On Tuesday, April 22nd, the Federal Trade Commission announced that it has updated its “Complying with COPPA: Frequently Asked Questions: A Guide for Business and Parents and Small Entity Compliance Guide” to address consent for the collection of student information.
The recent updates to Section M, repeated in full below with the entire FAQs available here, focuses on the disclosure use of students’ data by third party website and web service providers in the education setting. The rights of parents under COPPA to be informed and notified of such use is front and center.
The updates come after many schools have set the standard of disclosure by creating Acceptable Use Policies and otherwise disclosing to parents how their child’s information is disclosued and used.
The full, revised Section M follows:
M. COPPA AND SCHOOLS
1. Can an educational institution consent to a website or app’s collection, use or disclosure of personal information from students?
Yes. Many school districts contract with third-party website operators to offer online programs solely for the benefit of their students and for the school system – for example, homework help lines, individualized education modules, online research and organizational tools, or web-based testing services. In these cases, the schools may act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf. However, the school’s ability to consent on behalf of the parent is limited to the educational context – where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose. Whether the website or app can rely on the school to provide consent is addressed in FAQ M.2 below. FAQ M.5 provides examples of other “commercial purposes.”
Whether the operator gets consent from the school or the parent, the operator must still comply with other COPPA requirements. For example, the operator must provide the school with all the required notices, as noted above, and must provide parents, upon request, a description of the types of personal information collected; an opportunity to review the child’s personal information and/or have the information deleted; and the opportunity to prevent further use or online collection of a child’s personal information.
In addition, the school must consider its obligations under the Family Educational Rights and Privacy Act (FERPA), which gives parents certain rights with respect to their children’s education records. FERPA is administered by the U.S. Department of Education. For general information on FERPA, see http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html. Schools also must comply with the Protection of Pupil Rights Amendment, which is also administered by the Department of Education. See http://www2.ed.gov/policy/gen/guid/fpco/index.html.
2. Under what circumstances can an operator of a website or online service rely upon an educational institution to provide consent?
Where a school has contracted with an operator to collect personal information from students for the use and benefit of the school, and for no other commercial purpose, the operator is not required to obtain consent directly from parents, and can presume that the school’s authorization for the collection of students’ personal information is based upon the school having obtained the parents’ consent. However, the operator must provide the school with full notice of its collection, use, and disclosure practices, so that the school may make an informed decision. See FAQ M.6 below.
If, however, an operator intends to use or disclose children’s personal information for its own commercial purposes in addition to the provision of services to the school, it will need to obtain parental consent. Operators may not use the personal information collected from children based on a school’s consent for another commercial purpose because the scope of the school’s authority to act on behalf of the parent is limited to the school context.
Where an operator gets consent from the school rather than the parent, the operator’s method must be reasonably calculated, in light of available technology, to ensure that a school is actually providing consent, and not a child pretending to be a teacher, for example.
3. Who should provide consent – an individual teacher, the school administration, or the school district?
As a best practice, we recommend that schools or school districts decide whether a particular site’s or service’s information practices are appropriate, rather than delegating that decision to the teacher. Many schools have a process for assessing sites’ and services’ practices so that this task does not fall on individual teachers’ shoulders.
4. When the school gives consent, what are the school’s obligations regarding notifying the parent?
As a best practice, the school should consider providing parents with a notice of the websites and online services whose collection it has consented to on behalf of the parent. Schools can identify, for example, sites and services that have been approved for use district-wide or for the particular school. In addition, the school may also want to make the operators’ direct notices regarding their information practices available to interested parents. This allows the parent to assess the site’s or service’s practices and to exercise their rights under COPPA – for example, to review the child’s personal information. Many school systems have implemented Acceptable Use Policies for Internet Use (AUPs) to educate parents and students about in-school Internet use; the school could maintain this information on a website or provide a link to the information at the beginning of the school year.
5. What information should a school seek from an operator before entering into an arrangement that permits the collection, use, or disclosure of personal information from students?
In deciding whether to use online technologies with students, a school should be careful to understand how an operator will collect, use, and disclose personal information from its students. Among the questions that a school should ask potential operators are:
•What types of personal information will the operator collect from students?
•How does the operator use this personal information?
•Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school? For instance, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service? If so, the school cannot consent on behalf of the parent.
•Does the operator enable parents to review and have deleted the personal information collected from their children? If not, the school cannot consent on behalf of the parent.
•What measures does the operator take to protect the security, confidentiality, and integrity of the personal information that it collects?
•What are the operator’s data retention and deletion policies for children’s personal information?
6. I’m an educator and I want students in my school to share information for class projects using a publicly available online social network that permits children to participate with prior parental consent. Can I register students in lieu of having their parents register them?
This question assumes that your school hasn’t entered into an arrangement with the social network for the provision of school-related activities, but rather that you intend to use a service that is more broadly available to children and possibly other users. The Commission has recognized the school’s ability to act in the stead of parents in order to provide in-school Internet access. However, where the activities and the associated collection or disclosure of children’s personal information will extend beyond school-related activities, the school should, as a best practice, effectively notify parents of its intent to allow children to participate in such online activities before giving consent on parents’ behalf.