consent on a parent’s behalf only when: 

• The data collected is used only for a school authorized educational purpose; 
• The company provides the school notices required under COPPA;  
• If the school requests it, the company provides the school a description of the types of personal information collected; an opportunity to review a child’s personal information and/or have the information deleted; and the opportunity to prevent further use or online collection of a child’s personal information; and 
• Operators to delete children’s personal information once the information is no longer needed for its educational purpose. 

The FTC also recommends that, as a best practice, schools consider sharing the notices provided by the company with parents and allowing parents the ability to review personal information collected. These responsibilities are in addition to any obligations under FERPA or state laws; they allow, however, an EdTech vendor to rely on proxy consent from a school district instead of requiring direct consent from each student’s parent or guardian. 

Why Not Collect Parental Consent?  

As schools are learning even more these days, it can be difficult if not impossible to collect parental consent for every student that the institution would like to use a certain EdTech product with. EdTech is increasingly becoming part of the curriculum, moreover, and so just as you would not typically allow a student to opt out of math, it is not often pedagogically sound to allow a student to opt out of the use of EdTech. For these reasons, most laws, including COPPA, FERPA, and Illinois student privacy law, include exceptions if a company is working closely enough with a school and agrees to certain protections of student data.  

How Do I Protect My School from COPPA Violations? 

When it comes to operational and macro-curricular buckets of EdTech in schools, school business officials and others who sign off on agreements with EdTech vendors should keep COPPA’s requirements in mind before agreeing to use any new EdTech service. Schools should not only look forward to new contracts, but should audit their existing catalogue of EdTech to determine if all student privacy protections are being met. The new FTC guidance reminds school districts of the importance of working with their attorneys and information security specialists on these types of agreements.  

A bigger risk for schools relates to micro-curricular services. School Districts must be aware of, vet, and approve the technology teachers are using with students. We recommend notifying administrators and educators of the school or district’s expectations and providing a method by which they can request to have an EdTech service approved. Many school districts create a “white list” that includes the names and information for resources that have already been approved that can be used immediately with students. 

For more information on COPPA, a review of any existing or proposed agreement, or assistance with creating a white list, contact the authors of this post or any other Franczek attorney.