FTC Warns EdTech Vendors About COPPA Compliance

The FTC issued a significant new policy statement on May 19, 2022, warning companies that supply educational technology (EdTech) to schools not to use data harvested by their applications for purposes unrelated to education. Although this policy statement was adopted just days after new Democratic Commissioner Alvaro Bedoya was sworn in, it was not a partisan or contested issue: all five commissioners voted in favor. It should therefore be viewed as reflecting commission policy that will likely persist across any changes in the administration that may occur in the future.

On some level, there is nothing new in the policy statement: all it does is restate existing obligations of online entities collecting information from minors under the Children's Online Privacy Protection Act (COPPA)[1] and the FCC's implementing rules.[2] What's new is the emphasis on the substantive obligations of entities collecting data from and about schoolchildren, as opposed to COPPA's well-known (and extensive) notice and consent procedures.

Adult consumers are generally presumed to know that they are revealing information about themselves and their browsing activity to the websites they visit and the apps they use (and to third-party advertising networks working with those websites and apps), as long as those information-gathering practices are reasonably disclosed in the websites' privacy policies. For the most part, "opt-out" consent is the default state of the consumer internet: information will be collected, used, or disclosed unless the consumer takes affirmative steps to say they don't want that to happen.[3] Challenges to this default state create concern, controversy, and pushback; recent examples would be the implementation of the GDPR (which required users' affirmative consent to tracking via cookies); California's CCPA (which made it easier for consumers to opt out by requiring a "Do Not Sell My Data" button on websites' landing pages); and Apple's "App Tracking Transparency Framework" (which requires that an app obtain affirmative consent from users before tracking users' activity across third-party apps and websites).

COPPA, however, has long required that children be treated differently from adults. Children are presumed to be unable to consent to the collection of data about them, and parents are presumed not to give default consent to the collection of information about their children. As a result, an online provider must "obtain verifiable parental consent before any collection, use, or disclosure of personal information from children." 16 C.F.R. §312.5. Because of this reversal of the normal online default state, a traditional focus of industry's COPPA compliance efforts has been to ensure that any online entity knowingly collecting data from children go through the prescribed (and somewhat burdensome) steps needed to "obtain verifiable parental consent."

The new policy statement takes these child-specific "notice and consent" requirements as a given, but then goes beyond those essentially procedural obligations to emphasize COPPA's substantive limitations on the collection, use, disclosure, and retention of personal information about children. The underlying concern is that children should not be targeted with advertising as they pursue their education, especially with the pandemic and the switch from in-person to remote learning. With the significant increase in school-issued devices and applications, the FTC fears that EdTech providers might slip back to the normal online default by collecting more information from children than they are entitled to; by using it in unauthorized ways; by keeping it for too long; and by not securing it properly. Each of these points is already specifically addressed by COPPA and the implementing rules. Even so, with the new policy statement, the FTC evidently wanted to make quite clear to EdTech providers that the agency intends to aggressively enforce those rules.

The policy statement makes the following specific points:

• Constraints on Collection: The COPPA rules forbid EdTech providers from conditioning participation in any activity – such as using an online learning app – on a child disclosing more information than is reasonably necessary to participate. What is "reasonably necessary" will, of course, depend on the context. For example, an app provider may need to know a child's grade level, or even how well the child performed previously, to know how challenging a learning activity to present on a given day. But why would an EdTech provider need a child's email address? As the FTC said, "if an ed tech provider does not reasonably need to be able to email students, it cannot condition the student's access to schoolwork on students providing their email addresses. Students must not be required to submit to unnecessary data collection in order to do their schoolwork."
• Limitations on Use: The presumption on the internet at large is that with proper notice an online entity can do more or less whatever it wants with information it gathers from users – such as developing user-specific profiles for future marketing or use by third-party advertising networks; or adding the user's data to a collection of such information to be subject to machine-learning analysis to increase future engagement; or for product development or market research. None of that is permitted with data gathered by EdTech providers pursuant to authorization from a school. Putting the matter bluntly, the FTC states that "ed tech companies are prohibited from using such information for any commercial purpose, including marketing [and] advertising … unrelated to the provision of the school-requested online service." Any EdTech provider that has viewed data gleaned from students engaged in online learning as a form of commercial asset, akin to online data about adults, needs to rethink its approach or potentially end up in the agency's enforcement crosshairs.
• Restrictions on Retention: Many online entities gather whatever information they can about users and then store it, often indefinitely, simply because it might be valuable in some (as-yet unknown) future context. This is not permitted under COPPA. Instead, an EdTech provider "must not retain personal information collected from a child longer than reasonably necessary to fulfill the purpose for which it was collected." 16 C.F.R. §312.10. The basic purpose of collecting information from children using an EdTech app for school is to permit them to achieve educational goals. Once the student has completed a lesson (or a school year), why would an EdTech provider need to retain that student's information? "Because we might be able to use it someday" is not a good enough answer. As the FTC says, "It is unreasonable … for an ed tech provider to retain children's data for speculative future potential uses."
• Substantive Security Obligations: While it may seem obvious, entities that collect personal information from children must protect it. In the language of the FTC's COPPA rule, EdTech providers "must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children." 16 C.F.R. §312.8. What counts as sufficiently "reasonable" will vary with the nature of the entity involved, as well as the nature and sensitivity of the information being collected and retained. At a minimum, an EdTech entity that collects information from children should address the familiar triad of appropriate administrative, physical, and technical controls on access to the information. For example: train your employees on the need to protect the data and how to do so (administrative); keep the data on servers safe from being stolen or destroyed (physical); and encrypt the data and impose appropriate log-in credentials (including, if appropriate, two-factor authentication) before anyone can get at the data (technical). A key takeaway from the policy statement on this point is that it isn't enough for an entity to merely avoid a data breach: "even absent a breach … EdTech providers violate COPPA if they lack reasonable security." Here, the agency is signaling its view that it could bring an enforcement action against an EdTech provider without adequate security procedures even if the provider had never lost or mishandled any data.

* * * * *

As noted above, none of what the FTC is saying in its new policy statement is actually new: every requirement it articulates is already in the statute or its rules. But after two-plus years of pandemic-related changes in the learning environment – including, notably, a substantial and likely ongoing increase in schools' reliance on online learning tools – the agency clearly wants to put the EdTech industry on notice that under no circumstances should data collected from children be handled using the "business as usual" rules applicable to information from adults.