On May 19, 2022, the Federal Trade Commission (FTC) unanimously approved a policy statement on education technology (EdTech) and the Children’s Online Privacy Protection Act (COPPA). Characterized as part of a larger effort to “crack down on companies that illegally surveil children learning online,” the policy statement itself merely highlights pre-existing obligations under COPPA for companies that knowingly process children’s data to minimize the data collected and to employ appropriate security to protect that data.
COPPA Check-in. COPPA was enacted by Congress in 1998, with the FTC’s COPPA Rule promulgated in 2000. The law places a variety of obligations on operators of online services directed to children under 13 or who knowingly collect personal information from children under 13. The FTC is the principal enforcement agency, with states and certain other federal regulators also playing a role.
Commissioner Commentary. After hearing comments from the public, the Commission turned to voting on the policy statement. All of the commissioners expressed concern with EdTech companies accessing student data, particularly as software has become increasingly necessary during the COVID-19 pandemic. Chair Lina Khan noted in her remarks that she does not believe the well-known parental consent is effective at limiting data collection, which is consistent with her general skepticism of the utility of user consents in the privacy context. The two Republican commissioners, Christine Wilson and Noah Phillips, explained that, although they supported the policy statement, they were frustrated that the agency had issued this statement while it had an open rulemaking to update the COPPA Rule. Commissioner Wilson also indicated that she supported the policy statement reluctantly but ultimately supported the policy statement because it set no new requirements and was consistent with prior staff guidance.
What’s in the Policy Statement? The policy statement itself does not break any new ground or explain how the agency may enforce or prioritize aspects of COPPA. But the release highlighted four substantive COPPA provisions (beyond parental consent) and how they might apply to EdTech:
- Minimization. Companies cannot require collection of information that is not “reasonably needed” to allow participation in the relevant activity. The FTC gives the example that if a company does not need a student’s email address to operate the program, then the company would violate the rule by collecting email addresses.
- Use Prohibitions. In an extension of the minimization requirement, the statement explains that companies can use children’s data only for the educational purposes that justified its collection and not for other purposes, including marketing.
- Retention. Again, in an extension of minimization, the statement explained that companies can only retain data for a period that is reasonably necessary. The statement elaborated slightly, explaining that it would be “unreasonable” to retain children’s data “for speculative future potential uses.”
- Security. Companies must use procedures to maintain “confidentiality, security, and integrity” in children’s information.
What Does This Mean? EdTech companies—including any company or entity that handles children’s data—should take notice. Not necessarily of the policy statement’s content, which does not break any new ground. But this policy statement is a clear sign that the FTC intends to focus enforcement resources on COPPA and privacy protections for children. So companies in this industry should carefully review their data practices because the consequences can be severe, including civil penalties of $46,517 per violation and injunctive relief that includes deletion of any improperly obtained data and related work product, and even the algorithm utilized to obtain such data.