Earlier this week, the Federal Trade Commission and Department of Education announced plans to hold a joint workshop on the application of the Children’s Online Privacy Protection Act (“COPPA”) and the Family Educational Rights and Privacy Act (“FERPA”) to educational technology products and services in the K-12 school environment.  In advance of the workshop, the FTC and Department of Education are soliciting comments on several key questions regarding COPPA and FERPA compliance for educational technology providers.  This is a valuable opportunity for Ed Tech providers to provide feedback to both agencies on the practical application of COPPA and FERPA in this arena.

The FTC’s announcement cited the increasing use of “Ed Tech” in the K-12 environment, including school-issued personal computing devices and online curriculum, as the impetus for holding the workshop.  The FTC enforces the COPPA Rule, which governs the online collection, use, and disclosure of personally identifiable information from children under the age of 13.  The Department of Education, on the other hand, has enforcement power over FERPA, which governs the use and disclosure of personally identifiable information in students’ education records.

The stated aim of the workshop is to “gather information to help clarify how the FTC and ED can ensure that student privacy is properly protected without interfering with the promise of Ed Tech.” The FTC and the Department of Education have thus indicated a willingness to explore updating prior guidance on COPPA and FERPA to account for the increasing prominence of Ed Tech as well as the compliance experience of schools and providers

The announcement states that the FTC and Department of Education staff are seeking comment on the following questions:

  • Are the joint requirements of FERPA and COPPA sufficiently understood when Ed Tech providers collect personal information from students?  Are providers and schools adhering to the requirements in practice?
  • What practical challenges do stakeholders face in simultaneously complying with both COPPA and FERPA?
  • Under what circumstances is it appropriate for a school to provide COPPA consent, and what process should the Ed Tech provider use to obtain consent?  Who has the authority to provide and revoke consent and how?
  • COPPA and FERPA both limit the use of personal information collected from students by Ed Tech vendors.  What are the appropriate limits on the use of this data?
  • How should requirements concerning notice, deletion, and retention of records be handled and by whom and when?
  • Schools often use the “School Official Exception” to FERPA’s written consent requirement when disclosing personally identifiable information from education records to Ed Tech providers.  In your experience, what are some of the ways in which schools maintain “direct control” over Ed Tech providers under FERPA’s “School Official Exception?”  Should there be alignment between the “School Official Exception” and schools’ ability to provide consent for purposes of COPPA?

The FTC will accept comments in response to these topics through November 17, 2017.  The workshop is scheduled for December 1, 2017, and the FTC and Department of Education will publish an agenda and list of speakers for the workshop at a later date.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Laura Kim Laura Kim

Laura Kim draws upon her experience in senior positions at the Federal Trade Commission to advise clients across industries on complex advertising, privacy, and data security matters. She provides practical compliance advice and represents clients in FTC and State AG investigations. Laura advises…

Laura Kim draws upon her experience in senior positions at the Federal Trade Commission to advise clients across industries on complex advertising, privacy, and data security matters. She provides practical compliance advice and represents clients in FTC and State AG investigations. Laura advises on a wide range of consumer protection issues, including green claims, influencers, native advertising, claim substantiation, Made in USA claims, children’s privacy, subscription auto-renewal marketing, and other digital advertising matters. In addition, Laura actively practices before the NAD, including recent successful resolution of matters for both challengers and advertisers. She is the Chair of Covington’s Advertising and Consumer Protection Investigations Group and participates in the firm’s Internet of Things Initiative.

Laura re-joined Covington after a twelve-year tenure at the FTC, where she served as Assistant Director in two divisions of the Bureau of Consumer Protection, as well as Chief of Staff in the Bureau of Consumer Protection and Attorney Advisor to former Chairman William E. Kovacic. She worked on key FTC Rules and Guides such as the Green Guides, Jewelry Guides, and the Telemarketing Sales Rule. She supervised these and other rule making proceedings and oversaw dozens of the Commission’s investigations and enforcement actions involving compliance with these rules. Laura also supervised compliance monitoring for companies under federal court or Commission order.

Laura also served as Deputy Chief Enforcement Officer at the U.S. Department of Education, where she helped establish a new Enforcement Office within Federal Student Aid. In this role, she managed investigations of higher education institutions and oversaw issuance of fines and adverse actions for institutions in violation of federal student aid regulations. Laura also supervised the borrower defense to repayment division and the Clery campus safety and security division.

Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.