The FTC recently updated its FAQs on the Children’s Online Privacy Protection Act (“COPPA”). COPPA governs the collection, use, and disclosure of information on children under the age of 13 by operators of commercial websites and online services, including education technology vendors. Though many of the updates clarify and expand upon the operators’ responsibilities for compliance with the law, the guidance provides significant clarification for schools on the rights and responsibilities for COPPA compliance. This new guidance is particularly vital as schools and districts construct remote learning plans dependent on the use of technology. The following are key updates to the guidance.
COPPA Compliance is the Operator’s Responsibility
First, the guidance makes clear that compliance with COPPA is the responsibility of the operator. Notably, the guidance states, “Operators should not state in the Terms of Service or anywhere else that the school is responsible for complying with COPPA, as it is the responsibility of the operator to comply with the Rule.” As schools contract with technology providers, agreement language should not place responsibility for compliance on the school but rather should reflect the operator’s responsibilities under COPPA.
Same Notice to Schools as Parents
Under COPPA, operators must provide robust notice to parents regarding collection, use, or disclosure of personal information from children. COPPA allows districts to consent in place of a parent, as long as the operator limits use of the child’s information to the educational purpose authorized by the school. The new FAQ makes clear that, in order for the operator to rely on consent obtained from the school, the operator must provide the school with the same type of direct notice regarding its practices as to the collection, use, or disclosure of personal information from children as it would otherwise provide to the parent. In addition, the operator, upon request from the school, must provide the school a description of the types of personal information collected; an opportunity to review the child’s personal information and the right to have the information deleted; and the opportunity to prevent further use or online collection of a child’s personal information. Schools should use both the notice and the description of the types of information collected from the operator as evidence that the operator’s use of the data is limited to the educational context.
COPPA Coverage Expanded
As technology continues to evolve, the application of COPPA continues to expand. The guidance now explicitly applies to mobile apps and ‘IoT’ devices. Schools should confirm operators’ COPPA compliance when using any of these technology platforms and devices.