On May 19, 2022, the FTC issued a stern warning to ed-tech providers regarding compliance with COPPA, suggesting enhanced enforcement in this area. Citing “the steady proliferation of technologies that allow, and business models that depend on, the online collection and monetization of consumers’ personal information” and “the development of ever more sophisticated targeting practices,” the Federal Trade Commission (FTC) voted unanimously to issue a policy statement regarding collection of children’s information by ed tech providers. The Policy Statement of the Federal Trade Commission on Education Technology and the Children's Online Privacy Protection Act states that the FTC “intends to scrutinize compliance with the full breadth of the substantive provisions of the COPPA Rule and statutory language.” The FTC’s statement highlights COPPA’s limitations on collection, use and retention of children’s personal information and security requirements, all of which apply to COPPA-covered ed tech companies:
Prohibition Against Mandatory Collection: Participation in any activity must not be conditioned on a child disclosing more information than is reasonably necessary for the child to participate in that activity. An ed tech company that does not reasonably need to email students cannot condition a student’s access to their schoolwork on the student providing an email address.
Use Prohibitions: Personal information collected from children must not be used for a purpose other than that for which it was collected. An ed tech company collecting a child’s personal information pursuant to a school authorization is prohibited from using that information for any commercial purpose unrelated to the school-requested on-line education service.
Retention Prohibitions: Personal information collected from a child must not be retained longer than reasonably necessary to fulfill the purpose for which it was collected. An ed-tech company must not retain a child’s personal information for future speculative uses.
Security Requirements: Reasonable security measures to ensure the confidentiality, security, and integrity of children’s personal information are required.
“Students must be able to do their schoolwork without surveillance by companies looking to harvest their data to pad their bottom line,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection in the FTC’s press release.
The policy statement concludes by stating that from this point forward, the FTC “will closely scrutinize the providers of [ed-tech] services and will not hesitate to act where providers fail to meet their legal obligations with respect to children’s privacy.”
Sheila Sokolowski is a partner at Hintze Law with over 20 years of privacy experience, including a deep focus on health and ed-tech privacy.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.