FTC to Ed Tech: Protecting kids’ privacy is your responsibility
Whether your business is engaged in the business of educational technology or you have children in schools where ED technology is used, you may want to read the FTC’s Educational Technology Policy Statement and the Online Privacy Protection Act. children. The key: children should not give up their privacy rights to do homework or attend distance learning classes. That is why companies cannot require parents and schools to accept the comprehensive supervision of children as a condition of the use of learning tools.
For 22 years, the COPPA rule has been at the heart of the FTC’s efforts to ensure that children’s privacy is protected in the digital world. But two converging developments suggest the need for clarity on how the FTC will continue to enforce the COPPA.
One of the novelties is the proliferation of technologies that monetize the collection of personal information. Businesses can get closer and closer to the target, which raises serious concerns about whether they are building child profiles. This was part of the driving force behind amending the COPPA in 2013 to broaden the definition of “personal information” to include persistent identifiers used to target ads to children and to hold third parties, such as advertising networks, responsible for collecting and collecting. child information law.
The other important change is the introduction of devices and applications of educational technology in the classroom, an accelerated development by the move to remote school motivated by COVID. Sure, educational technology may have the potential to improve learning, but at what cost? The FTC’s concern is that ed tech should not become a pretext for companies to collect personal information in the classroom and at home. Parents are understandably concerned about the information that technology companies are collecting, how they can use it, and how much it can be shared with third parties. In addition, many parents are concerned about the extent to which educational technology could turn their children into a captive audience for advertisers.
What about a warning and consent system? Permit sheets may work for zoo excursions, but they seem inappropriate in this context. By enacting the COPPA, Congress enabled the FTC to do more than just administer notice and consent procedures. As the Policy Statement makes clear, “The Commission’s COPPA authority requires significant substantive restrictions on the ability of operators to collect, use and store children’s data, and the requirements for keeping such data secure. The Commission intends to make fully meet these requirements, especially in school and learning settings where parents may feel that they have no alternative. “
Please read the Policy Statement for more details, but there is a key message that industry members need to hear. In investigating possible violations of COPPA by providers of ed technology and other covered online services, the FTC “intends to examine compliance with the full scope of the prohibitions and substantive requirements of the COPPA Rule and the Statutory Language.” . In particular, the FTC will focus on:
- Prohibition of compulsory collection. Companies covered by COPPA should not condition a child’s participation in the disclosure of more information than is reasonably necessary to participate. For example, if an educational technology company does not need to send emails to students, the company may not require children’s email addresses.
- Prohibitions on use. The companies covered by COPPA are strictly limited in how they can use the personal information collected from children. For example, ed tech operators who collect personal information in accordance with school authorization may only use it to provide the requested online education service. This is explained in the policy statement: “In this context, ed tech companies are prohibited from using this information for any commercial purpose, including marketing, advertising or other commercial purposes unrelated to the provision of the online service requested by the school.”
- Retention prohibitions. Companies covered by COPPA may not retain the personal information collected from children for longer than is reasonably necessary to fulfill the purpose for which it was collected. That would violate Section 310.12 of the COPPA Rule.
- Security requirements. COPPA-covered companies must have procedures in place to maintain the confidentiality, security, and integrity of children’s personal information. Even in the absence of a data breach, not having these procedures in place would be a breach Article 310.8.
In the event that a technology company is considering transmitting compliance to school administrators, parents, or others, for example, through contractual provisions or terms of service, the Policy Statement makes it clear that it is a no-brainer. The responsibility for implementing strong privacy protections lies directly with technology companies and is an obligation they cannot evade.
The policy statement concludes where technology companies need to start: “From now on, the Commission will closely monitor the providers of these services and will not hesitate to act when providers breach their legal obligations regarding the privacy of children.” .
The FTC Children’s privacy page provides compliance resources, including Complying with COPPA: Frequently Asked Questions.