The Federal Trade Commission recently announced that it is updating COPPA (Children’s Online Privacy Protection Act). Many of the proposed changes are aimed at better protecting student data by requiring technology providers to take a bigger role in that effort, as well as limiting the ability to monetize student information.
Data privacy rules are generally outdated. COPPA became law in 2000 and hasn’t been updated since. When enacted, COPPA made it illegal for websites and online services to collect personal information from children under 13 without parents’ verifiable consent.
This isn’t to say that there are no student data privacy laws on the books since then. In 2016, California passed the Student Online Personal Information Protection Act (SOPIPA), which started an avalanche of student data privacy legislation across the country. Only a year after it took effect, 22 states had adopted all or parts of the law.
All this to say that student data privacy has played out on a national scale as a big game of chicken. The federal government hasn’t acted, wondering what states will do, and states are looking for guidance from the feds. It’s set up a very interesting landscape for this issue, particularly as technologies in schools, especially emerging ones such as AR, VR, and AI, have grown in the classroom.
Be it state or federal, all laws are outdated for the current edtech landscape in which students and educators operate. This also means it is long past due for an update.
Key Proposed COPPA Updates
After the FTC announced it was considering revisions to COPPA, it received more than 175,000 comments in response. Stakeholders included parents, educators, industry members, researchers, and others.
According to the FTC, here is a recap of the key proposed changes and what each means:
- Requiring separate opt-in consent for third-party disclosures. This means that the default settings for edtech platforms and products would automatically be set to “no sharing” for students, and parents would have to specifically opt in to share or allow data to be shared with third-party advertisers.
- Limiting the “support for internal operations” exception. Currently, edtech companies can collect information if it’s for internal business operations. The FTC wants to limit this going forward, as well as have companies post detailed disclosures on how any collected data is used or shared with advertisers.
- Limiting companies’ nudging of kids to stay online. This is pretty straightforward: companies wouldn’t be allowed to use certain COPPA exceptions to send push notifications to encourage kids to keep using edtech products or platforms. This would also include getting parental consent to even send push notifications.
- Limiting data retention. The FTC proposal would limit how long edtech companies could retain student data to essentially the time the student is actively using the product or platform, and companies could not do anything with the data afterward. Also, data retention policies would have to be clearly disclosed and publicly available.
- Codifying edtech guidance. As the edtech industry has grown exponentially since COPPA was first enacted, this would formalize FTC guidance and safeguards, such as in cases when schools and districts allow edtech companies to collect student data for school-authorized purposes and not for resale to advertisers.
- Increasing accountability for Safe Harbor programs. This would increase transparency and accountability of COPPA’s Safe Harbor programs, including public disclosure of membership lists.
- Strengthening data security requirements. This would focus on generally creating more stringent rules and safeguards that edtech companies have to follow when dealing with student data.
- A change to the definition of “personal information” to include biometric identifiers. This would include protecting students’ biometric information collected by edtech companies, such as thumbprints, facial recognition patterns, retinal scans, etc.
These proposals all have major implications for districts and providers. For example, codifying edtech guidance is very vague, and how this rule is interpreted and applied could change how schools operate in very big ways.
These proposed rules are nowhere near finished. In fact, the FTC published the Notice of Proposed Rulemaking, which incorporates much of the feedback from the initial review process.
If you are interested in commenting on the proposed rules, file your comment at https://www.regulations.gov by following the instructions on the web-based form. Write “COPPA Rule Review, Project No. P195404” on any comment. Public comment on the proposed changes must be received by March 11, 2024.
Why is the FTC Leading Proposed Changes?
It is interesting to see the updates to COPPA coming through an agency rather than legislatively. Although not uncommon, it certainly shows doubt that legislation would make it through both Congressional chambers and receive the President’s signature. Rulemaking is one way to try to update what can be agreed upon while sorting out the more controversial challenges.
Upon the announcement of FTC changes, Senators Bill Cassidy (R-LA) and Edward Markey (D-MA) released a joint statement that applauded the FTC’s proposed updates but also stated that this effort should not be considered a replacement for congressional action.
The Senators also noted that they wish to quickly pass the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) “to prioritize the well-being of our children,” adding, “Inaction is not an option.”
The Senate has expressed more interest in student privacy bills, yet none have passed the full Senate or been introduced in the House. The FTC taking this step will likely lead to at least some modernization of privacy rules before Congress can act.