No COPPA Outs: The FTC Casts its Eye on Educational Technology Tools
Since the beginning of the COVID-19 pandemic and the accompanying increased reliance on remote learning, the availability and usage of educational technology (“EdTech”) tools has exploded. The increased use of EdTech tools has in turn led to a surge in the amount of children’s personal information collected and shared by EdTech companies. To that end, a recent study revealed that nearly 90% of EdTech tools analyzed and shared students’ data—including data collected about their contacts, locations, and keystrokes—with marketers and data brokers targeting children through internet-based advertisements.
In response, the Federal Trade Commission, which enforces the Children’s Online Privacy Protection Act (“COPPA”) through the COPPA Rule, has shown heightened interest in data collection and sharing practices in the EdTech sector.
Late last month, the FTC voted unanimously to adopt a new Policy Statement on Education Technology and the Children’s Online Privacy Protection Act addressing the use of EdTech tools in children’s schooling. In the four-page document, the Commission emphasized its concern that children are a “captive audience” who are targeted with advertising while pursuing an education. Moreover, the FTC explained, with the increase in school-issued applications on home computers and school-issued devices in homes, the potential for the collection and distribution of personal information relating not just to children, but also to their families in general, is nearly limitless if not checked.
The Policy Statement thus explains that the FTC intends to take a hardline approach when investigating COPPA violations by EdTech providers, and highlights four aspects of COPPA compliance to which the agency intends to give special attention going forward:
- the prohibition against mandatory collection of children’s personal information;
- prohibitions on secondary commercial uses of children’s personal information;
- limitations on the retention of children’s personal information; and
- the implementation of reasonable security measures to protect children’s personal information.
This post explores the Policy Statement’s discussion of each of those aspects of COPPA compliance, and what EdTech providers can do to avoid raising the FTC’s ire.
Prohibition Against Mandatory Collection
Consistent with the express language of the FTC’s COPPA Rule, the Policy Statement confirms that EdTech companies cannot “condition participation in any activity on a child disclosing more information than is reasonably necessary for the child to participate in that activity.” For example, the Policy Statement explains, an EdTech provider that does not reasonably need to email students cannot condition a student’s access to their schoolwork on the student’s provision of their email address.
In line with that FTC’s guidance, EdTech providers should scrutinize the scope of their data collection activities to ensure that those activities are narrowly tailored to what is necessary to enable the EdTech provider to deliver its offering to the student. In other words, the FTC has made clear that when it comes to EdTech offerings subject to COPPA, data minimization is the name of the game.
The Policy Statement also reminds EdTech companies that they are strictly limited in how they may use personal information collected from children in the educational context. As the statement explains, when an EdTech provider is relying on consent provided by a school to collect the child’s personal information, COPPA prohibits the provider from using that information for its own commercial purposes unrelated to the provision of the school-requested online service.
The FTC’s prior guidance on this issue notes that using students’ personal information in connection with online behavioral advertising, and building user profiles for commercial purposes that aren’t related to the provision of the online service, are examples of commercial purposes for which a provider cannot rely on authorization from a school. Instead, if a provider intends to use a child’s personal information for those purposes, it must obtain consent directly from the child’s parent.
The Policy Statement also highlights the COPPA Rule’s restrictions on retaining children’s personal information. To that end, the FTC reminds EdTech providers that they must not retain children’s personal information longer than is reasonably necessary to fulfill the purpose for which it was collected, and makes clear that retaining that information for “speculative future potential uses” is not reasonable.
Thus, EdTech providers should assess their data retention policies and procedures to make sure they are not holding onto children’s personal information for longer than necessary, and that they take appropriate measures to securely delete the information once it is no longer necessary.
Finally, the Policy Statement emphasizes the critical role that data security plays in COPPA compliance by making it clear that a failure to implement reasonable security measures is an actionable violation of COPPA “even absent a breach.”
EdTech providers should thus assess their data security programs to confirm that the measures it takes to protect children’s personal information are reasonable and up-to-date in light of known threats to the confidentiality, security, and integrity of children’s personal information. Those measures should include a plan to securely dispose of children’s data once the company no longer has a legitimate purpose for holding it or upon request by a parent.
The Policy Statement is a clear signal that, going forward, the FTC intends to pay increased attention to EdTech providers, and will take action when it believes they have failed to adhere to their obligations under COPPA, including and especially in the four areas of focus noted above.
Please reach out to any member of our team to discuss the Policy Statement’s implications for your educational technology offerings, and how to align your company’s compliance practices with FTC expectations and reduce associated legal risk.