Think You Are COPPA Compliant? Think Again!
The education landscape is constantly evolving, with new learning environments, digital tools and a growing and complex set of federal and state regulations that govern students' digital privacy. Schools and service providers have a responsibility to students and their parents to safeguard data and adhere to privacy practices that are clear and transparent.
To protect students proactively and deliver a valuable online experience while supporting your brand and business growth, double-check that you are compliant with the Children’s Online Privacy Protection Act (COPPA) and back up your commitment to safeguarding students' privacy by signing the Student Privacy Pledge.
As an FTC-approved COPPA Safe Harbor since 2004, we have spoken with countless developers and online service providers who are quick to tell us they are COPPA compliant, or that COPPA is not triggered at all because no personal data is collected directly from children under 13. Companies also like to point out that their lawyer has confirmed they are COPPA compliant. After more than a decade in the trenches helping companies obtain COPPA certification, we can tell you that in most cases companies are not as buttoned up as they should be, especially in the school setting. A common blind spot is that persistent identifiers (cookies, device identifiers and the like, including those set by third-party analytics and advertising tags embedded in your pages) are personal information under the Rule, so a product that "collects nothing" may still be collecting. Just because your lawyer says you are COPPA compliant, think again. Have a third party audit your online service or platform with scanning and tracking tools that can enumerate every third party running in your properties. The audit should also include a human review that walks through the product as a child, a teen, a parent, a teacher and a general consumer would. We recommend repeating these reviews quarterly, since a single new SDK or tag added by any party involved can drop you out of compliance.
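The first step of the third-party audit described above is an inventory: which outside hosts does a page actually pull scripts, pixels, frames and stylesheets from? The following is an added example written for this article, not PRIVO's own scanner. It statically parses a page's HTML with Python's standard library, resolves relative and protocol-relative references against the page URL, and reports every resource host that is not among the domains the operator says it owns. The sample page, the hostnames in it and the `owned_domains` list are all constructed for illustration. A static scan is only a baseline: tags injected at runtime by JavaScript (tag managers, ad loaders) only show up in a browser-driven crawl that captures live network requests, which is why the article recommends a scanning tool plus a human walk-through.

```python
"""Inventory third-party resources referenced by a page (offline, constructed HTML).

Added example for the third-party audit discussed above; not PRIVO's tooling.
Assumptions: the page's HTML, its URL, and a list of hostnames the operator
controls. Anything loaded from outside that list is reported as third party.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that cause a fetch, per tag we inventory. <a href> is a link, not a load.
RESOURCE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "embed": ("src",),
    "object": ("data",),
}

# <link> rel values that actually trigger a request (or a connection) to the host.
FETCHING_LINK_RELS = {"stylesheet", "preload", "prefetch", "preconnect", "dns-prefetch", "icon"}


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of external resources referenced in the markup."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() not in FETCHING_LINK_RELS:
            return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if value and not value.startswith(("data:", "javascript:", "#")):
                # urljoin resolves "/static/x.js" and "//host/x.js" against the page URL.
                self.urls.append(urljoin(self.page_url, value.strip()))


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_first_party(host, owned_domains):
    """True if host equals, or is a subdomain of, a domain the operator controls."""
    return any(host == d or host.endswith("." + d) for d in owned_domains)


def audit_third_parties(html, page_url, owned_domains):
    """Return {third_party_host: [urls]} for resources loaded from outside owned_domains."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    owned = [d.lower() for d in owned_domains] + [host_of(page_url)]
    report = {}
    for url in collector.urls:
        host = host_of(url)
        if host and not is_first_party(host, owned):
            report.setdefault(host, []).append(url)
    return dict(sorted(report.items()))


# Constructed sample: a fictional homework site pulling in several outside hosts.
# The 1x1 pixel carrying "uid=123" is the kind of persistent identifier that makes
# a "we collect nothing" claim wrong under the Rule.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.example-cdn.net/k12.css">
<script src="/static/app.js"></script>
<script src="//analytics.example-tracker.com/collect.js"></script>
<script src="https://ads.example-adnet.com/tag.js"></script>
</head><body>
<img src="https://static.homeworkhelp-example.com/logo.png">
<img src="https://pixel.example-tracker.com/p.gif?uid=123" width="1" height="1">
<iframe src="https://video.example-host.com/embed/42"></iframe>
<a href="https://twitter.com/example">social</a>
</body></html>
"""

if __name__ == "__main__":
    report = audit_third_parties(
        SAMPLE_HTML,
        "https://www.homeworkhelp-example.com/lesson/1",
        owned_domains=["homeworkhelp-example.com"],
    )
    for host, urls in report.items():
        print(host)
        for u in urls:
            print("   ", u)
```

Run it against the sample and five outside hosts are reported; `www.` and `static.homeworkhelp-example.com` are treated as first party and the Twitter anchor is ignored because a plain link does not load anything. Every host in the output is a party that needs a contract, a privacy review and, if it sets identifiers on children's devices, a consent basis.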
COPPA compliance matters now more than ever.
Companies used to leave security out of their design processes. Now we can’t afford to. The same is true of privacy, especially where children are concerned. With more kids online on their own devices, Europe’s General Data Protection Regulation (GDPR) now in force, and widespread acknowledgement that all consumers, not just the youngest, need better data security and privacy protections, companies cannot turn a blind eye to COPPA compliance. Civil penalties for violating the Rule were recently increased to up to $41,484 per violation.
Since the COPPA Rule took effect, the FTC has brought 31 cases to enforce it, in addition to enforcement by state attorneys general, such as New York’s Operation Child Tracker and the New Mexico AG’s suit against Google, Twitter and other companies for violating children’s privacy.
In 2018, a record-setting COPPA settlement with Verizon’s Oath (formerly AOL) cost the company $5 million, and in February 2019 the video social networking app Musical.ly, now known as TikTok, settled for $5.7 million. Then last week the FTC settled an enforcement action against Unixiz, Inc., operator of the website i-Dressup.com, over several aspects of the site that failed to comply with COPPA, from its parental consent provisions to its data security requirements. It is only a matter of time before a major enforcement action lands in the EdTech space.
Besides the obvious cost of the fine, companies need to factor in PR and legal fees, along with the damage done to the company’s brand. Whether you are a parent or a business that interacts with kids, violations of children’s online privacy cost everyone.
How to comply with COPPA?
COPPA requires that online services and operators adhere to specific guidelines regarding the collection and handling of personal information (PI). Here are some tips on how to comply:
- Understand how to define and handle your audience under COPPA.
- Understand what constitutes personal information (e.g., user generated content, first & last name, persistent identifiers, etc.).
- Notify parents and get their verifiable parental consent before collecting, using, or disclosing a child’s personal information, unless the collection fits into one of the Rule’s exceptions. [See Schools and consent under COPPA section below.]
- Understand the different levels of parental consent depending on what data is collected and if it is shared or made public.
- Practice data minimization: do not retain personal information longer than is reasonably necessary for the purpose for which it was collected.
- Take reasonable measures to avoid loss or exposure of personal information when deleting it from your records.
- Provide parents access to review, request deletion of and withdraw consent for collection of personal information from their child.
Schools and consent under COPPA
When a school district has a contract in place with publishers and online service operators (e.g., web-based testing services, education learning modules, homework help-lines, online research and organizational tools) the schools may act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf.
However, it’s important to note that the school’s ability to consent for the parent is limited to the educational context, where an operator collects personal information from students for the use and benefit of the school and for no other commercial purpose (FTC COPPA FAQs, M.1). The operator must provide the school with all the notices required under COPPA and, upon request from the school, must provide the school the following:
- a description of the types of personal information collected from the students;
- the opportunity to review students’ personal information and/or have the information deleted;
- the opportunity for the school and their students’ parents to opt out/prevent further use or online collection of their students’ personal information.
Publishers and online operators will still need to obtain parental consent if they intend to use or disclose children’s personal information for their own commercial purposes beyond providing the service to the school. Operators may not use personal information collected from children on the basis of a school’s consent for any other commercial purpose, because the scope of the school’s authority to act on behalf of the parent is limited to the school context.
Where an operator gets consent from the school rather than the parent, the operator’s method must be reasonably calculated, in light of available technology, to ensure that a school is actually providing consent, and not a child pretending to be a teacher, for example. For more details, visit the FTC’s COPPA FAQs, section M where COPPA and schools are addressed.
Other laws to take into consideration
Students may be protected under state law, too. The Data Quality Campaign reported that 49 states introduced over 400 bills related to student data privacy from 2013 to 2016. To date, 73 of those bills have been signed into law across 36 states, and the number is growing. For example, Oklahoma, Idaho, and Arizona require educators to include express provisions in contracts with private vendors to safeguard privacy and security or to prohibit secondary uses of student data without parental consent.
California’s Student Online Personal Information Protection Act, among other things, places restrictions on the use of K-12 students’ information for targeted advertising, profiling, or onward disclosure.
Schools must also consider their obligations under the Family Educational Rights and Privacy Act (FERPA), which gives parents certain rights with respect to their children’s education records. For general information on FERPA, see https://studentprivacy.ed.gov/.
Schools have a lot on their plate, including integrating new online tools that they may or may not be comfortable analyzing or approving for school use. They have their own privacy regulations to adhere to and as a commercial operator under COPPA, you have yours.
If you haven’t already secured an agreement with the school district, know your responsibility as a commercial operator and make sure you are 100% COPPA compliant. As a commercial operator, obtaining parental consent is your responsibility. Asking an educator to help by delivering a privacy notice to parents, and perhaps obtaining the mandated consent on your behalf, may or may not be acceptable depending on the school district’s policy. Do your homework. Make sure you are not turning a blind eye to educators stepping outside their role and assuming the parents’ rights and responsibilities. Ultimately, you need to be transparent and diligent in your handling of students’ personal data. Building trust with school districts, educators and parents is foundational.
About the Author
Denise G. Tayloe is a recognized leader and authority in children’s online privacy, customer identity and consent management. Tayloe's company helps organizations navigate the opportunities and challenges of implementing the Children's Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR) for minors and student digital privacy in the US. For more information, visit http://www.privo.com/