On May 19, the Federal Trade Commission (“FTC”) adopted, on a unanimous basis, a policy statement reminding educational technology vendors (“ed tech vendors”) of their duty to comply with the substantive privacy protections of the Children’s Online Privacy Protection Act (“COPPA”) and the Commission-issued COPPA Rule.  The policy statement reiterates the requirements of the Rule and previous informal guidance from Commission staff, and makes clear that ed tech vendors may not submit children to commercial surveillance and data monetization practices when using technology in the classroom.

The FTC’s COPPA Rule, which became effective in 2000 and was most recently amended in 2013, is intended to place parents in control over the information collected from their children online.  A major component of the Rule is that commercial online operators must (1) provide parents with notice of data collection and (2) obtain parental consent before the collection of personal information of children under age 13.

Recognizing the unique benefits of ed tech, the new policy statement reminds ed tech vendors that their compliance with the Rule extends beyond the notice and consent requirement.  Specifically, the FTC intends to scrutinize the activities of ed tech vendors in the following areas:

  • Prohibition against mandatory collection of data: Ed tech vendors may not force students to disclose more personal information than necessary as a condition of student participation in an educational activity.
  • Data use prohibitions: If ed tech vendors are relying on school authorization for the collection of children’s personal information, they may only use that information to provide an educational service.  In this context, ed tech vendors are prohibited from using children’s personal information for any commercial purpose, including marketing and advertising.  While not in the text of the policy statement, Chair Khan also suggested ed tech vendors should not use children’s personal information as part of a score, algorithm, or commercial database.
  • Data retention prohibitions: Ed tech vendors may not retain children’s personal information for longer than necessary to fulfill the purpose for which the data was collected, nor may ed tech vendors retain children’s personal information for future speculative uses.
  • Data security requirements: Ed tech vendors must have reasonable procedures to maintain the confidentiality, security, and integrity of children’s personal information.

Commissioner Bedoya offered additional concrete guidance in regards to tracking data.  While he agreed that some tracking information is needed to provide services to children, he advised online operators to innovate by creating tracking mechanisms that protect privacy.  For example, he recommended the use of hashed identifiers that cannot be used to track children’s activities across platforms.

While the policy statement was adopted unanimously, Commissioners Phillips and Wilson both emphasized that the statement merely reflects the current Rule and Commission guidance, and urged the FTC to focus its efforts on completing the COPPA rulemaking process started in 2019.

Photo of Jenna Zhang Jenna Zhang

Jenna Zhang is an associate in the firm’s San Francisco office. She is a member of the Litigation and Investigations Practice Group. She also maintains an active pro bono practice with a focus on immigration.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.