Last week the Federal Trade Commission announced on its blog that it has updated its frequently asked questions (FAQs) about the interplay between schools and the Children’s Online Privacy Protection Act (COPPA). Although nothing in the guidance is new, it is a good reminder of the often confusing rules governing consent for online services and apps in the school context.
What is COPPA?
COPPA and the related FTC regulation implementing it generally apply to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children. Operators covered by COPPA and the FTC rule must do a number of things to comply with the rule, including providing notice to parents about what data they collect and how they use it, and obtaining verifiable parental consent, with limited exceptions, before collecting personal information online from children.
Under COPPA and the FTC rule, there are some circumstances where a school district can collect the required parental consent to avoid having to coordinate between parents and the online service providers. That issue is what the FTC FAQs address, and the FTC updated them to streamline and clarify the rules, which are often confusing to stakeholders.
The FTC FAQs
So what’s in the FAQs? Here are key takeaways for school leaders:
- Schools can consent to a website or app’s collection, use or disclosure of personal information from students, but only where they are contracting with third-party website operators to offer online programs solely for the benefit of their students and for the school system, and for no other commercial purpose. The FAQs provide the example of homework help lines, individualized education modules, online research and organizational tools, and web-based testing services as permissible types of websites and apps for which a school can provide permission. Although not addressed in the FAQs, schools should have a form in place to collect consent for the services and apps it is using so that it can show that it has obtained the necessary parental consent if needed.
- In contrast, where an operator intends to use or disclose children’s personal information for its own commercial purposes in addition to the provision of services to the school, it will need to obtain parental consent and schools cannot consent for parents.
- In order for an operator to get consent from a school, the operator must provide the school with all the notices required under COPPA and comply with other requirements of COPPA, such as deleting children’s personal information once the information is no longer needed for its educational purpose.
- Perhaps the main takeaway is that any agreement between the website or app and the school has to address the requirements of COPPA and make clear that the website or app will only use the data collected for permissible purposes. The FAQs include a set of very useful questions that school districts can ask website or app contractors to ensure that COPPA is being adequately addressed.
The FAQs also address a number of other issues, such as what notice the FTC advises should be provided to parents when a school district enters into an agreement that includes providing consent for students under COPPA. The FAQs remind schools that even if an agreement complies with COPPA, moreover, care must be taken to ensure the agreement also comports with other federal laws, such as the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), and state laws. A state law in Illinois is working its way through the legislature and will likely be passed soon, and there are already laws on the books in numerous other states.
The FTC also advises that schools not allow individual teachers to decide when they can provide consent for students under COPPA. Rather, the school or school district should determine whether a particular site’s or service’s information practices are appropriate. I agree with this advice because even though it is not required by the law, it can keep schools out of quite a bit of trouble if teachers or other staff members misunderstand the legal requirements of these laws. School districts should put in place administrative procedures explaining to staff how to obtain authorization to use a particular website with students under age thirteen.
Finally, although not addressed in the FAQs, note that although COPPA does not require applying these rules to students over age 13, there may be practical and legal reasons to consider following similar steps for older students. For instance, some websites may require parental consent for students under age 18, regardless of whether they collect information from students or not. As a practical matter, school districts may want to have procedures in place to prevent inadvertently violating the terms of service for such sites.