FTC Issues New Guidance Regarding Child Online Privacy Law in Light of COVID-19
April 2020
Number 32
In light of the COVID-19 pandemic, schools have transitioned to distance learning. Almost overnight, schools have become dependent on technology in order to provide students with education. This dependence, however, brings with it a multitude of questions, costs, and risks. For example, we all know that online user information is being actively gathered by countless companies. When schools provide access to district-owned or procured computers and software, is it the software company, the parents, or the school's responsibility to ensure students' information is not being improperly mined and utilized? Privacy laws are often overlooked, or viewed as barriers, as school administrators struggle to deliver educational programs. Recent guidance helps schools to streamline the process and includes the following measures:
The Federal Trade Commission (FTC) has issued guidance that reverses previous approaches on parental consent requirements under the Children's Online Privacy Protection Act (COPPA). COPPA outlines what companies must do to protect the online privacy and safety of children who use the companies' commercial websites, mobile applications, and online services. Generally, COPPA requires companies to provide notice and to obtain parental consent before collecting personal information online from children under 13 years old. On April 9, 2020, the FTC published a blog which included FAQs and guidance which ease requirements and allow schools to provide consent on behalf of parents for ed-tech vendors who provide educational services. The FTC limits their advisory to information collected for school-authorized educational purposes and not for other commercial purposes. Schools can provide such consent whether the learning takes place in the classroom or at home at the direction of the schools. In order for ed-tech services to obtain consent from schools instead of parents, the service must provide schools with notice of its data collection and use practices "in plain language." As a best practice, the FTC recommends that ed-tech vendors provide the required COPPA notice to parents as well as schools and to let parents review the data collected, when feasible.
Per the guidance from the FTC, schools must also provide parents with "notice of the websites and online services whose collection they have consented to" on their behalf. Additionally, school districts should consult with legal counsel and information security specialists to review their ed-tech vendor's privacy and security policies to determine whether the policies are appropriate. The guidance also details a list of questions that school districts should ask potential ed-tech vendors in order to understand how student information will be used, collected, and disclosed. COPPA is just one of many regulations that impact distance learning through technology. Understanding these practices will help school districts in deciding which technology to use in delivering distance learning programs to students during these difficult times.
The FTC guidance also directs ed-tech vendors to review the Protection of Pupil Rights Amendment (PPRA) and the Family Educational Rights and Privacy Act (FERPA) in order to ensure compliance with those laws. On March 30, 2020, the Student Privacy Policy Office at the United States Department of Education (SPPO), the organization responsible for implementing PPRA and FERPA, presented a webinar that addressed common scenarios and questions relating to compliance with FERPA during the pandemic. Notably, the presentation highlighted best practices and considerations for school districts when implementing virtual learning systems.
Relevant Links
The FTC's April 9, 2020, guidance is available at the following link:
https://www.ftc.gov/news-events/blogs/business-blog/2020/04/coppa-guidance-ed-tech-companies-schools-during-coronavirus
SPPO's March 30, 2020, webinar recording and presentation slides are available at the following links:
Related Resources
The legal and practical realities of the current crisis are ever-changing. In our continued effort to equip public agencies with useful insights, we have compiled a suite of links to several resource and guidance documents and webpages available from the federal and state governments regarding COVID-19. You can access them here: http://www.lozanosmith.com/covid19.php.
For more information on student privacy issues related to use of technology procured or owned by school districts, or to discuss any other issues arising from COVID-19, please contact one of our eight offices located statewide. You can also subscribe to our podcast, follow us on Facebook, Twitter and LinkedIn or download our mobile app.
Number 32
In light of the COVID-19 pandemic, schools have transitioned to distance learning. Almost overnight, schools have become dependent on technology in order to provide students with education. This dependence, however, brings with it a multitude of questions, costs, and risks. For example, we all know that online user information is being actively gathered by countless companies. When schools provide access to district-owned or procured computers and software, is it the software company, the parents, or the school's responsibility to ensure students' information is not being improperly mined and utilized? Privacy laws are often overlooked, or viewed as barriers, as school administrators struggle to deliver educational programs. Recent guidance helps schools to streamline the process and includes the following measures:
- Ed-tech companies must provide schools with notice of their data collection and use practices "in plain language."
- Schools are provided a list of questions to ask potential ed-tech vendors to learn how the student information will be used, collected, and disclosed.
- Ed-tech vendors are directed to review the student privacy laws to ensure their compliance.
The Federal Trade Commission (FTC) has issued guidance that reverses previous approaches on parental consent requirements under the Children's Online Privacy Protection Act (COPPA). COPPA outlines what companies must do to protect the online privacy and safety of children who use the companies' commercial websites, mobile applications, and online services. Generally, COPPA requires companies to provide notice and to obtain parental consent before collecting personal information online from children under 13 years old. On April 9, 2020, the FTC published a blog which included FAQs and guidance which ease requirements and allow schools to provide consent on behalf of parents for ed-tech vendors who provide educational services. The FTC limits their advisory to information collected for school-authorized educational purposes and not for other commercial purposes. Schools can provide such consent whether the learning takes place in the classroom or at home at the direction of the schools. In order for ed-tech services to obtain consent from schools instead of parents, the service must provide schools with notice of its data collection and use practices "in plain language." As a best practice, the FTC recommends that ed-tech vendors provide the required COPPA notice to parents as well as schools and to let parents review the data collected, when feasible.
Per the guidance from the FTC, schools must also provide parents with "notice of the websites and online services whose collection they have consented to" on their behalf. Additionally, school districts should consult with legal counsel and information security specialists to review their ed-tech vendor's privacy and security policies to determine whether the policies are appropriate. The guidance also details a list of questions that school districts should ask potential ed-tech vendors in order to understand how student information will be used, collected, and disclosed. COPPA is just one of many regulations that impact distance learning through technology. Understanding these practices will help school districts in deciding which technology to use in delivering distance learning programs to students during these difficult times.
The FTC guidance also directs ed-tech vendors to review the Protection of Pupil Rights Amendment (PPRA) and the Family Educational Rights and Privacy Act (FERPA) in order to ensure compliance with those laws. On March 30, 2020, the Student Privacy Policy Office at the United States Department of Education (SPPO), the organization responsible for implementing PPRA and FERPA, presented a webinar that addressed common scenarios and questions relating to compliance with FERPA during the pandemic. Notably, the presentation highlighted best practices and considerations for school districts when implementing virtual learning systems.
Relevant Links
The FTC's April 9, 2020, guidance is available at the following link:
https://www.ftc.gov/news-events/blogs/business-blog/2020/04/coppa-guidance-ed-tech-companies-schools-during-coronavirus
SPPO's March 30, 2020, webinar recording and presentation slides are available at the following links:
- Webinar Recording
- Webinar Presentation Slides
Related Resources
The legal and practical realities of the current crisis are ever-changing. In our continued effort to equip public agencies with useful insights, we have compiled a suite of links to several resource and guidance documents and webpages available from the federal and state governments regarding COVID-19. You can access them here: http://www.lozanosmith.com/covid19.php.
For more information on student privacy issues related to use of technology procured or owned by school districts, or to discuss any other issues arising from COVID-19, please contact one of our eight offices located statewide. You can also subscribe to our podcast, follow us on Facebook, Twitter and LinkedIn or download our mobile app.
As the information contained herein is necessarily general, its application to a particular set of facts and circumstances may vary. For this reason, this News Brief does not constitute legal advice. We recommend that you consult with your counsel prior to acting on the information contained herein.
