TrustArc Blog

EdTech Companies: Tips on Compliance with the Applicable Regulatory Framework (COPPA)

April 02, 2015

By Shreya Vora, Esq., CIPP/US

Educational technology is really taking off. Kids today use tablets and computers at school, learning apps and a bevy of other online tools. When building products for the education technology sector, all business owners need to consider privacy – everyone from budding entrepreneurs to established companies to large multi-national corporations. When your technology is aimed at kids there are laws as well as best practices to follow in order to mitigate risk and ensure consumer trust.

Understanding the legal landscape within which your technology is operating is essential to ensuring your company’s survival and success. Failure to comply can lead to hefty fines, the loss of business, reputational damage, and a media nightmare. Understanding the laws and best practices in your industry will empower you to design and update your technology with children’s privacy issues in mind. It goes without saying that given the speed of technological innovation, many of the applicable laws have necessitated (and continue to necessitate) reform to truly address the risks posed by education technology, as well as the data gathered about children through such technology (i.e. what can be done with metadata, data retention policies, use of information for advertising purposes — the list goes on). That said, for those working in this space, there are some key regulations to keep in mind (though this is by no means a comprehensive list).

The “Family Educational Rights and Privacy Act” (FERPA, 1974) and “Protection of Pupil Rights Amendment” (PPRA, 1974), for example, are federal laws applicable to any school receiving funding from the US Department of Education (DOE). FERPA and PPRA are complementary regulations: FERPA is aimed at protecting student records, while PPRA is focused on protection of information collected about students through school surveys, for example. The “Children’s Online Privacy Protection Act” (COPPA), probably the most well-known children’s data protection act, was enacted in 1998 (with updates proposed by the FTC in 2011) to limit companies from collecting information on children under the age of 13.

COPPA applies to operators of websites and online services that are directed to and/or are collecting personal information from kids 13 or younger. This means that even if a website is not directed at kids, but it knowingly collects personal information of minors, it is subject to compliance with the regulation. The FTC actively enforces COPPA, and though fines can vary, it has levied fines as high as $3 million for violations.

If COPPA does apply to you:

Know that…

  1. “Personal information” includes name, address, email, SSN, location, phone, or other identifying information.
  2. “Collection” can include passively tracking information (e.g. via a beacon or a cookie).

Do…

Review the FTC’s website.

  1. Create a privacy policy

Your policy must include basic information such as name, address, telephone number, and email address of all operators collecting or maintaining personal information through the site or service. The policy should describe clearly what information you will collect and also how you plan to use/disclose it. The notice must also notify parents of the process for access/modification/deletion of information collected.

  2. Provide direct notice to parents

Notices should be provided to a parent via a “just in time” direct message that explains your information practices. The notice must be specific as to “(1) the personal information… already obtained from the child; (2) the purpose of the notification; (3) actions that the parent must or may take; and (4) how the operator intends to use the personal information collected.” The notice must also link to your privacy policy (link to your policy is not enough).

  3. Obtain verifiable parental consent before collecting

Verifiable parental consent requires that “[a]n operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology.”

One interesting challenge with this is whether you can rely on consent from a school in lieu of parental consent. According to COPPA, a school (not an individual teacher) can act as an agent of a child’s parent and consent to collection/use of data. However, this agency is limited: the “school’s ability to consent on behalf of the parent is limited to the educational context – where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose.” This means that as the creator of the technology you need to have contracted with the school for its use of the technology, and the data cannot be used for a commercial purpose (i.e. the data is only for the use and benefit of the school).

Don’t…

  1. Expect your privacy policy to serve as a “notice” to a parent.
  2. Use data collected for any purpose except as set forth in your privacy policy.
  3. Keep data longer than needed.
  4. Assume no one is watching – the FTC does take action.

The ed-tech industry is expanding the benefits of technological innovation to the next generation. Ed-tech is a noble cause, but also is one that is subject to high standards given the highly sensitive information those in this industry can have access to. With the right information and by building your product in a manner that ensures compliance with the requirements of the relevant regulations, including COPPA, you can be on-track to building a successful product that is within the requirements of the law. There is a lot of information available about compliance, and taking the time to understand this legal framework is invaluable for the future of your ed-tech company.


[DISCLAIMER: This post in no manner constitutes legal advice and in no way creates an attorney-client relationship. This post and the thoughts contained herein are my own and do not represent the positions, strategies or opinions of my employer.]