Earlier this week, the Federal Trade Commission and Department of Education announced plans to hold a joint workshop on the application of the Children’s Online Privacy Protection Act (“COPPA”) and the Family Educational Rights and Privacy Act (“FERPA”) to educational technology products and services in the K-12 school environment.  In advance of the workshop, the FTC and Department of Education are soliciting comments on several key questions regarding COPPA and FERPA compliance for educational technology providers.  This is a valuable opportunity for Ed Tech providers to provide feedback to both agencies on the practical application of COPPA and FERPA in this arena.

The FTC’s announcement cited the increasing use of “Ed Tech” in the K-12 environment, including school-issued personal computing devices and online curriculum, as the impetus for holding the workshop.  The FTC enforces the COPPA Rule, which governs the online collection, use, and disclosure of personally identifiable information from children under the age of 13.  The Department of Education, on the other hand, has enforcement power over FERPA, which governs the use and disclosure of personally identifiable information in students’ education records.

The stated aim of the workshop is to “gather information to help clarify how the FTC and ED can ensure that student privacy is properly protected without interfering with the promise of Ed Tech.” The FTC and the Department of Education have thus indicated a willingness to explore updating prior guidance on COPPA and FERPA to account for the increasing prominence of Ed Tech as well as the compliance experience of schools and providers

The announcement states that the FTC and Department of Education staff are seeking comment on the following questions:

  • Are the joint requirements of FERPA and COPPA sufficiently understood when Ed Tech providers collect personal information from students?  Are providers and schools adhering to the requirements in practice?
  • What practical challenges do stakeholders face in simultaneously complying with both COPPA and FERPA?
  • Under what circumstances is it appropriate for a school to provide COPPA consent, and what process should the Ed Tech provider use to obtain consent?  Who has the authority to provide and revoke consent and how?
  • COPPA and FERPA both limit the use of personal information collected from students by Ed Tech vendors.  What are the appropriate limits on the use of this data?
  • How should requirements concerning notice, deletion, and retention of records be handled and by whom and when?
  • Schools often use the “School Official Exception” to FERPA’s written consent requirement when disclosing personally identifiable information from education records to Ed Tech providers.  In your experience, what are some of the ways in which schools maintain “direct control” over Ed Tech providers under FERPA’s “School Official Exception?”  Should there be alignment between the “School Official Exception” and schools’ ability to provide consent for purposes of COPPA?

The FTC will accept comments in response to these topics through November 17, 2017.  The workshop is scheduled for December 1, 2017, and the FTC and Department of Education will publish an agenda and list of speakers for the workshop at a later date.

Tags: Children, Children's Online Privacy Protection Act, COPPA, Department of Education, Family Educational Rights and Privacy Act, Federal Trade Commission, FERPA, FTC, student privacy
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager is a recognized leader in representing companies before federal and state regulators, and is renowned for advising on minor protection, AI, and state comprehensive privacy laws.

Lindsey chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their…

Lindsey Tonsager is a recognized leader in representing companies before federal and state regulators, and is renowned for advising on minor protection, AI, and state comprehensive privacy laws.

Lindsey chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and State Attorneys General on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence; data processing for robotics, autonomous vehicles, and other connected devices; biometrics; online advertising; the collection of personal information from children, teens, and students online; e-mail marketing; disclosures of video viewing information; and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Read more about Lindsey TonsagerEmail
Show more Show less
Photo of Laura Kim Laura Kim

Laura Kim has a proven track record of successfully resolving clients’ most important consumer protection matters before the FTC, State AGs, and the NAD. She is well-known for her insider knowledge of the FTC as well as her practical approach to accomplishing her…

Laura Kim has a proven track record of successfully resolving clients’ most important consumer protection matters before the FTC, State AGs, and the NAD. She is well-known for her insider knowledge of the FTC as well as her practical approach to accomplishing her clients’ objectives.

As chair of Covington’s Advertising & Consumer Protection Investigations practice group, Laura represents corporate and individual clients in investigations before the FTC and State Attorneys General. She also provides pragmatic compliance advice on a wide range of consumer protection issues, including substantiating claims involving generative artificial intelligence, environmental benefits, and “Made in USA.” She counsels brands on emerging issues involving influencers, consumer reviews, AI-generated content, and subscription autorenewals. Laura regularly represents both challengers and advertisers before the NAD, achieving favorable outcomes in matters involving artificial intelligence, influencers, and claim substantiation.

During her twelve-year tenure at the FTC, Laura served as Assistant Director in two divisions of the Bureau of Consumer Protection, Attorney Advisor to Chairman William E. Kovacic, and Chief of Staff to Bureau Director Jessica Rich. She oversaw major rulemakings—including the Green Guides and the Telemarketing Sales Rule—and supervised dozens of investigations and enforcement actions. As Assistant Director in the Division of Enforcement, Laura also supervised compliance monitoring and enforcement proceedings for companies under federal court or Commission order.

Read more about Laura KimEmail
Show more Show less
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less