The use of education technologies (EdTech) has exploded in recent years. In fact, between online learning sites, one to one device deployments in school districts and personalized curriculum services, virtually every student today has some online or digital component to their learning. This is true as early as kindergarten, or even preschool, depending on the district. Considering the plethora of EdTech touchpoints and the number of years each student spends in the school system, students amass a significant data footprint.
Much EdTech is subject to the Children’s Online Privacy Protection Act (COPPA), which requires service providers to establish verifiable parental consent before collecting personal information from children under the age of 13. COPPA was created in 2000 and revised as recently as 2013. Typically, the FTC only performs rule reviews every ten years or so, but due to rapid changes in the technology landscape, the FTC announced a rule review of COPPA in July 2019 and collected comments through December 2019.
Previous FTC Guidance on the Issue of Parental Consent in Schools
While COPPA makes it clear that verifiable parental consent is required to collect personal information, the FTC also offered guidance, not yet codified in the text of COPPA, that school systems may be able to provide that consent by acting as the agent of the parent. The FTC’s Frequently Asked Questions on COPPA notes:
“schools may act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf. However, the school’s ability to consent for the parent is limited to the educational context – where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose.”
Under this “school as agent” construct, the FTC notes that the EdTech provider must provide the school with the statutorily mandated disclosures: a description of the information collected and how the information is used, an opportunity to review the information, the ability to opt out of information collection and the right to be forgotten. However, having satisfied this disclosure obligation, the EdTech provider can “presume that the school has obtained the parent’s consent.” While the FTC notes that, as a best practice, “schools should consider making such notices available to parents, and consider the feasibility of allowing parents to review the personal information collected,” the FTC stops short of requiring the schools to actually notify the parents of the technologies employed or to pass on to parents the actual information provided by the EdTech providers.
This guidance is not codified, so some school districts still seek parental consent, some provide it on behalf of the parents and some permit parents to opt out of EdTech offerings. Some educators have called for additional direction from the FTC as to when schools can provide consent, what obligations service providers have and what rights parents have with respect to information collected from students.
In fact, in Question 23 of the overall COPPA rule review, the FTC suggests a possible exception to COPPA’s parental consent requirement, and seeks comments on several sub-questions that highlight considerations relating to the possible parental consent exception. The exception that is being considered is akin to the “school official exception” existing under the Family Educational Rights and Privacy ACT (FERPA), which permits schools to share students’ school records with “school officials,” including contractors or service providers, as long as the official, contractor or service provider is acting under the direct control of the school and pursuant to a contract that stipulates what information can be shared and limiting the use of that information to a “legitimate educational interest.” Each school must inform constituents on an annual basis of its “legitimate educational interests,” but this is generally understood to mean information can be shared if the recipient “needs to review an educational record in order to fulfill his or her professional responsibility.” Even if the FTC decides to move forward with a COPPA exception that would permit schools to provide student information without parental consent in the EdTech context, additional guidelines and procedures will be needed to ensure the appropriate implementation of any such exception. This article summarizes comments submitted in response to Question 23 and its sub-questions.
The school official exception works well in the FERPA context, but FERPA relates to programs utilized by the school district that support the “required institutional services and functions of the school.” Thus the sharing of educational records in the FERPA context occurs in connection with subcontracting institutional and operational functions. The personal information at issue with EdTech may be more personal in nature, tracking a particular student’s specific performance at specific tasks.
Many school districts and content developers support the exception, noting that the burden of obtaining parental consent is stifling the efficient and widespread creation and deployment of compelling educational content. Especially for the smaller content developer, there could be significant costs and administrative burdens in complying with COPPA’s requirements. Further, as between the content provider and the school, the school may be in a better position to deal with parents on the issues of consent or deletion rights.
From a purely administrative point of view, the schools have a compelling argument for being able to provide consent for the community. If individual families are required to provide the consent, not only would the schools have to track which family has approved which EdTech technology, the schools would also have to come up with alternative curriculum options for those students that do not want to use the available EdTech. It is rare for 100% of a population to provide consent, whether because they oppose the technology or because they simply do not respond to the school’s consent request. Proponents of the exception also argue that schools, as the consumers of the EdTech offerings, are in the best position to perform the due diligence on and judge the efficacy of the privacy practices of the EdTech providers. Certainly schools are more likely to be able to negotiate better data protection terms from the EdTech providers than a single parent acting alone would be able to obtain. Opponents of the exception on the other hand argue that school officials may not be highly skilled or knowledgeable when it comes to assessing EdTech privacy practices, and even where school systems have trained privacy experts on staff to evaluate the offerings, permitting schools to provide the consent may not be consistent with the original stated purpose of COPPA to provide parents control over their child’s personal information.
Who at the School Should Provide Consent?
One possibility for the school system to obtain consent would be at the time the school system is negotiating its contract with the EdTech provider. However, many EdTech solutions are utilized at the discretion of individual teachers in individual classrooms and not on a district-wide basis. The school district may have a representative that is fully aware of the protections and requirements of COPPA, but it is unlikely that each individual teacher has sufficient familiarity to appropriately evaluate the EdTech. In fact, until there is an issue with a teacher-selected application, the appropriate school official may not even know the application is being used. So, if an exception is instituted, the FTC must be explicit about whom within the school district is authorized to make this decision on behalf of the students and families.
Determining educational purpose vs commercial purpose
The exception to COPPA’s parental consent requirement would likely only be available when there is an educational purpose, and not available when there is a commercial purpose.
Most commentators agree that marketing directly to users would run afoul of the educational purpose requirement. However, absent a clearly commercial purpose such as advertising or marketing, the line between educational and commercial may not always be clear. Some commentators to the FTC rule review suggest that school officials may be too heavily invested in the benefits to be obtained from the technology to objectively evaluate the risks. Other commentators note that the negotiations between the schools and the EdTech providers are private and therefore it is not clear to what extent families’ rights are being considered.
For example, one area of focus in the FTC rule review is whether the EdTech providers should be permitted to use the collected information and data to improve their services, or whether the EdTech providers should be required to de-identify the information before using it for internal purposes or even for service enhancements. Several commentators note that the EdTech providers do obtain commercial benefit from the use of usage data, even when such data is de-identified. Proponents of the exception however note that it is critical to continued improvement of EdTech services to permit the providers to incorporate the usage data in service improvements.
Providing Notice of the EdTech Provider’s Information Practices
Even under the current guidance, there is a requirement that the EdTech provider have defined policies as to the collection, use and treatment of the personal information. The COPPA FAQs suggest that simply providing those notices to the school suffices to meet the parental notification requirement as well. However, there is not an explicit requirement on the schools to provide such notices to parents. Several commentators urge the FTC to require schools to publish the notices if a school moves forward with any exception to the parental consent requirement.
Parental Deletion Rights
The right to request deletion and to opt out of the use of one’s personal information are principles codified in many data protection regimes, and the FTC specifically asks for comments on whether or not the parent should have the right to request deletion in the context of a school official exception. Commentators that support the exception also support denying the right to request deletion because it would be difficult for the school districts to track such requests. In addition, schools argue that the data may be useful to the schools and allowing parents to delete it could adversely affect the overall offering. Critics of the exception on the other hand point out that most privacy law constructs permit individual users ultimate control over their own data.
The last FTC review of COPPA commenced in 2010 and did not result in a rule change until 2013, so whatever change is made is not likely to happen in the near future. Currently, the FTC is still reviewing the more than 81,000 comments that were posted in connection with the 2019 request for comments. In the meantime, school districts will continue to utilize EdTech, and EdTech providers will continue to face uncertainty in the market.