Update: On March 20, 2015, the Federal Trade Commission quietly announced further slight modifications to “Part M” of its FAQs pertaining to COPPA guidance for schools. First, the FTC deleted the FAQ M.6 hypothetical on whether educators may register students for online social networks because, the FTC said, it wanted to better streamline the FAQs and the hypo is addressed in FAQs M.1 and M.2. The FTC also revised FAQ M.1 to include language stating that, where a website or app operator limits use of a child’s information to the educational context authorized by the school, “the operator can presume that the school’s authorization is based on the school’s having obtained the parent’s consent.” New language in FAQ M.1 also encourages schools to make all notices that operators are required to provide to schools under COPPA available to parents, consider the feasibility of allowing parents to review personal information collected, and ensure operators delete personal information once no longer needed for the stated educational purpose. There is also a new note of caution that student data might also be protected under state laws, such as California’s recently-enacted Student Online Personal Information Protection Act.
Originally posted on April 29, 2014: As part of our ongoing updates on guidance the Federal Trade Commission offers through its Frequently Asked Questions (FAQs) relating to its updated Children’s Online Privacy Protection Act (COPPA) Rule, we note that recently the FTC quietly posted some updates to “Part M” of the FAQs, which contains guidance on “COPPA and Schools.” A redline showing the extent of the changes can be found here.
COPPA requires notice to parents and verifiable parental consent prior to the online collection of personal information from children under the age of 13, and is implemented by the FTC under the COPPA Rule. The FTC implemented the first major overhaul in the more-than ten-year existence of the COPPA Rule last year. Revisions included updates to account for technological developments and evolving popular online practices–primarily, social networking, smartphone Internet access, and the use of geolocation information. Since then, the FTC has periodically updated the COPPA FAQs to provide guidance on the revised, more complex COPPA regulatory framework.
In the current FAQ revisions, the FTC explains that insofar as schools are permitted to contract with third-party websites for online services designed to benefit their students and the school system, schools may consent to disclosure of children’s personal information on behalf of their parents, in certain circumstances. Principally, the school’s scope of authority to disclose the personal information is limited to the educational context. Consequently, operators cannot use the information obtained under consent granted by schools for any other commercial purposes. Operators must provide all required notices to the schools and, upon request, must give parents a chance to review the information submitted, delete the information provided, and prevent future use of their children’s information.
The FTC recommends as best practices that schools or school districts, rather than individual teachers, should decide whether to provide consent, and that they should notify parents regarding what websites/services have been granted consent to the collection of student data on behalf of the parents. To help parents exercise their rights under COPPA, the FAQs suggest that schools may want to give interested parents access to operators’ information use practices.
Under this rubric, schools must understand how operators will collect, use, and disclose students’ personal information, as well as whether the operator’s intended use will exceed the school’s ability to consent on the parents’ behalf. As another best practice, the FTC recommends that schools should effectively notify parents of their intentions before consenting on parents’ behalf to any activity where an educator wishes to allow students to share information for educational purposes on publically available social networks, and/or where the activity and collection/disclosure of student information will extend beyond school-related activities.
Finally, schools must in all cases also comply with the Protection of Pupil Rights Amendment (PPRA), which applies to programs receiving funds from the U.S. Department of Education (DOE). The PPRA protects parent and student rights by ensuring that schools (and contractors) make instructional materials available for inspection by parents if they are used in connection with DOE-funded surveys, analyses, or evaluations in which their children participate, and by requiring that schools (and contractors) obtain written parental consent before minor students are required to participate in any such DOE-funded activity that reveals:
- Political affiliations;
- Mental and psychological problems potentially embarrassing to the student and his/her family;
- Sex behavior and attitudes;
- Illegal, anti-social, self-incriminating and demeaning behavior;
- Critical appraisals of other individuals with whom respondents have close family relationships;
- Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers; or
- Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).
The updated FAQs should prove useful to educational institutions whose activities implicate the online provision of children’s personal information.