FTC Issues COPPA Guidance to Schools and EdTech Companies During the Pandemic
Because of school closures, millions of students are now using online education technology services to engage in remote learning from home. Finding the right technology that protects student privacy and ensures data security has not been easy for school districts. As we reported earlier this week in our blog, New York City’s Department of Education has barred teachers and administrators from using the popular web conferencing platform Zoom for remote learning purposes over concerns about security breaches, such as “Zoom-bombing.”
To address some of these issues, the Federal Trade Commission on April 9, 2020 published Children’s Online Privacy Protection Act (COPPA) Guidance for Ed Tech Companies and Schools during the Coronavirus. COPPA outlines what operators of commercial websites and online services, including some ed tech services, must do to protect children’s privacy and safety online.
COPPA generally requires companies that collect personal information online from children under the age of 13 to provide notice of their data collection and use practices and obtain verifiable parental consent. As the FTC Guidance notes, COPPA does not impose obligations on schools themselves. Rather, schools can consent on behalf of the parents to the collection of student personal information by the ed tech companies, but only if such information is used for a school-authorized educational purpose and for no other commercial purpose. The FTC notes that even where the ed tech companies obtain the required consent from schools, as a best practice, they should make the COPPA-required notice of their data collection and use practices available to parents, and, where feasible, let parents review the personal information collected. The FTC further notes that the ed tech companies should use plain language in their notices that students, parents, and educators can easily understand.
The FTC Guidelines provide that schools and school districts should decide, in consultation with their attorneys, whether a particular site’s or service’s privacy and information practices are appropriate, and should not delegate that decision to school teachers. Schools and school districts should also provide parents a notice of the websites and online services whose collection they have consented to on behalf of the parents.
The FTC advises that in deciding which online technologies to use with students, schools should be careful to understand how an operator will collect, use, and disclose personal information from its students. The issues that schools should raise with their ed tech providers include: (1) the types of personal information they collect from students, (2) how they use this information, (3) whether they share the information for commercial purposes not related to the provision of the online services requested by the school, (4) whether they let the school review and have deleted the personal information collected from their students, (5) what measures they take to protect the security, confidentiality, and integrity of the personal information they collect, and (6) what data retention and deletion policies they employ for children’s personal information.
The FTC Guidelines are an important reminder of vendor risk management for all organizations, not only schools and school districts in the context of COPPA. Third-party vendors pose potential risks to the protection of personal information from improper usage and sharing, and they remain a high-risk area for data breaches. The same questions that schools should pose to their ed tech vendors should be asked, as part of vendor due diligence, by all organizations sharing personal data with their providers. Effectively managing vendor risk will help protect your organization’s and your customers’ data.