From Adventure Academy to Zoom: How to Select Educational Apps that Safeguard your Child’s Personal Data in the Era of At Home Learning

K-12 schools, colleges, and universities around the country have shuttered their doors—most, for the rest of the academic school year—in response to the COVID-19 pandemic.  Educational institutions are in uncharted waters, but most are rising to the occasion to provide engaging and robust online curricula to keep students educated and entertained.  For college students, most lectures as proceeding as usual, just from the comfort of home via Zoom.  K-12 schools are also turning to e-learning, using various platforms to offer students interactive experiences and activities.  But especially for younger students, parents are increasingly taking a hands-on approach and turning to home schooling their children through educational apps and other e-learning resources.  This proliferation of e-learning and educational technology (ed tech) presents increased privacy risks related to children’s unique vulnerabilities around data collection.    
  
To shed light on the significant privacy risks involved, the Campaign for a Commercial-Free Childhood, Center for Digital Democracy, and Institute for Public Representation at Georgetown University Law Center filed a request on March 26 for the Federal Trade Commission (FTC) to use its section 6(b) authority to conduct a study on companies collecting data from children, and another on ed tech companies that collect children’s data from them in schools.  They provided suggested questions and a list of companies for both the child data collection study and educational technology study.  

But parents can’t wait for the results of a federal agency privacy review.  They need to find educational tools now to make sure their children don’t fall behind during the pandemic.  Thus, they may not carefully read the privacy policies of the educational apps they choose, or understand what personal information is collected and how it is used.  Here, we highlight the relevant privacy laws that protect personally identifiable information as it relates to online learning and offer a few privacy pointers to keep in mind as learning goes digital. 

•    FERPA.  Whether K-12 or postsecondary learning is happening in physical classrooms or virtual ones, the Family Educational Rights and Privacy Act (FERPA) still applies to any educational institution receiving federal funding.  Note that FERPA does not apply to independent schools.  FERPA protects personally identifiable information (PII) in students’ educational records from unauthorized disclosure.  Parents should know, however, that if their child’s PII is disclosed pursuant to FERPA, a provider of an online learning software, for example, could collect metadata about student activity, including time spent online, desktop vs. mobile access, keystroke information, and success rates, and use it for a different purpose, if that information is properly de-identified.
•    Under FERPA, school districts and universities generally vet the ed tech tools they offer in order to verify that they appropriately safeguard students’ data and comply with FERPA, COPPA, and other federal and state privacy laws.  Teachers should check to see if the tools they wish to employ are on their district’s list, and if not, ask the district to vet them or look for vetted alternatives.  Likewise, parents can contact their school district to ask for a list of verified educational apps or learning platforms. 
•    COPPA.  While FERPA only applies to educational records, the Children’s Online Privacy Protections Act (COPPA) safeguards a broader scope of children’s information collected online.  It applies to operators of websites or online services directed to children under 13 years of age, and to operators of websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.  COPPA requires companies to have a clear privacy policy, provide direct notice to parents, and obtain parental consent before collecting information from children under 13.  Teachers and school officials may provide this consent on behalf of parents for use of an educational program, but only for use in the educational context, meaning the information can only be used for an educational – not a commercial – purpose.  The FTC has published a “Consumer’s Guide” to COPPA that provides useful background.
•    State Laws.  Each state has its own privacy laws and all 50 states and the District of Columbia have also enacted legislation requiring companies to notify individuals of security breaches.  Since apps and online learning tools can be accessed all over the country, they should be making an effort to comply with all relevant state laws.  In practice, this means compliance with the most stringent state law. 

We know not all parents are lawyers, so we’ve provided a few easy-to-follow privacy pointers to help you review whether an app may present a privacy risk to your child’s personal data.  If you choose to use an educational app or e-learning tool that has not been vetted by a school district or university (and even if it has!), we recommend reading the privacy policy to look for red flags.  Here are some questions to ask: 

• If the learning tool or app collects PII, does it commit not to further share student information other than as needed to provide the educational product or service?  The app should promise never to sell your data.
• Does the app create a profile of the student for any reason besides educational purposes?  It shouldn’t.
• Does the app, tool, or website show advertisements to students?  If so, are those ads targeted based on data about students or behavioral ads that are based on tracking a student across the Internet.
  • Look for this symbol  – a sideways triangle with an “i” inside – which is an industry label indicating that a site allows behaviorally targeted advertising.  Particularly for younger children, parents should be wary.  Educational tools should generally not include targeted or behavioral advertising.  
• Does the app, tool, or website explain that it provides sufficient security for the data it collects, such as encrypting student data when it is stored or transmitted? 
• Does the app say that all bets are off if the company is sold?  A privacy policy should tell users that any sale or merger will require the new company to adhere to the same privacy protections.
• Does the app claim that it can change its privacy policy without notice at any time?  It can’t.  The FTC’s rules require that companies provide notice to users when their privacy policies change in a major or “material” way.  If they do, they must get new consent for collection and use of the personal data.
• When you cancel the account or delete the app, will the vendor delete all the student data that has been provided or created?  The app should erase student data soon after an account is closed. 
• Google it!  With most of the country turning to online learning together, it’s likely a past user’s review or article could help you avoid stepping on a privacy landmine. 

For additional tips and helpful links, see the FERPA and Virtual Learning Related Resources released by the Department of Education’s Student Privacy Policy Office in light of the shift to online learning due to the COVID-19 pandemic.

Stay healthy and happy learning!

Subscribe To Viewpoints