No Spring Break for Student Privacy

"Privacy, Unmasked" is a multi-part series that explores the impact of COVID-19 on individual privacy rights and privacy and security regulation and enforcement. New blogs will be posted in this space on Tuesdays.

As teachers, parents, and students across the country continue to adjust to remote learning, in many cases trading schoolhouses and classrooms for online portals and videoconference software, educational institutions and vendors alike must be careful to remember the A, B, Cs of student privacy. Recent guidance from the Federal Trade Commission (FTC) and from the Department of Education (the Department) provides some helpful lessons and important questions to ask when evaluating whether common distance learning practices make the grade.

COPPA: Schools May Consent to Collection but Only for Educational Purposes

The FTC issued a general reminder on April 9, 2020 that preexisting education privacy rules apply even when class is virtually in session. In a blog post on “Remote learning and children’s privacy,” the FTC reiterated that the Children’s Online Privacy Protection Act (COPPA) requires websites and online services directed at children to obtain consent from parents before collecting personal information from children under 13 years old.

As the FTC explains, COPPA imposes requirements on operators of online services, who must obtain consent from parents in order to collect and use children’s personal information, and does not apply directly to schools. However, schools may become involved when they provide consent, in lieu of parents, to the collection of student personal information by education technology (EdTech) companies. The FTC’s post was accompanied by COPPA guidance addressed both to schools and EdTech companies.

We provided an overview of COPPA’s requirements—alongside the newer requirements of the California Consumer Privacy Act—last month. Importantly, schools’ ability to consent to collection of children’s information under COPPA is limited to situations where the personal information is used solely for educational purposes. In other words, schools may not consent to collection where any commercial use is planned, such as when EdTech companies plan to use students’ personal information for targeted advertising or building user profiles for commercial purposes.

Of course, “personal information” is defined broadly in COPPA to include not just names, addresses, and other contact information, but screen names and persistent identifiers such as cookies, IP addresses, processor or device serial numbers, or unique device identifiers when such information is used to track users over time and across the internet.

FERPA: Don’t Forget the Rules for Educational Records

In addition to COPPA, educational institutions and EdTech companies should consider the potential impact of the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment on any use of virtual classroom technology.

FERPA generally requires consent to disclose students’ education records or personally identifiable information in those records. The Department recently clarified in a webinar on FERPA and virtual learning during COVID-19 that disclosure to providers of video conferencing or virtual learning software was permissible without obtaining consent under the “school official exception,” but only if certain conditions are met, including prohibitions on unapproved redisclosure or on the use of educational records or personally identifiable information for unauthorized purposes.

The Department also cautioned that schools should consider their policies regarding non-student participation in virtual classrooms and consider whether virtual class recordings may qualify as “education records” for purposes of the statute.

Biometric Information and Other State Laws: Do Your Homework on Local Law

As we have discussed previously, over 40 states have student privacy laws that regulate state education agencies, local education agencies, and educational vendors. Technology companies that are new to the education space should be especially vigilant of the privacy landscape in the states where they offer services.

For EdTech companies that collect biometric information—such as for authentication purposes—state biometric information privacy laws may pose additional obligations. Currently, Illinois, Texas, and Washington all have biometric information privacy statutes that regulate the collection, use, retention, and disclosure of such information.

The facts, laws, and regulations regarding COVID-19 are developing rapidly. Since the date of publication, there may be new or additional information not referenced in this advisory. Please consult with your legal counsel for guidance.

DWT will continue to provide up-to-date insights and virtual events regarding COVID-19 concerns. Our most recent insights, as well as information about recorded and upcoming virtual events, are available at www.dwt.com/COVID-19.

This article was originally featured as a privacy and security advisory on DWT.com on May 05, 2020. Our editors have chosen to feature this article here for its coinciding subject matter.