Virtual and remote learning are now household terms across the nation after the COVID-19 pandemic has caused most schools to shut their doors – their physical doors, that is. With the increased use of online services to provide remote learning to school-aged children, particular concerns arise regarding their privacy in connection with the use of those services.
The Children’s Online Privacy Protection Act of 1998 (COPPA) was enacted for the purpose of placing parents in control over what personal information is collected online from their children under the age of 13, as well as providing various other protections to this vulnerable group. Under COPPA, the Federal Trade Commission (FTC) is tasked with promulgating regulations to achieve these goals. “Personal information” can include anything as simple as a child’s name or online username to something as sensitive as their social security number.
So how does COPPA pertain to schools and educators? Many school districts engage third-party online platforms to provide virtual learning to their students, in which the school may consent to the collection of the student’s personal information on behalf of the parents. However, a school’s power to consent to such collection is limited compared to that granted to a parent. A school may only consent to the collection of personal information for the use and benefit of the school and for no other commercial purpose. Moreover, the online third-party service must allow the school to review and delete the personal information collected from their students for the school to consent to such collection.
Before engaging with an online platform, a school should ask these questions:
- What types of personal information will be collected from students?
- How will the personal information be used?
- Will the personal information be used for commercial purposes that are not for the school’s benefit?
- Is the school permitted to review and delete the collected information?
- What security and confidentiality measures does the provider take with respect to the personal information collected?
- What is the provider’s data retention policy?
Under COPPA, a third-party online service is required to provide a notice, upon request, that includes all or most of the information listed above. As a best practice, the FTC recommends that schools or school districts should be the ones engaging with these third-party services and consenting to the collection of personal information, rather than individual educators. The FTC suggests that schools should make available to parents the notice that is provided by the third-party service. Schools must also remain conscientious of other obligations, such as those under the Family Educational Rights and Privacy Act (FERPA) and applicable state law.
If you have any questions regarding COPPA and its impact on your school’s use of online services, please reach out to any member of the Barley Snyder Education Practice Group.