Jacqueline Brown
Associate Editor
Loyola University Chicago School of Law, JD 2022
As thousands of schools across the country comply with state and local social distancing orders due to the global pandemic COVID-19 for this 2020-21 school year, many schools are now faced with having to educate students from their homes in either hybrid or fully remote models. Millions of students are now utilizing online educational services to aid in remote learning. Although these education technology companies (“EdTech”) are now providing crucial remote learning opportunities for students, school districts must also keep students’ privacy rights in mind. Many of these EdTech services will collect and use personal information of students who use their services. This is where the Federal Trade Commission’s Children’s Online Privacy Protection Act (“COPPA”) pertains.
What is COPPA and how is it relevant to remote learning?
COPPA imposes obligations to operators of commercial websites and online services directed to children under 13 years of age, including many EdTech services, on what they must do to protect children’s privacy and safety online. COPPA requires companies to have certain information in their privacy policy and to get parental consent before collecting some types of information from kids under the age of 13. It also requires these companies to maintain reasonable data security practices. Although COPPA does not apply directly to schools, these services have increasingly moved into the classroom and are heavily relied upon in the age of remote learning. Therefore, schools should not ignore these regulations.
On April 9, 2020, the Federal Trade Commission issued guidance under COPPA for these times of heavy reliance on EdTech service. However, now in the educational context and under certain conditions, schools can consent on behalf of parents to the collection of student personal information. In order for an EdTech service to rely upon an educational institution to provide consent, the information must be used for a school-authorized educational purpose and for no other commercial purpose. The EdTech service must also provide the school with full COPPA-required notice of its collection, use, and disclosure practices, so that the school may make an informed decision to use their service.
Companies that violate any obligation provided by COPPA may be subject to both enforcement actions by the FTC and state attorneys general and litigation, with penalties imposed up to $43,280 per violation. It is unclear what the penalties to schools who violate COPPA will be, however, considering the increased use in EdTech services in remote learning, and with the responsibility on the schools to obtain parental consent, it is likely penalties for districts will be high. Regulators at the state and federal levels are increasingly focused on COPPA compliance, and this trend will likely only increase as more child-directed content is developed online.
Why is the Family Educational Rights and Privacy Act (FERPA) relevant?
In addition to COPPA, EdTech services and school districts should review the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA). FERPA gives parents of students under the age of 18 years old: (1) the right to access education records and seek amendment of such records; (2) the general right to consent to the disclosure of any personally identifiable information (PII) from student education records; and (3) the right to file a complaint under FERPA.
The Department of Education issued comprehensive guidance on FERPA and distance learning during COVID-19 that explains that if certain circumstances are met, schools may rely on FERPA’s “school official” exception to disclose students’ education records, or personal information in those records, to EdTech providers. Additionally, student data may be protected under state law. Because certain options for online learning may not comply with these relevant state and federal laws, the Federal Trade Commission recommends that schools or districts consult with their attorneys and information security specialists to review the privacy and security policies of the EdTech services they use and not delegate those decisions to classroom teachers.
To ensure compliance with regulations like COPPA and FERPA during remote learning, school districts must keep students’ privacy rights in mind when using EdTech services. With penalties so high, it is crucial school districts follow guidance from the federal trade commission closely and ensure they have policies to ensure compliance with these regulations to have a successful school year.