Education Week has just published a new resource for schools about the Children鈥檚 Online Privacy Protection Act. This online explainer includes exclusive new information from the Federal Trade Commission on schools鈥 role under the complicated 1998 law, known as COPPA.
Broadly speaking, this federal law requires operators of commercial websites, online services, and mobile apps to notify parents and obtain their consent before collecting any personal information on children under the age of 13.
The FTC, which enforces the law, says schools may grant that consent on behalf of parents. So while COPPA doesn鈥檛 directly regulate schools, it does have big implications for them. The law is also of critical importance for a wide range of ed-tech companies.
Despite the law鈥檚 significance, there鈥檚 been a lot of uncertainty around COPPA. In the course of preparing our new explainer, Education Week tried to get as many answers as we could, especially from the FTC itself.
For the big picture and lots of details around schools and COPPA, read the full explainer. But here are five important new insights and clarifications that FTC staff provided in their written response to our questions.
1. 69传媒 can in many cases offer COPPA consent in lieu of parents, rather than having to obtain consent from parents and pass it on to operators.
This was a significant gray area for many schools, according to Sonja H. Trainor, the director of the Council of School Attorneys for the National School Boards Association. Some school lawyers believed it was necessary for schools to actually obtain verifiable COPPA consent from parents for every child under 13, for each online service or product that collects personal information from kids. The FTC鈥檚 response here indicates that in most situations, however, schools鈥 primary responsibility is to notify parents, not obtain consent from them. (There are a lot of what-ifs and what-abouts, most of which are covered in the full explainer.)
2. The bar for disclosing third-party trackers is higher than many ed-tech companies may realize.
Here鈥檚 what FTC staff said in response to Education Week鈥檚 question on this issue:
Generally speaking, an operator must disclose the existence of any third-party tracking services that are collecting personal information from children using the operator鈥檚 website or online service. Absent such notice, the operator could not obtain consent.
3. 鈥淐lick-wrap agreements鈥 aren鈥檛 good enough.
COPPA requires operators of websites, online services, and mobile apps that are either targeted to children under 13, or used by children under 13 with the operators鈥 knowledge, to do two basic things: notify parents (and schools) about their information-collection and information-use practices, and obtain verifiable consent for those practices. Here鈥檚 what FTC staff had to say about whether click-wrap agreements (generally speaking, those company terms and conditions that users are asked to click 鈥淚 agree鈥 to before using a site or service) are adequate:
Typically, a click-wrap agreement on its own would not suffice to meet this standard. Additionally, operators would need to be careful that any notice provided through a click-wrap agreement did not include unrelated, confusing, or contradictory materials.
4. Once schools provide COPPA consent for a child to use a particular service, that consent generally carries across school years.
Here鈥檚 what FTC staff told Education Week on this issue:
The consent [granted by a parent or school under COPPA] is specific to the particular website or online service offered and is not tied to the specific class or school year. However, COPPA requires the provider of the site or service to obtain a separate consent for any material change to its data collection or use practices.
5. After a user turns 13, ed-tech (and other) companies are limited in what they can do with information collected on that user before he or she turned 13.
Again, direct from FTC staff:
An operator cannot combine the previously collected personal information [from a child under 13] with the newly collected personal information [from the same child, once he or she is 13 or older], to engage in uses beyond what had previously been consented to by either parents or a school. And of course, any data collected from a child under 13 can only be retained as long as is reasonably necessary to fulfill the purpose for which the information was collected.
See also: