On January 11, the U.S. Federal Trade Commission published a Notice of Proposed Rulemaking, marking a significant step in updating its Children’s Online Privacy Protection (COPPA) Rule, which has not seen changes since 2013. This proposal comes after years of deliberation, with the FTC seeking feedback since 2019.
There’s a lot to unpack in the 176-page proposal. To start, here are five key issues that edtech providers should consider:
- Clarifying the school authorization exception. The collection of a child’s personal information online typically requires direct consent from parents. The new rule proposes to clarify the exception that operators (edtech providers) may obtain authorization from a “school” instead, but only when certain safeguards are met. This would include a clearly written contract laying out the privacy protection, identifying the staff providing consent, and that the school has authorized the person to provide such consent.This change intends to streamline data collection processes in educational contexts without compromising the essence of informed parental consent. The proposal also broadens the definition of “school” to encompass individual schools, local educational agencies, and state educational agencies.
- Reinforcing the responsibility of edtech providers. A notable inclusion in the rule is the definition of “school-authorized education purpose.” Edtech platforms can use personal information obtained through school authorization only for delivering the requested online education service. They are expressly forbidden from employing this data for any commercial purpose, including marketing, advertising, or other unrelated commercial activities; this was a key factor in the 2022 settlement between the FTC and Edmodo.This term would clearly exclude any form of marketing, emphasizing that while personalization of services is permissible, it must not extend to any kind of marketing — even educational services.
- No mandatory data collection. The updated rules assert that edtech companies and other COPPA-covered entities are prohibited from conditioning a child’s participation in an activity on the disclosure of more information than is reasonably necessary. This change is aimed at curbing the excessive collection of children’s data under the guise of participation requirements.
- Retention of personal information. The updated rule would mandate that edtech providers, along with other COPPA-covered companies, must not retain personal information collected from a child for a period longer than is reasonably necessary to fulfill the purpose for which it was collected. The FTC clarifies that retention of children’s data for speculative future uses is considered unreasonable. This provision is a clear move to prevent the unnecessary accumulation of children’s data over time.
- The importance of data security should go without saying. Edtech providers and other COPPA-covered companies are required to implement and maintain robust procedures to ensure the confidentiality, security, and integrity of children’s personal information. This requirement is critical, as it holds companies accountable for the protection of children’s data, even in the absence of a data breach. The FTC underlines that a lack of reasonable security measures, by itself, constitutes a violation of COPPA.
What’s next: The comment period is open for the next 60 days. Edtech providers, along with other stakeholders, are encouraged to review the rules and provide feedback.