The FTC issued an important new policy statement on May 19, 2022, warning companies that provide educational technology (EdTech) to schools not to use data collected by their apps for purposes unrelated to education. Although this policy statement was adopted just days after new Democratic Commissioner Alvaro Bedoya was sworn in, it was not a partisan or contested issue: all five commissioners voted in favour. It should therefore be seen as reflecting the policy of the commission, which is likely to persist despite any change in administration that may occur in the future.
Adult consumers are generally presumed to know that they reveal information about themselves and their browsing activity to the websites they visit and the apps they use (and to third-party ad networks working with those websites and apps), so long as such information-collection practices are reasonably disclosed in the websites’ privacy policies. For the most part, “opt-out” consent is the default state of the consumer Internet: information will be collected, used, or disclosed unless the consumer takes affirmative action to say they do not want to let that happen. Challenges to this default state create concern, controversy, and backlash; recent examples would be the implementation of the GDPR (which required users’ affirmative consent to tracking via cookies); the California CCPA (which made it easier for consumers to opt out by requiring a “Do Not Sell My Data” button on website landing pages); and Apple’s “App Tracking Transparency Framework” (which requires an app to obtain affirmative consent from users before tracking user activity on third-party apps and websites).
However, COPPA has long required that children be treated differently from adults. Children are presumed incapable of consenting to the collection of data concerning them, and parents are presumed not to give their default consent to the collection of information about their children. Accordingly, an online provider must “obtain verifiable parental consent before any collection, use or disclosure of children’s personal information”. 16 CFR §312.5. Because of this reversal of the normal default state online, one of the traditional goals of industry COPPA compliance efforts has been to ensure that any online entity knowingly collecting data from children goes through the prescribed (and somewhat cumbersome) steps necessary to “obtain verifiable parental consent”.
The new policy statement takes these child-specific “notice and consent” requirements for granted, but then goes beyond these essentially procedural obligations to focus on COPPA’s substantive restrictions on the collection, use, disclosure and retention of personal information about children. The underlying concern is that children should not be targeted by advertising while they continue their education, especially with the pandemic and the shift from in-person to remote learning. With the significant increase in school-issued devices and apps, the FTC is concerned that EdTech vendors are reverting to the normal default online by collecting more information from children than they have a right to; by using it in an unauthorized manner; by keeping it too long; and by not securing it properly. Each of these points is already specifically addressed by COPPA and its implementing rules. Even so, with the new policy statement, the FTC obviously wanted to make it clear to EdTech vendors that the agency intends to aggressively enforce these rules.
The policy statement makes the following specific points:
- Constraints on collection: COPPA rules prohibit EdTech providers from conditioning participation in any activity — such as use of an e-learning app — on a child disclosing more information than is reasonably necessary to participate. What is “reasonably necessary” will, of course, depend on the context. For example, an app provider might need to know a child’s grade level, or even past performance, to know how difficult a learning activity to present on a given day. But why would an EdTech provider need a child’s email address? As the FTC stated, “If an educational technology provider does not reasonably need to be able to send email to students, it cannot condition the student’s access to schoolwork on the provision of their email address. Students should not be required to submit to unnecessary data collection in order to do their homework.”
- Usage limits: The presumption on the Internet as a whole is that with proper notice, an online entity can do more or less what it wants with the information it collects from users – such as developing user-specific profiles for future marketing or for use by third-party advertising networks; or adding user data to a collection of such information to be subjected to machine learning analysis to increase future engagement; or using it for product development or market research. None of this is permitted with data collected by EdTech providers pursuant to a school’s permission. Frankly speaking, the FTC states that “educational technology companies are prohibited from using this information for any commercial purpose, including marketing [and] advertising … unrelated to the provision of the online service requested by the school.” Any EdTech provider that has viewed data collected from students engaged in online learning as a form of business asset, similar to online data on adults, must rethink its approach or potentially end up in the crosshairs of agency enforcement.
- Storage restrictions: Many online entities gather all the information they can about users and then store it, often indefinitely, simply because it might be useful in some (as yet unknown) future context. This is not authorized by COPPA. Instead, an EdTech provider “must retain Personal Information collected from a Child no longer than reasonably necessary to fulfill the purpose for which it was collected.” 16 CFR §312.10. The fundamental purpose of collecting information from children using an EdTech app for school is to enable them to achieve educational goals. After the student has completed a lesson (or school year), why would an EdTech provider need to retain that student’s information? “Because we might be able to use it one day” is not a sufficient answer. As the FTC puts it, “it is unreasonable…for an ed technology provider to retain children’s data for potential speculative future uses.”
- Substantial security obligations: Although it may seem obvious, entities that collect personal information from children must protect it. In the language of the FTC’s COPPA Rule, EdTech vendors “must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” 16 CFR §312.8. What is considered sufficiently “reasonable” will vary depending on the nature of the entity involved, as well as the nature and sensitivity of the information collected and maintained. At a minimum, an EdTech entity that collects information from children must address the familiar triad of appropriate administrative, physical, and technical controls over access to information. For example: train your employees on the need to protect data and how to do it (administrative); keep data on servers safe from theft or destruction (physical); and encrypt data and enforce appropriate login credentials (including, where applicable, two-factor authentication) before anyone can access the data (technical). A key takeaway from the policy statement on this point is that it is not enough for an entity to simply avoid a data breach: “even if there is no breach…EdTech vendors violate COPPA if they lack reasonable security”. Here, the agency is signaling that it could take legal action against an EdTech provider that lacks proper security procedures, even if the provider had never lost or mishandled data.
* * * * *
As noted above, nothing the FTC says in its new policy statement is actually new: every requirement it sets out is already in the law or its rules. But after more than two years of pandemic-related changes to the learning environment — including, among other things, a substantial and likely continuing increase in schools’ reliance on online learning tools — the agency wants to give a clear warning to the EdTech industry that under no circumstances should data collected from children be treated under the “business as usual” rules applicable to information from adults.
 Laws recently enacted by the states of Virginia, Colorado, and Connecticut require companies to obtain prior consent before processing (which includes collecting) any “sensitive personal information” as defined in those laws. These laws will come into force in 2023.