In late April, the Federal Trade Commission announced updates to its Children's Online Privacy Protection Act (COPPA) FAQs to clarify COPPA's application in schools, outlining both requirements and best practices for schools and data vendors.
Recognizing that school districts are increasingly using third-party online tools to aid in education (e.g., online research and organization tools, homework help-lines, web-based testing, and personalized education modules), the revised FAQs clarify that schools may consent on parents' behalf to a website or mobile app's collection, use, or disclosure of students' personal information, so long as that collection, use, or disclosure is solely for the benefit and use of the school and not for any commercial purpose. Schools must, therefore, ensure that they understand a vendor's stated purposes behind its information collection, use, and disclosure practices. If the vendor intends to use the student information for online behavioral advertising (i.e., advertising based on a user's online activities over time and across websites), creating commercial "user profiles," or otherwise using or sharing the information for any commercial purpose, schools may not consent on behalf of parents.
In two new FAQs, the FTC offers additional best practices for schools. The FTC recommends that schools or school districts, rather than individual teachers, be responsible for determining whether an operator's information practices are appropriate. The FTC also recommends that schools be fully transparent with parents about their information practices. For example, the new FAQs recommend that schools voluntarily share information with parents about any approved vendors, by identifying the approved sites and services and/or by providing these vendors' direct notices about their information practices. In addition, the FAQs recommend that schools provide links to, or host on their website, the school's Acceptable Use Policies for Internet Use. Another revised FAQ recognizes that schools may consent to students using publicly available social media, which may collect and disclose students' personal information outside the school-related context. The FAQ recommends, however, that, as a best practice, schools notify parents of any plans to use social media before giving consent.
Finally, the revised FAQs clarify that operators must comply with COPPA's other requirements, even when school consent is given. They must, for example, provide schools with required notices (of data collection, use, and disclosure), and must provide requesting parents a description of data collected, an opportunity to review and/or delete their children's data, and the option to opt-out of further collection and use. The FAQs reiterate that operators may not use student data for any commercial (or non-educational) use, and must ensure their methods for obtaining consent are "reasonably calculated, in light of available technology, to ensure that a school is actually providing consent, and not a child pretending to be a teacher, for example."
Reflecting the nationwide increased scrutiny of information practices affecting students, the FTC's revised guidance comes on the heels of an announcement that InBloom, a non-profit repository for public schoolchildren's data, will close its doors after parents and lawmakers raised concerns about children's privacy and data security. The Gates Foundation-funded start-up was much heralded for its potential to help schools "personalize" student learning: InBloom would enable schools to aggregate student data in an encrypted, cloud-based database, which schools could then feed into software tools that would help teachers customize their teaching to their students' particular needs. However, some parents, privacy advocates, and lawmakers raised concerns about the sensitivity of the data being shared with third parties, parents' potential loss of control over that data, and the possibility that inBloom could become an attractive target for hackers. With the FTC's, parents' and lawmakers' focused attention on children's privacy, and the recent example of InBloom's demise, educators and online educational vendors alike would be well advised to engage parents early and often on partnerships that implicate children's data collection.