On May 19, the Federal Trade Commission (“FTC”) unanimously adopted a policy statement reminding educational technology providers of their duty to comply with the substantial privacy protections of the Children’s Online Privacy Protection Act (“COPPA”) and the COPPA Rule issued by the Commission. The policy statement reiterates the requirements of the rule and previous informal guidance from Commission staff, and clarifies that educational technology providers may not subject children to commercial data surveillance and monetization practices when they use technology in the classroom.
The FTC’s COPPA rule, which went into effect in 2000 and was last amended in 2013, aims to give parents control over the information collected from their children online. A major part of the rule is that online commercial operators must (1) notify parents of data collection and (2) obtain parental consent before collecting personal information from children under 13.
Recognizing the unique benefits of educational technology, the new policy statement reminds educational technology providers that their compliance with the rule goes beyond the notice and consent requirement. Specifically, the FTC intends to review the activities of educational technology vendors in the following areas:
- Prohibition of mandatory data collection: Educational technology providers cannot force students to disclose more personal information than necessary as a condition of student participation in an educational activity.
- Prohibitions on the use of data: If educational technology providers rely on school permission to collect children’s personal information, they may only use that information to provide an educational service. In this context, educational technology providers are prohibited from using children’s personal information for commercial purposes, including marketing and advertising. Although not in the text of the policy statement, Chair Khan also suggested that educational technology providers should not use children’s personal information as part of a score, algorithm or a commercial database.
- Data retention prohibitions: Educational technology providers may not retain children’s personal information longer than necessary to fulfill the purpose for which the data was collected, nor may educational technology providers retain children’s personal information for future speculative purposes.
- Data security requirements: Educational technology providers must have reasonable procedures to maintain the confidentiality, security and integrity of children’s personal information.
Commissioner Bedoya offered additional concrete guidance on data monitoring. While he agrees that some tracking information is necessary to provide services to children, he advises online operators to innovate by creating tracking mechanisms that protect privacy. For example, he recommended the use of hashed IDs that cannot be used to track children’s activities across platforms.
While the policy statement passed unanimously, Commissioners Phillips and Wilson both stressed that the statement only reflects the current rule and the Commission’s guidance, and urged the FTC to focus its efforts on the completion of the COPPA rulemaking process begun in 2019.