New Regulatory Guidance on COPPA Puts the Spotlight on Student Privacy

Student privacy has become a hot topic as regulators and legislatures alike take a close look at how companies handle student data.  At the forefront of this issue is the Children’s Online Privacy Protection Act (COPPA), a federal statute enforced by the Federal Trade Commission (“FTC”) and designed to protect and regulate the collection of personal information from students younger than thirteen.  This is accomplished, in part, by requiring websites or other online services (collectively, “operators”) to get parents’ permission before they collect, use, or disclose a child’s personal information.  Among other things, COPPA also requires operators to properly secure the data they collect and disclose their information sharing practices.  To help organizations comply with COPPA, the FTC has published a list of Frequently Asked Questions (FAQs).  Although not binding, these FAQs provide valuable insight into how the FTC interprets COPPA and what it expects in terms of compliance.  Recently, the FTC revised the FAQs pertaining to student privacy and provided some much-needed clarity on the circumstances in which a school or educational institution may consent to the collection of information from students.  Here are a few highlights:

  • The prior FAQs acknowledged that schools could consent on behalf of the parent, but did not provide clear guidance on when the school could consent.  Instead, the FAQs noted that it would “depend on the nature of the relationship between the online service and the school or child, and the nature of the collection.”  The new FAQs make it clear that a school may consent to the collection of personal information on behalf of the parent, so long as the information is used solely for the benefit of the school.  Moreover, the revisions make it clear that information collected based on consent provided by a school may not be used for any other purpose.  The reasoning behind this revision is that the scope of the school’s authority to act on behalf of the parent is limited to the school context.  If an operator of an online service wants to use the information collected for commercial purposes, such as in connection with online behavioral advertising, then the operator cannot rely on consent provided by a school.  Instead, the operator must receive consent directly from the parent for those commercial purposes.
  • As previously mentioned, the prior FAQs created some uncertainty surrounding a school’s authority to consent to the collection of information.  As a result, operators often found themselves in a situation where they were seeking dual consent from both the school and the parent out of an abundance of caution.  The latest revisions have alleviated some of that burden by allowing operators to rely on the consent provided by the school, so long as the method of securing consent is reasonably calculated to ensure that a school is actually providing consent, and not a child pretending to be a teacher.  However, the FTC did not provide guidance on what is or is not reasonably calculated to ensure the individual providing consent is the school and not a child.
  • Although not addressed in the previous version, the latest FTC guidance points out that an operator is not required to provide notice of its privacy practices directly to the parents if notice was provided to the school.  This may seem counterintuitive, but the reasoning is that the school is the entity providing the consent and as a result, the operator must provide notice to the school, not the parent.  As a word of caution, the FTC strongly encourages schools to notify parents when consenting on their behalf and provide those parents with access to the privacy policies of operators who collect personal information using the school’s consent.  The FTC considers this recommendation a best practice that schools would be wise to heed.

The guidance provided by the FTC in the updated FAQs should prove useful to educational institutions and companies who provide online services to those institutions.  It is worth pointing out that receiving consent from a school does not exempt the operator from other COPPA requirements.  An operator must still provide the school with the required privacy notices and give parents the opportunity to review the personal information collected from the child.  If the operator does not enable parents to review information collected from their children and delete that information if requested, then the school cannot provide consent on the parents’ behalf.  This highlights the importance of evaluating the operator’s information practices before the school provides consent.  Remember, compliance with COPPA should not be the only consideration.  The FTC points out that schools must also comply with the Family Educational Rights and Privacy Act and the Protection of Pupil Rights Amendment.

There is no doubt that the FTC is taking a close look at student privacy, but it is not the only one.  Last month, Kentucky enacted H.B. 232, a breach notification law that includes a separate provision addressing the privacy of student data.  Unlike other breach notification laws, H.B. 232 restricts the ways in which student data is stored in the cloud and prohibits cloud providers from processing student data without parental permission for “any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services.”  But unlike COPPA, H.B. 232 does not have a provision allowing schools to consent on the parents’ behalf.  At least two other states, California and Louisiana, are considering legislation related to student data, and earlier this month, the White House released a report calling for an update to student data privacy laws, citing a need to protect students against their data being shared or used inappropriately.

For some companies, the increased scrutiny on student privacy is becoming too much to handle, with at least one cloud provider shutting down entirely.  As reported in the New York Times, inBloom was a non-profit corporation offering a cloud storage system to public schools to help manage student data.  Citing regulatory issues and increased public concern about data misuse, inBloom decided to close its doors.

In a similar although less drastic development, Google announced that it would no longer scan student or teacher Gmail messages or use data from its “Apps for Education” product for advertising purposes.  Previously, Google did not place ads in its education apps, but the company still scanned them for information that was later used to target ads to other users.  Google had already been feeling the pressure as it faced a class action lawsuit in California surrounding these same practices.  However, its decision to halt the scanning of student data came less than a week after the publication of the revised COPPA FAQs and just days after the enactment of H.B. 232.

All of these developments confirm that student privacy has become a hot topic and illustrate how companies continue to struggle with how to properly collect and use student data.  This is no longer an issue that just affects schools.  All companies that collect, use or store student data should ensure they are in compliance with current regulation and pay close attention to any upcoming developments in this area of the law.