Education Week has just published a new resource for schools about the Children’s Online Privacy Protection Act. This online explainer includes exclusive new information from the Federal Trade Commission on schools’ role under the complicated 1998 law, known as COPPA.
Broadly speaking, this federal law requires operators of commercial websites, online services, and mobile apps to notify parents and obtain their consent before collecting any personal information on children under the age of 13.
The FTC, which enforces the law, says schools may grant that consent on behalf of parents. So while COPPA doesn’t directly regulate schools, it does have big implications for them. The law is also of critical importance for a wide range of ed-tech companies.
Despite the law’s significance, there’s been a lot of uncertainty around COPPA. In the course of preparing our new explainer, Education Week tried to get as many answers as we could, especially from the FTC itself.
For the big picture and lots of details around schools and COPPA, read the full explainer. But here are five important new insights and clarifications that FTC staff provided in their written response to our questions.
1. Schools can in many cases offer COPPA consent in lieu of parents, rather than having to obtain consent from parents and pass it on to operators.
This was a significant gray area for many schools, according to Sonja H. Trainor, the director of the Council of School Attorneys for the National School Boards Association. Some school lawyers believed it was necessary for schools to actually obtain verifiable COPPA consent from parents for every child under 13, for each online service or product that collects personal information from kids. The FTC’s response here indicates that in most situations, however, schools’ primary responsibility is to notify parents, not obtain consent from them. (There are a lot of what-ifs and what-abouts, most of which are covered in the full explainer.)
2. The bar for disclosing third-party trackers is higher than many ed-tech companies may realize.
Here’s what FTC staff said in response to Education Week’s question on this issue:
Generally speaking, an operator must disclose the existence of any third-party tracking services that are collecting personal information from children using the operator’s website or online service. Absent such notice, the operator could not obtain consent.
3. “Click-wrap agreements” aren’t good enough.
COPPA requires operators of websites, online services, and mobile apps that are either targeted to children under 13, or used by children under 13 with the operators’ knowledge, to do two basic things: notify parents (and schools) about their information-collection and information-use practices, and obtain verifiable consent for those practices. Here’s what FTC staff had to say about whether click-wrap agreements (generally speaking, those company terms and conditions that users are asked to click “I agree” to before using a site or service) are adequate:
Typically, a click-wrap agreement on its own would not suffice to meet this standard. Additionally, operators would need to be careful that any notice provided through a click-wrap agreement did not include unrelated, confusing, or contradictory materials.
4. Once schools provide COPPA consent for a child to use a particular service, that consent generally carries across school years.
Here’s what FTC staff told Education Week on this issue:
The consent [granted by a parent or school under COPPA] is specific to the particular website or online service offered and is not tied to the specific class or school year. However, COPPA requires the provider of the site or service to obtain a separate consent for any material change to its data collection or use practices.
5. After a user turns 13, ed-tech (and other) companies are limited in what they can do with information collected on that user before he or she turned 13.
Again, direct from FTC staff:
An operator cannot combine the previously collected personal information [from a child under 13] with the newly collected personal information [from the same child, once he or she is 13 or older], to engage in uses beyond what had previously been consented to by either parents or a school. And of course, any data collected from a child under 13 can only be retained as long as is reasonably necessary to fulfill the purpose for which the information was collected.
A version of this news article first appeared in the Digital Education blog.