Remote learning has become the new normal amid orders across the globe to stay home and shelter in place to combat the spread of COVID-19. While it is fortunate that technology allows students to continue the school year at home, remote learning presents an obstacle where children’s privacy is concerned.
In the United States, the Children’s Online Privacy Protection Act (COPPA) governs the collection of personal information from children under the age of 13. It generally requires the provider of a website or online service directed at children to obtain “verifiable parental consent” before collecting any personal information from children. In general, “verifiable parental consent” can be obtained in a number of ways—for example, through a signed consent form that is returned via mail or electronic scan, or the use of a credit card or other online payment system that provides notification of each separate transaction to the account holder—but whatever method is used must be reasonably designed to ensure that the person giving the consent is the child’s parent or legal guardian. In the past, the Federal Trade Commission (FTC) has explained how educational institutions can provide consent to a website or mobile application’s collection of personal information from students. It recently provided a helpful reminder for the education technology (EdTech) companies that are enabling remote learning in this brave new world, and for the schools and parents as well, of the requirements surrounding consent in this context.
In a blog post written by FTC attorney Lisa Weintraub Schifferle, the FTC reiterated that schools can provide consent on behalf of parents to the collection of their students’ personal information in the educational context, “but only if such information is used for a school-authorized educational purpose and for no other commercial purpose.” While this guidance is not a new interpretation of COPPA, it serves as a useful reminder for EdTech companies in this trying time, easing the burden they would otherwise have if they were to need to obtain verifiable parental consent for each individual student under 13. The FTC has previously clarified that as a best practice, schools or school districts should be providing consent, rather than individual teachers, as many schools and districts already have processes in place for assessing sites’ and services’ practices. The companies must still provide COPPA notices to the schools of the data collection and use practices of their educational tools, and such notices must be written in such a way that students, parents and educators can easily understand. The FTC notes that these COPPA notices should be made available to parents as well—for example, by the company on the company’s website, or by the school to parents—and if possible, the company should allow parents to review or access the personal information that is collected from the child.
While COPPA does not apply to schools themselves, it is now more important than ever for schools to be doing their due diligence on each EdTech tool they are using by carefully reviewing the tools’ privacy and security policies. Schools should ensure these companies are deleting the students’ personal information once it is no longer needed for its educational purpose. Parents can also help by talking to their children about how to stay safe online.