On January 23, 2015, Senior Attorney Lesley Fair at the Federal Trade Commission (“FTC”) posted on the Agency’s business blog clarifying how the Children’s Online Privacy Protection Act (“COPPA”) applies to schools. COPPA seeks to protect the privacy of children by allowing parents to control what personal information about their children under the age of thirteen may be collected by “operators” of websites or online services, including apps, that are either directed to children or that knowingly collect personally identifiable information from children. Subject to certain regulatory exceptions, the entities covered by COPPA must notify parents and obtain consent before collecting, using, or disclosing any personal information from children under thirteen. “Operator” is defined as a person operating an online website or service who collects personal information about users “where such website or online service is operated for commercial purposes.”
Given the increasing use of technology in the classroom, the FTC often receives questions about how COPPA applies in the school setting. In her blog post, Fair explained that schools do not fall within the definition of “operator” since they are usually part of the local government and not commercial entities, placing schools outside of COPPA’s legal coverage. However, COPPA may still come into play when schools allow or require students to use sites and services that are covered. For example, schools may partner with companies such as Google or Apple to provide educational services. In such cases, schools may provide consent to the “operator” on the parent’s behalf solely to the extent such personal information from students is collected for educational purposes. “COPPA was not intended to displace the traditional relationship between parents and schools when it comes to the collection of information exclusively for educational purposes in the school context and with the school’s permission,” Fair wrote. However, many apps or websites that can be used in the classroom may also be used outside of the classroom for entertainment or additional purposes, and thus COPPA may still be triggered if personal information is collected for commercial uses.
The blog post also explained that some providers of online testing are not covered by COPPA. In particular, the FTC was questioned about the development of tests by two groups of state educational agencies—the nonprofit Partnership for Assessment of Readiness College and Careers and the Smarter Balanced Assessment Consortium. Fair noted that COPPA’s reach does not extend to state governments or nonprofits.
While embracing the use of technology to promote learning in the classroom, educational institutions should be mindful of student privacy and their role in protecting it. Even when COPPA does not apply, it is important for schools to remember the privacy obligations they have under the Family Educational Rights and Privacy Act.