On May 19, the Federal Trade Commission (“FTC”) adopted, on a unanimous basis, a policy statement reminding educational technology vendors (“ed tech vendors”) of their duty to comply with the substantive privacy protections of the Children’s Online Privacy Protection Act (“COPPA”) and the Commission-issued COPPA Rule. The policy statement reiterates the requirements of the Rule and previous informal guidance from Commission staff, and makes clear that ed tech vendors may not submit children to commercial surveillance and data monetization practices when using technology in the classroom.
The FTC’s COPPA Rule, which became effective in 2000 and was most recently amended in 2013, is intended to place parents in control over the information collected from their children online. A major component of the Rule is that commercial online operators must (1) provide parents with notice of data collection and (2) obtain parental consent before the collection of personal information of children under age 13.
Recognizing the unique benefits of ed tech, the new policy statement reminds ed tech vendors that their compliance with the Rule extends beyond the notice and consent requirement. Specifically, the FTC intends to scrutinize the activities of ed tech vendors in the following areas:
- Prohibition against mandatory collection of data: Ed tech vendors may not force students to disclose more personal information than necessary as a condition of student participation in an educational activity.
- Data use prohibitions: If ed tech vendors are relying on school authorization for the collection of children’s personal information, they may only use that information to provide an educational service. In this context, ed tech vendors are prohibited from using children’s personal information for any commercial purpose, including marketing and advertising. While not in the text of the policy statement, Chair Khan also suggested ed tech vendors should not use children’s personal information as part of a score, algorithm, or commercial database.
- Data retention prohibitions: Ed tech vendors may not retain children’s personal information for longer than necessary to fulfill the purpose for which the data was collected, nor may ed tech vendors retain children’s personal information for future speculative uses.
- Data security requirements: Ed tech vendors must have reasonable procedures to maintain the confidentiality, security, and integrity of children’s personal information.
Commissioner Bedoya offered additional concrete guidance in regards to tracking data. While he agreed that some tracking information is needed to provide services to children, he advised online operators to innovate by creating tracking mechanisms that protect privacy. For example, he recommended the use of hashed identifiers that cannot be used to track children’s activities across platforms.
While the policy statement was adopted unanimously, Commissioners Phillips and Wilson both emphasized that the statement merely reflects the current Rule and Commission guidance, and urged the FTC to focus its efforts on completing the COPPA rulemaking process started in 2019.