As teachers, parents, and students across the country continue to adjust to remote learning, in many cases trading schoolhouses and classrooms for online portals and videoconference software, educational institutions and vendors alike must be careful to remember the A, B, Cs of student privacy. Recent guidance from the Federal Trade Commission (FTC) and from the Department of Education (the Department) provides some helpful lessons and important questions to ask when evaluating whether common distance learning practices make the grade.
COPPA: Schools May Consent to Collection but Only for Educational Purposes
The FTC issued a general reminder on April 9, 2020 that preexisting education privacy rules apply even when class is virtually in session. In a blog post on “Remote learning and children’s privacy,” the FTC reiterated that the Children’s Online Privacy Protection Act (COPPA) requires websites and online services directed at children to obtain consent from parents before collecting personal information from children under 13 years old.
As the FTC explains, COPPA imposes requirements on operators of online services, who must obtain consent from parents in order to collect and use children’s personal information, and does not apply directly to schools. However, schools may become involved when they provide consent, in lieu of parents, to the collection of student personal information by education technology (EdTech) companies. The FTC’s post was accompanied by COPPA guidance addressed both to schools and EdTech companies.
We provided an overview of COPPA’s requirements—alongside the newer requirements of the California Consumer Privacy Act—last month. Importantly, schools’ ability to consent to collection of children’s information under COPPA is limited to situations where the personal information is used solely for educational purposes. In other words, schools may not consent to collection where any commercial use is planned, such as when EdTech companies plan to use students’ personal information for targeted advertising or building user profiles for commercial purposes.
Of course, “personal information” is defined broadly in COPPA to include not just names, addresses, and other contact information, but screen names and persistent identifiers such as cookies, IP addresses, processor or device serial numbers, or unique device identifiers when such information is used to track users over time and across the internet.
FERPA: Don’t Forget the Rules for Educational Records
In addition to COPPA, educational institutions and EdTech companies should consider the potential impact of the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment on any use of virtual classroom technology.
FERPA generally requires consent to disclose students’ education records or personally identifiable information in those records. The Department recently clarified in a webinar on FERPA and virtual learning during COVID-19 that disclosure to providers of video conferencing or virtual learning software was permissible without obtaining consent under the “school official exception,” but only if certain conditions are met, including prohibitions on unapproved redisclosure or on the use of educational records or personally identifiable information for unauthorized purposes.
The Department also cautioned that schools should consider their policies regarding non-student participation in virtual classrooms and consider whether virtual class recordings may qualify as “education records” for purposes of the statute.
Biometric Information and Other State Laws: Do Your Homework on Local Law
As we have discussed previously, over 40 states have student privacy laws that regulate state education agencies, local education agencies, and educational vendors. Technology companies that are new to the education space should be especially vigilant of the privacy landscape in the states where they offer services.
For EdTech companies that collect biometric information—such as for authentication purposes—state biometric information privacy laws may pose additional obligations. Currently, Illinois, Texas, and Washington all have biometric information privacy statutes that regulate the collection, use, retention, and disclosure of such information.