On May 19, 2022, the Federal Trade Commission voted 5-0 to adopt a policy statement regarding increased scrutiny of the Children’s Online Privacy Protection Act (COPPA) violations involving education technology companies.  The statement reaffirmed COPPA provisions around limiting educational technology’s collection, use, retention and security requirements for children’s data. The FTC stated:

“When Congress enacted the [COPPA], it empowered the Commission with tools beyond administering compliance with notice and consent regimes. The Commission’s COPPA authority demands enforcement of meaningful substantive limitations on operators’ ability to collect, use, and retain children’s data, and requirements to keep that data secure. The Commission intends to fully enforce these requirements—including in school and learning settings where parents may feel they lack alternatives.”

The FTC states that the development and proliferation of more sophisticated technologies has raised concerns that businesses might engage in harmful conduct, which led to the FTC’s 2013 revisions to the COPPA Rule, including provisions to hold third party advertising networks liable for collection of children’s personal information from child-directed sites in violation of the Rule and to expand the definition of personal information to include persistent identifiers used to target advertising to children. The FTC further cited online learning devices and services during the COVID-19 pandemic as making concerns about data collection in the educational context “particularly acute.”

In a separate statement, President Joe Biden applauded the FTC, stating that children and families “shouldn’t be forced to accept tracking and surveillance” to access online educational products.  Biden said the FTC “is making it clear that such requirements would violate the [COPPA], and that the agency will be cracking down on companies that persist in exploiting our children to make money.”

The FTC intends to scrutinize compliance with the “full breadth” of the COPPA rules and statute, focusing particular emphasis on:

  • Prohibitions Against Mandatory Collection. Prohibitions against businesses requiring collection of personal information beyond what is reasonably needed for the child to participate in the activity.
  • Use Prohibitions. Restrictions and limitations on how COPPA-covered companies can use children’s personal information, such as for marketing, advertising, or other commercial purposes unrelated to the provision of the school-requested online service.
  • Retention Prohibitions. COPPA-covered companies must not retain personal information longer than reasonably necessary to fulfill the purpose for which it was collected (e.g., for speculative future potential uses).
  • Security Requirements. COPPA-covered companies must have procedures to maintain the confidentiality, security, and integrity of children’s personal information. A COPPA-covered company’s lack of reasonable security can violate COPPA even absent a breach.

The Policy Statement concludes that:

“Children should not have to needlessly hand over their data and forfeit their privacy in order to do their schoolwork or participate in remote learning, especially given the wide and increasing adoption of ed tech tools. Going forward, the Commission will closely scrutinize the providers of these services and will not hesitate to act where providers fail to meet their legal obligations with respect to children’s privacy.”

To view the FTC policy statement, click here.

To view President Biden’s statement, click here.