The FTC has just published updates to the COPPA FAQs, the Commission’s compliance guide for businesses and consumers, to address the applicability of COPPA and the Amended COPPA Rule to educational institutions and businesses that provide online services, including mobile apps, to educational institutions.

The “COPPA and Schools” FAQs cover in detail the key topic of consent in the school setting and provide compliance guidance for covered entities. Specifically, these new FAQs make it clear that:

  • An educational institution may consent, as a parent’s agent, to a website or mobile app’s collection, use or disclosure of personal information from the institution’s students, but only in the educational context which is limited to collection of personal information from students for the use and benefit of the school and for no other commercial purpose.  The operator’s method for obtaining consent from an educational institution must be reasonably calculated, in light of the available technology, to ensure that the educational institution is in fact providing the consent and not a student. Further, when a school provides consent to an operator, as a best practice, the school should consider notifying parents of the website and online service whose collection it has consented to and make the operator’s direct notices regarding their information practices available to interested parents. The FTC suggests maintaining this information on a school website accessible by parents or providing parents a link to the information at the beginning of the school year.
  •  An operator of a website or online service that has contracted with an educational institution to collect personal information from students of such educational institution for the use and benefit of the school and for no other commercial purpose is not required to obtain consent directly from parents and may rely upon the educational institution to provide consent for the collection of personal information from the students. The operator must provide the school full notice of the operator’s collection, use, and disclosure practices so that the educational institution can make an informed decision as to whether or not to provide consent. The FTC made it very clear that if an operator intends to use or disclose the students’ personal information for its own commercial purposes in addition to the provision of services to the educational institutions, it will need to obtain parental consent.
  • As a best practice, the evaluation of the suitability of an operator’s online service in the school setting as well as of the operator’s personal information collection, use, and disclosure practices and the ultimate decision of whether or not to grant consent should be made at the school or school district level, and not by individual teachers.
  • Where students’ activities and the associated collection or disclosure of their personal information extend beyond school-related activities (e.g., a teacher wants her/his students to share information for class projects using a publicly available online social network that permits children to participate with prior parental consent ), as a best practice, the school should effectively notify parents of its intent to allow children to participate in such online activities before providing consent on the parents’ behalf.

The FTC recommends that schools and school districts consider and pose the following questions to operators in the process of making these important determinations:

  1. What type of personal information will the operator collect from students?
  2. How will this personal information be used by the operator? Will the operator use or share the personal information collected from students for commercial purposes such as online behavioral advertising or building user profiles not related to the provision of the online service?  The FTC makes it very clear that if the answer to this second question is “YES,” the school cannot provide consent on the parents’ behalf.
  3. Does the operator enable parents to review and have deleted the personal information collected from their children? The FTC makes it very clear that if the answer to this question is “NO,” the school cannot provide consent on the parents’ behalf.
  4. What measures does the operator have in place to protect the security, confidentiality, and integrity of the personal information that it collects?
  5. What are the operator’s data retention and deletion policies for personal information?

The FTC noted in these FAQs that even after obtaining consent from an educational institution as described above, an operator remains responsible for compliance with the other COPPA requirements, such as the notice requirements and the requirement to provide parents an opportunity to review the personal information provided by their children, to have information deleted, and to prevent further use or collection of personal information from their children. The Commission further noted that in addition to COPPA, schools must consider their compliance obligations under the Family Educational Rights and Privacy Act (FERPA), a Federal law that protects the privacy of student education records and applies to all schools that receive funds under an applicable program of the U.S. Department of Education and with the Protection of Pupil Rights Amendment.