COPPA and Schools: The (Other) Federal Student Privacy Law, Explained
When it comes to federal protections for students’ sensitive personal information, the Family Educational Rights and Privacy Act, or FERPA, tends to get most of the attention.
But schools also need to be familiar with the Children’s Online Privacy Protection Act, commonly known as COPPA.
In a nutshell, COPPA requires operators of commercial websites, online services, and mobile apps to notify parents and obtain their consent before collecting any personal information on children under the age of 13. The aim is to give parents more control over what information is collected from their children online.
This law directly regulates companies, not schools. But as the digital revolution has moved into the classroom, schools have increasingly been put in the middle of the relationship between vendors and parents.
The Federal Trade Commission, which enforces COPPA, has said that schools can, in many situations, stand in for parents and let companies collect information from young children. In some cases, companies may try to shift some of the burden of COPPA compliance away from themselves and onto schools. And it’s clear that the law places significant indirect burdens on schools and educators.
Those dynamics have opened up multiple cans of worms, said Sonja H. Trainor, the director of the Council of School Attorneys for the National School Boards Association.
“The FTC has decided, not based on law or regulation, but as a practical reality, that schools can give consent on behalf of parents,” Trainor said. “That is not without risk, and COPPA has a whole lot of gray area that gives school attorneys pause.”
In an emailed response to questions from Education Week, FTC staff members provided clarification and new insights on a number of key areas that have had both schools and vendors worried.
But despite whispers in the field that the Federal Trade Commission and the U.S. Department of Education may be gearing up to jointly issue a formal new document with more answers, the commission doesn’t “currently have a timetable for release of additional business guidance,” according to FTC staff.
In the meantime, what do school boards, superintendents, principals, teachers, parents, and companies serving the K-12 market need to know?
Education Week turned to federal officials and documents, education law experts, and leaders in the field of student-data privacy to get their advice.
What exactly is COPPA?
The Children’s Online Privacy Protection Act was enacted by Congress in 1998. The law requires the Federal Trade Commission to “issue and enforce regulations concerning children’s online privacy,” according to the FTC’s frequently-asked-questions page (which you might want to bookmark).
The commission put its first COPPA-related rules in place in 2000, and amended them in 2013.
Who does COPPA apply to?
Operators of commercial websites, online services, and mobile apps that are directed at children under 13 and “collect, use, or disclose personal information” from those kids.
And operators of websites and online services that are for a general audience but have “actual knowledge” that they are collecting, using, or disclosing personal information from children under 13.
COPPA generally does not apply directly to state government agencies, schools, or nonprofits.
What does COPPA require companies to do?
The list is long. Among other things, COPPA-covered operators must:
- Give parents “direct notice” before collecting information from children under 13
- Obtain “verifiable parental consent” before collecting such information
- Allow parents to review their children’s information and request that it be deleted
- Allow parents to opt out of further collection, use, or sharing of information pertaining to their child
- Maintain the confidentiality and security of any child’s information that is collected
- Delete children’s information after it is “no longer necessary to fulfill the purpose for which it was collected.”
What types of information are we talking about?
For COPPA purposes, “personal information” can mean a child’s name, address, or Social Security number; his or her username or screen name, if that could be used to make contact with the child; some geolocation information; persistent identifiers that might allow the child to be tracked across time or across websites; and more.
Less clear, though, is whether COPPA covers information such as IP (internet protocol) address, device identification number, the type of browser being used, or other so-called metadata that can often be used to identify users.
It’s worth noting that COPPA applies only to information that is collected from children, not to information that is collected about children. So services that collect information from parents, for example, are not covered, even if some of that information pertains to their children.
OK, cut to the chase—where do K-12 schools come into the COPPA discussion?
Here’s the heart of the matter:
In its FAQs, the Federal Trade Commission says that under certain circumstances, “schools may act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf.”
There’s a lot to unpack in that.
Yes, there is.
Let’s start here: Do schools have to obtain parental consent to pass along to companies, or can schools grant consent in place of parents?
This is one of those big questions that have given schools pause. Trainor of the Council of School Attorneys, for example, said that some school lawyers have taken the FTC’s previous guidance to mean that their districts must get consent from every single parent, for every single product that collects information online from young children.
In its responses to Education Week, though, the FTC provided new clarity.
“When schools give consent, the school may consent in lieu of the parents,” according to staff at the commission.
That’s what often already happens in practice, said Bill Fitzgerald, the director of privacy-evaluation initiatives at Common Sense Media.
But there are still a number of issues for schools to consider.
Whether and how schools can grant COPPA consent varies under certain circumstances, Fitzgerald said.
You said whether and how schools can grant COPPA consent varies under “certain circumstances.” Explain.
First, according to the FTC, schools can grant consent on behalf of parents only when the operator of the website, online service, or app in question is providing a service that is “solely for the benefit of students and the school system” and is specific to “the educational context.”
If the service isn’t just for education, the operator and/or the school clearly has to get verifiable consent directly from parents.
How are schools supposed to determine if a website or app is strictly educational?
Now you’re starting to see just how tricky this can get.
In its FAQs, the trade commission does provide a helpful list of questions for schools to ask operators when seeking to make this determination.
First and foremost, what information will be collected, and how will it be used?
And more specifically, will any information collected from children under 13 be used or shared for commercial purposes unrelated to education? Are schools allowed to review the information collected on students? Can schools request that student info be deleted?
If the answers to that second group of questions are, respectively, yes, no, or no, schools are not allowed to grant consent on behalf of parents, according to the FTC.
That sounds fairly straightforward.
In reality, it’s not.
Fitzgerald of Common Sense Media laid out a number of areas where this can get complex.
In many cases, he said, companies include in their terms of service a provision that it’s the school’s responsibility to get verifiable consent from parents. Companies may even stipulate that schools using their service are required to retain proof of that consent and produce it on demand. If it’s in the terms of service, it can be binding for schools that use the product, Fitzgerald said. The takeaway, he said, is that schools should read carefully all terms of service before letting students use a website, online service, or app.
Is that it?
No. Many vendors also allow third-party trackers (usually related to analytics or advertising) to be embedded into their sites and services. This complicates things tremendously, on all sides.
In its FAQs, the FTC says that operators are responsible for determining the “information-collection practices of every third party that can collect information” via their app, service, or site. And in response to questions from Education Week, FTC staff members went even further, writing that “generally speaking, an operator must disclose the existence of any third-party tracking services that are collecting personal information from children using the operator’s website or online service.”
In practice, though, vendors often don’t provide that information to schools, or do so only in vague or conditional terms. In response to questions from Education Week, FTC staff said operators that don’t adequately disclose the activity of third-party trackers that collect information from users under 13 cannot obtain informed consent from either parents or schools. That declaration could have huge implications.
Is that it?
Not quite. There’s also a bigger reality that places schools in a bind when determining if and how they can grant COPPA consent on behalf of parents: Many of the online services in schools have both educational and commercial versions and applications.
Think about Google, for example. It’s not at all unusual for students to enter one of G Suite’s educational services through their student accounts, then venture out from there to one of Google’s commercial services, like Maps or Search.
For years, Google has declined to provide detailed answers to questions about exactly how it collects and uses information generated by students in those circumstances—making it difficult for schools to determine for COPPA purposes whether G Suite is strictly for the benefit of schools and students within the “educational context.”
That must worry educators. Can schools be held liable for COPPA violations, or for improperly granting consent to a company that commits COPPA violations?
There are a number of ways to think about this.
First, here’s how FTC staff responded when Education Week posed this exact question: “COPPA applies to operators of commercial websites and online services. COPPA does not apply to schools.”
For Trainor of the Council of School Attorneys, though, the legal considerations for schools aren’t quite so cut-and-dried. Here’s what she had to say:
“I wouldn’t say the liability concerns for schools are so extreme that they should be put above more everyday concerns, like budgets or student achievement. But I would say that school leaders should be aware that this is a fuzzy area of the law. And school boards should be asking their attorneys and state board associations what kind of liability might exist in their state.”
And then there’s the broader issue of public trust and perception. If a school grants consent for an operator to collect information from young children, and that company turns around and violates COPPA, the school may not face any legal liability. But it’s almost certain the school will have some angry parents to contend with.
OK, let’s get practical for a second. How do schools notify parents and get their consent under COPPA?
Often through an Acceptable Use Policy or similar document that is sent home to parents at the beginning of the school year, said Fitzgerald of Common Sense Media. Sometimes, such a document describes the types of online services a school intends to use, what types of information they may collect, and how that information might be used. Even better, Fitzgerald said, is when schools provide a detailed list of exactly what websites/online services/apps students will be using, and what the information practices of each are.
This probably isn’t as straightforward as it sounds, either.
For one thing, some privacy experts say that a one-time, blanket sign-off at the beginning of the school year may not be considered valid notification and consent under COPPA, especially if it doesn’t list the specific online services that children will be using.
Who in the school should be responsible for granting COPPA consent?
In its FAQs, the FTC recommends that this happen at the school or district level, and that responsibility for deciding “whether a particular site’s or service’s information practices are appropriate” not be delegated to teachers.
Many districts do in fact have that kind of review-and-approval process.
But don’t many teachers also make their own decisions about what sites and apps they use?
In fact, that’s the explicit business model of a lot of ed-tech companies: Go around (often slow, tedious) district approval processes by marketing directly to teachers and hoping for viral growth.
But that presents a couple of problems.
One is “click-wrap agreements.” Often, these are the kinds of agreements that almost all of us are guilty of just clicking through without actually reading. Significantly, FTC staff said that “typically, a click-wrap agreement on its own would not suffice” to meet COPPA standards around notification and consent. This point could have big implications for both companies and schools.
More broadly speaking, it’s still unclear whether a teacher can enter into a contract and provide COPPA consent on behalf of parents, even if it’s not via a click-wrap agreement, said Amelia Vance, the education-privacy-policy counsel at the Future of Privacy Forum.
Many schools seek to avoid any situation where a teacher can incur liability on behalf of the district—and for good reason, she said.
“You just naturally have less due diligence when a teacher is the one signing up,” Vance said. “They have a million things to do in a day, and that doesn’t often include going through detailed privacy policies on a company’s website to verify that it’s in compliance with COPPA.”
Does consent for a child to use a site/service/app carry over from year to year, or do schools need to get fresh consent each school year?
This is yet another gray area that’s been troubling schools. The FTC provided some helpful insights to Education Week. Here’s what commission staff wrote in their response to our question:
“The consent [granted by a parent or school under COPPA] is specific to the particular website or online service offered and is not tied to the specific class or school year. However, COPPA requires the provider of the site or service to obtain a separate consent for any material change to its data collection or use practices.”
In practice, Fitzgerald said, this appears to mean that a parent or school granting a company consent to collect information online from a child “basically lasts forever.”
That would seem to be true even if the nature of the site or service evolves dramatically over time, Vance added.
What about when kids move?
In this situation, the new school enrolling the child “should ensure that it has received the necessary notice from the operator and given consent for the child’s use,” according to FTC staff.
In practice, Vance said, that appears to mean that COPPA consent is not transferable from school to school. That appears to be especially true when a child moves between states that may have different student-data-privacy laws of their own.
Vance also raised another question: When a child under 13 moves, what happens to the COPPA-covered information that companies hold on that child?
“The first thing parents do when they move is not go find all the companies who are storing their child’s information and make sure it’s deleted,” she said. “And there’s not really a clear process by which schools can go to companies and let them know a child is no longer there.”
Well, what’s the answer?
It’s not clear.
What happens when an operator collects information on a child under 13, and then that child turns 13?
According to FTC staff, COPPA does not require any new consent for newly collected personal information after a child turns 13.
Other privacy laws likely apply, though.
And FTC staff did have this to say, which again could have big implications for schools and ed-tech companies:
“An operator cannot combine the previously collected personal information [from a child under 13] with the newly collected personal information [from the same child, once he or she is 13 or older], to engage in uses beyond what had previously been consented to by either parents or a school. And of course, any data collected from a child under 13 can only be retained as long as is reasonably necessary to fulfill the purpose for which the information was collected.”
Let’s say a school successfully and appropriately provides COPPA consent for its students to use a particular app. Do parents still retain their rights under the law?
Good question. Remember, COPPA isn’t just about consent. It also requires operators to let parents review their children’s information, request that it be deleted, and more.
Unfortunately, the FTC’s response to Education Week didn’t provide much clarity.
Trainor, the director of the school attorneys’ group, said this is another gray area.
“I think parents might be able to make that request directly of an operator under COPPA,” she said. “But it’s fuzzy.”
What about schools? Under COPPA, can they request to review/delete the information collected from children under 13? Should they? Does this ever happen?
Yes, it does happen, but probably not as often as it should, privacy advocates say.
Fitzgerald of Common Sense Media is among those who would “love to see schools and parents get together and submit sample requests” just to see what happens.
What are the penalties for COPPA violations?
Operators can be hit with a civil penalty of up to $40,654 per violation.
For companies with lots of young users, that could potentially add up quickly, as the heads of the fictional video-chat company Pied Piper (from the popular HBO show “Silicon Valley”) discovered when they faced the possibility of $21 billion in COPPA penalties.
If a parent, school, or anyone else has a complaint, concern, or question about COPPA, they can email the FTC at [email protected].
Have any companies actually been sanctioned under COPPA?
The most recent was in 2015, when two developers behind popular kids’ apps such as My Cake Shop and Cat Basket agreed to pay $360,000 in civil penalties as part of a settlement with the FTC.
Large, well-known general-audience companies have been caught up in COPPA troubles, too. In 2014, Yelp agreed to pay a $450,000 civil penalty over a complaint that it had for years collected personal information from children without first getting parental consent.
And one of the larger COPPA settlements came in 2012, when the operator of fan websites for music stars such as Justin Bieber and Rihanna agreed to pay a $1 million civil penalty.
“Even a bad case of Bieber Fever doesn’t excuse [operators’] legal obligation to get parental consent before collecting personal information from children,” FTC Chairman Jon Leibowitz said at the time.