When it comes to federal protections for students鈥 sensitive personal information, the Family Educational Rights and Privacy Act, or FERPA, tends to get most of the attention.
But schools also need to be familiar with the , commonly known as COPPA.
In a nutshell, COPPA requires operators of commercial websites, online services, and mobile apps to notify parents and obtain their consent before collecting any personal information on children under the age of 13. The aim is to give parents more control over what information is collected from their children online.
This law directly regulates companies, not schools. But as the digital revolution has moved into the classroom, schools have increasingly been put in the middle of the relationship between vendors and parents.
The Federal Trade Commission, which enforces COPPA, has said that schools can, in many situations, stand in for parents and let companies collect information from young children. In some cases, companies may try to shift some of the burden of COPPA compliance away from themselves and onto schools. And it鈥檚 clear that the law places significant indirect burdens on schools and educators.
Those dynamics have opened up multiple cans of worms, said Sonja H. Trainor, the director of the Council of School Attorneys for the National School Boards Association.
鈥淭he FTC has decided, not based on law or regulation, but as a practical reality, that schools can give consent on behalf of parents,鈥 Trainor said. 鈥淭hat is not without risk, and COPPA has a whole lot of gray area that gives school attorneys pause.鈥
In an emailed response to questions from Education Week, FTC staff members provided clarification and new insights on a number of key areas that have had both schools and vendors worried.
But despite whispers in the field that the Federal Trade Commission and the U.S. Department of Education may be gearing up to jointly issue a formal new document with more answers, the commission doesn鈥檛 鈥渃urrently have a timetable for release of additional business guidance,鈥 according to FTC staff.
In the meantime, what do school boards, superintendents, principals, teachers, parents, and companies serving the K-12 market need to know?
Education Week turned to federal officials and documents, education law experts, and leaders in the field of student-data privacy to get their advice.
What exactly is COPPA?
The Children鈥檚 Online Privacy Protection Act was enacted by Congress in 1998. The law requires the Federal Trade Commission to 鈥渋ssue and enforce regulations concerning children鈥檚 online privacy,鈥 according to the (which you might want to bookmark).
The commission put its first COPPA-related rules in place in 2000, and .
Who does COPPA apply to?
Two groups:
Operators of commercial websites, online services, and mobile apps that are directed at children under 13 and 鈥渃ollect, use, or disclose personal information鈥 from those kids.
And operators of websites and online services that are for a general audience but have 鈥渁ctual knowledge鈥 that they are collecting, using, or disclosing personal information from children under 13.
COPPA generally does not apply directly to state government agencies, schools, or nonprofits.
What does COPPA require companies to do?
The list is long. Among other things, COPPA-covered operators must:
- Post a 鈥渃lear and comprehensive鈥 online-privacy policy
- Give parents 鈥渄irect notice鈥 before collecting information from children under 13
- Obtain 鈥渧erifiable parental consent鈥 before collecting such information
- Allow parents to review their children鈥檚 information and request that it be deleted
- Allow parents to opt out of further collection, use, or sharing of information pertaining to their child
- Maintain the confidentiality and security of any child鈥檚 information that is collected
- Delete children鈥檚 information after it is 鈥渘o longer necessary to fulfill the purpose for which it was collected.鈥
What types of information are we talking about?
For COPPA purposes, 鈥減ersonal information鈥 can mean a child鈥檚 name, address, or Social Security number; his or her username or screen name, if that could be used to make contact with the child; some geolocation information; persistent identifiers that might allow the child to be tracked across time or across websites; and more.
Less clear, though, is whether COPPA covers information such as IP (internet protocol) address, device identification number, the type of browser being used, or other so-called metadata that can often be used to identify users.
It鈥檚 worth noting that COPPA applies only to information that is collected from children, not to information that is collected about children. So services that collect information from parents, for example, are not covered, even if some of that information pertains to their children.
OK, cut to the chase鈥攚here do K-12 schools come into the COPPA discussion?
Here鈥檚 the heart of the matter:
In its FAQs, the Federal Trade Commission says that under certain circumstances, 鈥渟chools may act as the parent鈥檚 agent and can consent to the collection of kids鈥 information on the parent鈥檚 behalf.鈥
There鈥檚 a lot to unpack in that.
Yes, there is.
Let鈥檚 start here: Do schools have to obtain parental consent to pass along to companies, or can schools grant consent in place of parents?
This is one of those big questions that have given schools pause. Trainor of the Council of School Attorneys, for example, said that some school lawyers have taken the FTC鈥檚 previous guidance to mean that their districts must get consent from every single parent, for every single product that collects information online from young children.
In its responses to Education Week, though, the FTC provided new clarity.
鈥淲hen schools give consent, the school may consent in lieu of the parents,鈥 according to staff at the commission.
That鈥檚 what often already happens in practice, said Bill Fitzgerald, the director of privacy-evaluation initiatives at Common Sense Media.
But there are still a number of issues for schools to consider.
Whether and how schools can grant COPPA consent varies under certain circumstances, Fitzgerald said.
And in addition to consent, the law requires parental notification. Generally, the FTC expects companies to publicly post a privacy policy that includes descriptions of what information is collected from children, how that information may be used and disclosed, contact information for any third parties that may also be collecting information through the site, and more. 69传媒 in turn are expected to make such notices available to parents. In practice, the details of that information exchange can get messy.
You said whether and how schools can grant COPPA consent varies under 鈥渃ertain circumstances.鈥 Explain.
First, according to the FTC, schools can grant consent on behalf of parents only when the operator of the website, online service, or app in question is providing a service that is 鈥渟olely for the benefit of students and the school system鈥 and is specific to 鈥渢he educational context.鈥
If the service isn鈥檛 just for education, the operator and/or the school clearly has to get verifiable consent directly from parents.
How are schools supposed to determine if a website or app is strictly educational?
Now you鈥檙e starting to see just how tricky this can get.
In its FAQs, the trade commission does provide a helpful list of questions for schools to ask operators when seeking to make this determination.
First and foremost, what information will be collected, and how will it be used?
And more specifically, will any information collected from children under 13 be used or shared for commercial purposes unrelated to education? Are schools allowed to review the information collected on students? Can schools request that student info be deleted?
If the answers to that second group of questions are, respectively, yes, no, or no, schools are not allowed to grant consent on behalf of parents, according to the FTC.
That sounds fairly straightforward.
In reality, it鈥檚 not.
Fitzgerald of Common Sense Media laid out a number of areas where this can get complex.
In many cases, he said, companies include in their terms of service a provision that it鈥檚 the school鈥檚 responsibility to get verifiable consent from parents. Companies may even stipulate that schools using their service are required to retain proof of that consent and produce it on demand. If it鈥檚 in the terms of service, it can be binding for schools that use the product, Fitzgerald said. The takeaway, he said, is that schools should read carefully all terms of service before letting students use a website, online service, or app.
Is that it?
No. Many vendors also allow third-party trackers (usually related to analytics or advertising) to be embedded into their sites and services. This complicates things tremendously, on all sides.
In its FAQs, the FTC says that operators are responsible for determining the 鈥渋nformation-collection practices of every third party that can collect information鈥 via their app, service, or site. And in response to questions from Education Week, FTC staff members went even further, writing that 鈥済enerally speaking, an operator must disclose the existence of any third-party tracking services that are collecting personal information from children using the operator鈥檚 website or online service.鈥
In practice, though, vendors often don鈥檛 provide that information to schools, or do so only in vague or conditional terms. In response to questions from Education Week, FTC staff said operators that don鈥檛 adequately disclose the activity of third-party trackers that collect information from users under 13 cannot obtain informed consent from either parents or schools. That declaration could have huge implications.
Is that it?
Not quite. There鈥檚 also a bigger reality that places schools in a bind when determining if and how they can grant COPPA consent on behalf of parents: Many of the online services in schools have both educational and commercial versions and applications.
Think about Google, for example. It鈥檚 not at all unusual for students to enter one of G Suite鈥檚 educational services through their student accounts, then venture out from there to one of Google鈥檚 commercial services, like Maps or Search.
For years, Google has declined to provide detailed answers to questions about in those circumstances鈥攎aking it difficult for schools to determine for COPPA purposes whether G Suite is strictly for the benefit of schools and students within the 鈥渆ducational context.鈥
That must worry educators. Can schools be held liable for COPPA violations, or for improperly granting consent to a company that commits COPPA violations?
There are a number of ways to think about this.
First, here鈥檚 how FTC staff responded when Education Week posed this exact question: 鈥淐OPPA applies to operators of commercial websites and online services. COPPA does not apply to schools.鈥
For Trainor of the Council of School Attorneys, though, the legal considerations for schools aren鈥檛 quite so cut-and-dried. Here鈥檚 what she had to say:
I wouldn鈥檛 say the liability concerns for schools are so extreme that they should be put above more everyday concerns, like budgets or student achievement. But I would say that school leaders should be aware that this is a fuzzy area of the law. And school boards should be asking their attorneys and state board associations what kind of liability might exist in their state.
And then there鈥檚 the broader issue of public trust and perception. If a school grants consent for an operator to collect information from young children, and that company turns around and violates COPPA, the school may not face any legal liability. But it鈥檚 almost certain the school will have some angry parents to contend with.
OK, let鈥檚 get practical for a second. How do schools notify parents and get their consent under COPPA?
Often through an Acceptable Use Policy or similar document that is sent home to parents at the beginning of the school year, said Fitzgerald of Common Sense Media. Sometimes, such a document describes the types of online services a school intends to use, what types of information they may collect, and how that information might be used. Even better, Fitzgerald said, is when schools provide a detailed list of exactly what websites/online services/apps students will be using, and what the information practices of each are.
This probably isn鈥檛 as straightforward as it sounds, either.
Nope.
For one thing, some privacy experts say that a one-time, blanket sign-off at the beginning of the school year may not be considered valid notification and consent under COPPA, especially if it doesn鈥檛 list the specific online services that children will be using.
Who in the school should be responsible for granting COPPA consent?
In its FAQs, the FTC recommends that this happen at the school or district level, and that responsibility for deciding 鈥渨hether a particular site鈥檚 or service鈥檚 information practices are appropriate鈥 not be delegated to teachers.
Many districts do in fact have that kind of review-and-approval process.
But don鈥檛 many teachers also make their own decisions about what sites and apps they use?
Yes.
In fact, that鈥檚 the of a lot of ed-tech companies: Go around (often slow, tedious) district approval processes by marketing directly to teachers and hoping for viral growth.
But that presents a couple of problems.
One is 鈥渃lick-wrap agreements.鈥 Often, these are the kinds of agreements that almost all of us are guilty of just clicking through without actually reading. Significantly, FTC staff said that 鈥渢ypically, a click-wrap agreement on its own would not suffice鈥 to meet COPPA standards around notification and consent. This point could have big implications for both companies and schools.
More broadly speaking, it鈥檚 still unclear whether a teacher can enter into a contract and provide COPPA consent on behalf of parents, even if it鈥檚 not via a click-wrap agreement, said Amelia Vance, the education-privacy-policy counsel at the Future of Privacy Forum.
Many schools seek to avoid any situation where a teacher can incur liability on behalf of the district鈥攁nd for good reason, she said.
鈥淵ou just naturally have less due diligence when a teacher is the one signing up,鈥 Vance said. 鈥淭hey have a million things to do in a day, and that doesn鈥檛 often include going through detailed privacy policies on a company鈥檚 website to verify that it鈥檚 in compliance with COPPA.鈥
Does consent for a child to use a site/service/app carry over from year to year, or do schools need to get fresh consent each school year?
This is yet another gray area that鈥檚 been troubling schools. The FTC provided some helpful insights to Education Week. Here鈥檚 what commission staff wrote in their response to our question:
The consent [granted by a parent or school under COPPA] is specific to the particular website or online service offered and is not tied to the specific class or school year. However, COPPA requires the provider of the site or service to obtain a separate consent for any material change to its data collection or use practices.
In practice, Fitzgerald said, this appears to mean that a parent or school granting a company consent to collect information online from a child 鈥渂asically lasts forever.鈥
That would seem to be true even if the nature of the site or service evolves dramatically over time, Vance added.
What about when kids move?
In this situation, the new school enrolling the child 鈥渟hould ensure that it has received the necessary notice from the operator and given consent for the child鈥檚 use,鈥 according to FTC staff.
In practice, Vance said, that appears to mean that COPPA consent is not transferable from school to school. That appears to be especially true when a child moves between states that may have different student-data-privacy laws of their own.
Vance also raised another question: When a child under 13 moves, what happens to the COPPA-covered information that companies hold on that child?
鈥淭he first thing parents do when they move is not go find all the companies who are storing their child鈥檚 information and make sure it鈥檚 deleted,鈥 she said. 鈥淎nd there鈥檚 not really a clear process by which schools can go to companies and let them know a child is no longer there.鈥
Well, what鈥檚 the answer?
It鈥檚 not clear.
What happens when an operator collects information on a child under 13, and then that child turns 13?
According to FTC staff, COPPA does not require any new consent for newly collected personal information after a child turns 13.
Other privacy laws likely apply, though.
And FTC staff did have this to say, which again could have big implications for schools and ed-tech companies:
An operator cannot combine the previously collected personal information [from a child under 13] with the newly collected personal information [from the same child, once he or she is 13 or older], to engage in uses beyond what had previously been consented to by either parents or a school. And of course, any data collected from a child under 13 can only be retained as long as is reasonably necessary to fulfill the purpose for which the information was collected.
Let鈥檚 say a school successfully and appropriately provides COPPA consent for its students to use a particular app. Do parents still retain their rights under the law?
Good question. Remember, COPPA isn鈥檛 just about consent. It also requires operators to let parents review their children鈥檚 information, request that it be deleted, and more.
Unfortunately, the FTC鈥檚 response to Education Week didn鈥檛 provide much clarity.
Trainor, the director of the school attorneys鈥 group, said this is another gray area.
鈥淚 think parents might be able to make that request directly of an operator under COPPA,鈥 she said. 鈥淏ut it鈥檚 fuzzy.鈥
What about schools? Under COPPA, can they request to review/delete the information collected from children under 13? Should they? Does this ever happen?
Yes, it does happen, but probably not as often as it should, privacy advocates say.
Fitzgerald of Common Sense Media is among those who would 鈥渓ove to see schools and parents get together and submit sample requests鈥 just to see what happens.
What are the penalties for COPPA violations?
Operators can be hit with a civil penalty of up to $40,654 per violation.
For companies with lots of young users, that could potentially add up quickly, as the heads of the fictional video-chat company Pied Piper (from the popular HBO show 鈥淪ilicon Valley鈥) discovered when they faced the .
If a parent, school, or anyone else has a complaint, concern, or question about COPPA, they can email the FTC at CoppaHotLine@ftc.gov.
Have any companies actually been sanctioned under COPPA?
Yes.
The most recent was in 2015, when two developers behind popular kids鈥 apps such as My Cake Shop and Cat Basket agreed to pay $360,000 in civil penalties as part of a settlement with the FTC.
Large, well-known general-audience companies have been caught up in COPPA troubles, too. In 2014, Yelp agreed to pay a $450,000 civil penalty over a complaint that it had for years collected personal information from children without first getting parental consent.
And one of the larger COPPA settlements came in 2012, when the operator of fan websites for music stars such as Justin Bieber and Rihanna agreed to pay a $1 million civil penalty.
鈥淓ven a bad case of Bieber Fever doesn鈥檛 excuse [operators鈥橾 legal obligation to get parental consent before collecting personal information from children,鈥 FTC Chairman Jon Leibowitz said at the time.