On May 19, the Federal Trade Commission (“FTC”) adopted, on a unanimous basis, a policy statement reminding educational technology vendors (“ed tech vendors”) of their duty to comply with the substantive privacy protections of the Children’s Online Privacy Protection Act (“COPPA”) and the Commission-issued COPPA Rule.  The policy statement reiterates the requirements of the Rule and previous informal guidance from Commission staff, and makes clear that ed tech vendors may not submit children to commercial surveillance and data monetization practices when using technology in the classroom.

The FTC’s COPPA Rule, which became effective in 2000 and was most recently amended in 2013, is intended to place parents in control over the information collected from their children online.  A major component of the Rule is that commercial online operators must (1) provide parents with notice of data collection and (2) obtain parental consent before the collection of personal information of children under age 13.

Recognizing the unique benefits of ed tech, the new policy statement reminds ed tech vendors that their compliance with the Rule extends beyond the notice and consent requirement.  Specifically, the FTC intends to scrutinize the activities of ed tech vendors in the following areas:

  • Prohibition against mandatory collection of data: Ed tech vendors may not force students to disclose more personal information than necessary as a condition of student participation in an educational activity.
  • Data use prohibitions: If ed tech vendors are relying on school authorization for the collection of children’s personal information, they may only use that information to provide an educational service.  In this context, ed tech vendors are prohibited from using children’s personal information for any commercial purpose, including marketing and advertising.  While not in the text of the policy statement, Chair Khan also suggested ed tech vendors should not use children’s personal information as part of a score, algorithm, or commercial database.
  • Data retention prohibitions: Ed tech vendors may not retain children’s personal information for longer than necessary to fulfill the purpose for which the data was collected, nor may ed tech vendors retain children’s personal information for future speculative uses.
  • Data security requirements: Ed tech vendors must have reasonable procedures to maintain the confidentiality, security, and integrity of children’s personal information.

Commissioner Bedoya offered additional concrete guidance in regards to tracking data.  While he agreed that some tracking information is needed to provide services to children, he advised online operators to innovate by creating tracking mechanisms that protect privacy.  For example, he recommended the use of hashed identifiers that cannot be used to track children’s activities across platforms.

While the policy statement was adopted unanimously, Commissioners Phillips and Wilson both emphasized that the statement merely reflects the current Rule and Commission guidance, and urged the FTC to focus its efforts on completing the COPPA rulemaking process started in 2019.

Photo of Jenna Zhang Jenna Zhang

Jenna Zhang is an associate in the firm’s San Francisco office. She is a member of the Data Privacy and Cybersecurity practice group. Jenna advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, product development, and responses to…

Jenna Zhang is an associate in the firm’s San Francisco office. She is a member of the Data Privacy and Cybersecurity practice group. Jenna advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, product development, and responses to regulatory inquiries. She also maintains an active pro bono practice with a focus on immigration.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.