On May 19, 2022, The Federal Trade Commission (FTC) revealed that they are “committed to ensuring that educational technology tools and their attendant benefits do not become an excuse to ignore critical privacy protections for children.” Specifically, the FTC will be more closely monitoring all companies covered by the Children’s Online Privacy Protection Act of 1998 (COPPA), with particular attention to ed tech, to ensure that children have access to educational tools without being subject to surveillance capitalism.
During the meeting, many FTC Commissioners indicated that ensuring children’s online privacy is one of the FTC’s top priorities. FTC Commissioner Noah Joshua Phillips and Commissioner Christine Wilson encouraged the commission to prioritize further work on the COPPA rulemaking process that they started three years ago.
The Policy Statement on Education Technology and the Children’s Online Privacy Protection Act passed by unanimous vote.
The FTC issued a new policy statement to clarify existing provisions in COPPA that often go overlooked.
FTC Chair Lina Khan emphasized that, while COPPA is known primarily for its notice and consent provisions, companies covered under COPPA should be on notice to comply with the provisions in COPPA that govern the collection, use, retention, and security of the data.
The following are the key points from the FTC’s Policy Statement:
Mandatory Data Collection Practices are Prohibited for Children’s Data.
COPPA-covered companies, including ed tech, may not require data collection (from the child) as a condition of the child’s ability to participate in the ed tech activity. “For example, if an ed tech provider does not reasonably need to be able to email students, it cannot condition the student’s access to schoolwork on students providing their email addresses.” COPPA-covered companies cannot collect any more data than is “reasonably necessary,” which prohibits the overcollection of data and establishes the key principle of data minimization. Commissioner Rebecca Kelly Slaughter asserted that COPPA provides the strongest data minimization law in the US, but it has not been fully enforced… yet.
There are Strict Limitations on the Use of Children’s Data.
Ed Tech Companies may only use children’s information for providing the education service(s). Children’s data may not be used for any commercial purposes, including advertising and marketing.
Children’s Data may not be retained for “longer than reasonably necessary to fulfill the purpose for which it was collected.”
Ed Tech Companies’ retention practices must be reasonable relative to the service being provided and the purpose for which the data was collected. Children’s data cannot be stored or retained for an indefinite duration.
COPPA-covered Companies must take reasonable security measures when maintaining Children’s data.
Notably, the FTC mentioned that, “even absent a breach, Ed Tech providers violate COPPA if they lack reasonable security.”
At the end of the policy statement, the FTC warns “going forward, the Commission will closely scrutinize the providers of these services and will not hesitate to act where providers fail to meet their legal obligations with respect to children’s privacy.”
A Step in the right direction
This policy is a welcome move from the FTC. Last year we published two in-depth K12 ed tech research papers that highlight how ed tech routinely shares kids’ data with advertisers and advertising networks. In Spotlight Report #4, we highlight one ad-supported platform in particular: MaxPreps (owned by ViacomCBS), which is included in several Blackboard school apps. MaxPreps continues to show behavioral (retargeting) ads to student users of these school apps as of the time of this writing (see this page from the MaxPreps site which includes retargeting ads: Emily Turpin | PCA, Christiansburg, VA | MaxPreps), even though we flagged this problematic service for the FTC back in December of 2021.
Commissioner Alvaro Bedoya noted in a tweet following the vote that the free apps that students are more likely to use “collect much more data than paid apps”. Which illustrates a key problem we’ve seen in our current US-wide benchmark: schools routinely endorse or mandate student use of off-the-shelf free apps or web services. These services don’t have contractual agreements with the schools regarding student data usage, nor are they properly audited for student data sharing.
In the case of MaxPreps, school athletic coaches can enter into relationships with the service on behalf of the school. This raises concerns about appropriate consent, in addition to the sharing of student data with countless advertising networks. Thus, it is crucial that these service providers comply with every aspect of COPPA.
More work to be done
There is more work to be done on the COPPA front. There are currently two proposed revisions to COPPA, one in the Senate and one in the House. Both of these address much needed updates to COPPA, and we’ll be publishing more details about them in future posts.