FTC Issues EdTech & COPPA Policy Statement

May 19, 2022

Cross-posted from Public Interest Privacy Consulting LLC Blog

COPPA AND EDTECH NEWS FROM THE FTC!

Today, the Federal Trade Commission (FTC) voted unanimously to adopt “a policy statement that announces the agency’s prioritization of the enforcement of COPPA as it applies to the use of education technology.” The full statement is available here. Overall, the policy statement is carefully characterized as existing legal requirements of COPPA that the FTC will focus on as they begin to ramp up their COPPA enforcement.

(Need a refresher on COPPA in schools? I'm a fan of this one from EdWeek)

I spoke during the public comment section of the meeting (here at ~1:18), primarily to urge the Commission to retain the ability of schools to consent on behalf of parents to the use of education technology in schools—a move that would make it very difficult, if not impossible, for schools to use education technology with students under 13.

I appreciated Commissioner Wilson's observation that policy statements like this may give "the illusion of taking action, especially when those policy statements break no new ground," and she hoped that FTC staff will now "turn to the important task of completing the COPPA rule review." It is frustrating that the FTC's workshops in 2017 and 2019 that highlighted this topic have not led to substantive guidance or rulemaking by the agency.

I also found it interesting that the word "surveillance" was used so often; for example, FTC Chair Lina Khan said that the statement "underscores how the substantive protections of the COPPA rule ensure that children can do their school work without having to surrender to commercial surveillance practices."

Here are a few of my initial takeaways on the sections highlighted in the policy statement:

Prohibition Against Mandatory Collection: "COPPA-covered companies, including edtech providers, must not condition participation in any activity on a child disclosing more information than is reasonably necessary for the child to participate in that activity. These businesses cannot stop students from engaging in an ed tech activity if they do not provide information beyond what is reasonably needed to administer the students."

  • This is (mostly) great - as FTC Chair Lina Khan put it, "Simply put, an ed tech provider cannot require that parents or schools sign off on sweeping data collection of children as a condition of children accessing the ed tech service." It is great that schools now have more leverage to push back when companies are collecting more information than necessary.
  • However, this likely raises implementation questions. Schools are legally required to collect certain student data, not only so those students can participate in a specific activity, but also to identify inequities - like whether schools are serving all students equally - and to assist students. I hope that this policy statement does not create too much confusion about whether providers are allowed to collect other information when specifically directed to do so by the school.

Use Prohibitions: "ed tech companies are prohibited from using such information for any commercial purpose, including marketing, advertising, or other commercial purposes unrelated to the provision of the school-requested online service."

  • This has always been clearly required under COPPA, FERPA, and many of the 100+ student privacy laws passed across the country.
  • However, I do get frustrated every time the FTC uses the phrase "commercial use" or "commercial purposes," and wish they provided more examples of what that might constitute in this context. For example, Chair Khan said that "for ed tech companies operating based on authorization from a school district or a school, the children's data they collect cannot end up as part of any score, algorithm, profile, or database that is used for targeted advertising or any other commercial use." Obviously, no one wants kids to receive advertising or have their information used without respect for the context in which it was collected. But what is considered "commercial use" when children's data is used in an algorithm? Just the fact that student data was used to improve a business's algorithm? What if that algorithm is just used for that educational product or a product developed in the future?

Retention Prohibitions: "COPPA-covered companies, including ed tech providers, must not retain personal information collected from a child longer than reasonably necessary to fulfill the purpose for which it was collected. It is unreasonable, for example, for an ed tech provider to retain children’s data for speculative future potential uses."

  • It is important that COPPA's retention prohibitions be better (and clearer) in the edtech space. Right now, the default is often that ed tech providers just keep the data until and unless the school asks them to delete it, or within a certain amount of time after their contract with the school ends. As you might imagine, schools don't have a lot of staff or resources to examine the massive amount of data held by themselves, let alone their providers, which means it is likely that there is too much unnecessary data that is retained for no useful reason. And even the schools that want to delete likely unnecessary information sometimes can't because state record retention laws are often ridiculously outdated.
  • But what are "speculative future potential uses"? This matters in education - there is a lot of data that must be legally retained by schools (and, therefore, by a school's providers). Does this also limit an ed tech provider's ability to retain information when the school asks that it be kept for what the provider considers a "speculative future potential use"?

Security Requirements: "even absent a breach, COPPA-covered ed tech providers violate COPPA if they lack reasonable security"

  • This is my favorite line of the policy statement. Yes, this was already clearly covered under COPPA, but too many companies assume that it takes a security incident, like a breach, to trigger a COPPA violation or investigation. I hope to see many security improvements coming from edtech companies over the next few months.

What's Next?

Pay attention! Obviously, this is a major priority for the FTC. If you have the time, it is worth listening to all of the statements from commissioners (in this video from 20:17 - 45:08) to understand how strongly they feel about this issue.

Think I missed something important? Please reach out and let me know!