Privacy Monday - March 23, 2015: COPPA Refresh
On Friday, the FTC published updates to the COPPA FAQs, the Commission’s compliance guide for businesses and consumers, to address how COPPA and the Amended COPPA Rule apply to educational institutions and to businesses that provide online services, including mobile apps, to educational institutions. Specifically, nearly a year after the last update to the “COPPA and Schools FAQs”, the Commission revisited its answers to FAQs M.1, M.2, and M.5 and deleted FAQ M.6 in an effort to streamline the FAQs and provide further clarity on the key topics of notice and consent, best practices for educational institutions, and the interplay between COPPA and other federal and state laws that may apply in the education space. Our blog post on the prior update to the COPPA and Schools FAQs is available here.
FAQ M.1 (1) discusses how an educational institution can consent to a website or app’s collection, use or disclosure of personal information from students in compliance with COPPA and other federal and state laws that may be applicable and what an operator must do to obtain consent from a school under COPPA, and (2) provides advice on best practices for schools. The answers to FAQ M.1 make it very clear that:
- school districts that contract with third-party website operators to offer online programs for the benefit of their students and the school system (e.g., homework help lines, individualized education modules, online research and organizational tools, or web-based testing services) may act as the parent’s agent and can consent to the collection and use of students’ information on the parent’s behalf, so long as the students’ information is collected for the use and benefit of the school and for no other commercial purpose;
- operators seeking consents from a school must provide the school with all the notices required under COPPA and, upon request from the school, must provide the school: (1) a description of the types of personal information collected; (2) an opportunity to review the student’s personal information and/or have the information deleted; and (3) the opportunity to prevent further use or online collection of a student’s personal information. Provided that the operator’s use of the child’s information is limited to the educational context authorized by the school, the operator can presume that the school’s authorization is based on the school’s having obtained the parent’s consent.
- as a best practice, schools should: (1) consider making such notices available to parents, and consider the feasibility of allowing parents to review the personal information collected, and (2) ensure that operators delete children’s personal information once the information is no longer needed for its educational purpose; and
- schools must consider their compliance obligations under: (1) the Family Educational Rights and Privacy Act (FERPA), a Federal law that protects the privacy of student education records and applies to all schools that receive funds under an applicable program of the U.S. Department of Education, and under the Protection of Pupil Rights Amendment; and (2) state laws, such as California’s Student Online Personal Information Protection Act (for more information on this law, please see our prior blog post) and laws in Oklahoma, Idaho, and Arizona requiring educators to include express provisions in contracts with private vendors to safeguard privacy and security or to prohibit secondary uses of student data without parental consent.
FAQ M.4 discusses schools’ obligations to notify parents when a school gives consent to a third-party website or online service operator to collect and use students’ personal information on the parents’ behalf. As a best practice, the FTC advises schools to notify parents of the identity of the websites and online services whose collection the school has consented to on the parents’ behalf (e.g., schools can identify websites and services that have been approved for use, either at the school level or the district level) and to consider making the operators’ direct notices regarding their information practices available to interested parents (e.g., via the school’s Acceptable Use Policy for Internet use, if one is in place; via a school website accessible to parents; or by providing parents a link to the information at the beginning of the school year).
FAQ M.5 discusses what information a school should seek from a third-party operator before entering into an agreement that permits the collection, use, or disclosure of personal information from students, and provides examples of what would constitute “commercial purposes.” The FTC recommends that schools consider and pose the following questions to operators in the process of making these important determinations:
- What type of personal information will the operator collect from students?
- How will the operator use this personal information?
- Will the operator use or share the students’ personal information for commercial purposes not related to the provision of the online services requested by the school (e.g., online behavioral advertising or building user profiles for commercial purposes not related to the provision of the online service)? The FTC makes it very clear that if the answer to this question is “YES,” the school cannot provide consent on the parents’ behalf.
- Does the operator enable the school to review and have deleted the personal information collected from their students? The FTC again makes it very clear that if the answer to this question is “NO,” the school cannot provide consent on the parents’ behalf.
- What measures does the operator have in place to protect the security, confidentiality, and integrity of the personal information that it collects?
- What are the operator’s data retention and deletion policies for children’s personal information?
As a part of this analysis, schools are reminded of their obligations under the Protection of Pupil Rights Amendment, which requires Local Educational Agencies (LEAs) to: (1) adopt policies and (2) provide direct notification to parents at least annually regarding the specific or approximate dates of, and the rights of parents to opt their children out of participation in, activities involving the collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling that information (or otherwise providing the information to others for that purpose).
The FTC noted in its official blog post announcing the updates that FAQ M.6 was deleted because the topic of that FAQ is already covered in FAQs M.1 and M.2. FAQ M.6 presented a hypothetical scenario in which students’ activities, and the associated collection or disclosure of their personal information, extended beyond school-related activities (e.g., a teacher wants her/his students to share information for class projects using a publicly available online social network that permits children to participate with prior parental consent), and advised schools, as a best practice, to notify parents of the school’s intent to allow children to participate in such online activities before providing consent on the parents’ behalf.