The Federal Trade Commission (FTC) issued a policy statement on May 19, 2022, making clear that it intends to increase its enforcement of the Children’s Online Privacy Protection Act (COPPA) against education technology (EdTech) providers who fail to adequately protect the privacy rights of students (which, in the COPPA context, means students under 13 years old).
The policy statement highlights four key ways in which the FTC plans to scrutinize and enforce student privacy protections against COPPA-covered entities, including EdTech providers:
- Mandatory collection prohibition: Businesses cannot condition access to an activity on the collection of more data than is reasonably necessary for a child to participate in the activity.
- Limits on use of data: Businesses can only use the data they collect from students in the context of educational services. The data cannot go towards targeted advertising or other commercial uses.
- Retention prohibitions: Businesses can only retain data they collect from students for as long as reasonably necessary to fulfill the purpose for which it was collected. Speculative potential future uses are insufficient to justify indefinite data retention.
- Security requirements: To the extent business collect and retain student data, they must protect its confidentiality, security, and integrity. Even if a business does not suffer a breach, it can violate COPPA by failing to adequately keep student data confidential and secure.
FTC Chair Lina Khan emphasized during an Open Commission Meeting that the Covid-19 pandemic has led to an explosion in the use of remote learning technologies. The policy statement makes clear that the increasing prevalence of EdTech devices and apps, both in physical classrooms and in virtual ones, cannot be used to require parents and schools to agree to invasive surveillance of children or to the monetization of their data.
The policy statement received support from all five FTC Commissioners, including recently confirmed Commissioner Alvaro Bedoya. This rare consensus suggests that serious enforcement efforts are likely forthcoming. There is hope that by forecasting a pending crackdown on EdTech companies that allegedly violate COPPA, the FTC is also signaling that it will soon complete the COPPA rule review it began in 2019. But, as of today, there is no formal timetable for such guidance or rulemaking.
Whether just entering the fray, already embedded in hundreds of schools and districts, or somewhere in between, EdTech companies should ensure they are familiar with COPPA (particularly the revised FAQs published in July 2020), the Family Educational Rights and Privacy Act (FERPA), and the patchwork of state student privacy laws. Failing to do so poses regulatory, contractual, and reputational risks that are poised to grow as pressure from the FTC, schools and districts, and parents mounts.