On May 19, the Federal Trade Commission (“FTC”) adopted, on a unanimous basis, a policy statement reminding educational technology vendors (“ed tech vendors”) of their duty to comply with the substantive privacy protections of the Children’s Online Privacy Protection Act (“COPPA”) and the Commission-issued COPPA Rule.  The policy statement reiterates the requirements of the Rule and previous informal guidance from Commission staff, and makes clear that ed tech vendors may not submit children to commercial surveillance and data monetization practices when using technology in the classroom.

The FTC’s COPPA Rule, which became effective in 2000 and was most recently amended in 2013, is intended to place parents in control over the information collected from their children online.  A major component of the Rule is that commercial online operators must (1) provide parents with notice of data collection and (2) obtain parental consent before the collection of personal information of children under age 13.

Recognizing the unique benefits of ed tech, the new policy statement reminds ed tech vendors that their compliance with the Rule extends beyond the notice and consent requirement.  Specifically, the FTC intends to scrutinize the activities of ed tech vendors in the following areas:

  • Prohibition against mandatory collection of data: Ed tech vendors may not force students to disclose more personal information than necessary as a condition of student participation in an educational activity.
  • Data use prohibitions: If ed tech vendors are relying on school authorization for the collection of children’s personal information, they may only use that information to provide an educational service.  In this context, ed tech vendors are prohibited from using children’s personal information for any commercial purpose, including marketing and advertising.  While not in the text of the policy statement, Chair Khan also suggested ed tech vendors should not use children’s personal information as part of a score, algorithm, or commercial database.
  • Data retention prohibitions: Ed tech vendors may not retain children’s personal information for longer than necessary to fulfill the purpose for which the data was collected, nor may ed tech vendors retain children’s personal information for future speculative uses.
  • Data security requirements: Ed tech vendors must have reasonable procedures to maintain the confidentiality, security, and integrity of children’s personal information.

Commissioner Bedoya offered additional concrete guidance in regards to tracking data.  While he agreed that some tracking information is needed to provide services to children, he advised online operators to innovate by creating tracking mechanisms that protect privacy.  For example, he recommended the use of hashed identifiers that cannot be used to track children’s activities across platforms.

While the policy statement was adopted unanimously, Commissioners Phillips and Wilson both emphasized that the statement merely reflects the current Rule and Commission guidance, and urged the FTC to focus its efforts on completing the COPPA rulemaking process started in 2019.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jenna Zhang Jenna Zhang

Jenna Zhang advises clients across industries on data privacy, cybersecurity, and emerging technologies. 

Jenna partners with clients to ensure their compliance with the rapidly evolving federal and state privacy and cybersecurity laws. She supports clients in designing new products and services, drafting privacy…

Jenna Zhang advises clients across industries on data privacy, cybersecurity, and emerging technologies. 

Jenna partners with clients to ensure their compliance with the rapidly evolving federal and state privacy and cybersecurity laws. She supports clients in designing new products and services, drafting privacy notices and terms of use, responding to cyber and data security incidents, and evaluating privacy and cybersecurity risks in corporate transactions. In particular, she advises clients on substantive requirements relating to children’s and student privacy, including COPPA, FERPA, age-appropriate design code laws, and social media laws.

As part of her practice, Jenna regularly represents clients in data privacy investigations and enforcement actions brought by the Federal Trade Commission and state attorneys general. She also supports clients in proactive engagement with regulators and policymakers to ensure their perspectives are heard.

Jenna also maintains an active pro bono practice with a focus on supporting families in adoptions, guardianships, and immigration matters.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.