FTC Puts Edtech Companies on Notice of COPPA Compliance Investigations

Students, parents and educators all have received a crash course on using educational technology—or “edtech”—to facilitate remote schooling, courtesy of the COVID-19 pandemic. But the surge in the use of online learning tools provided through edtech, such as videoconferencing platforms, websites and mobile apps, has sparked regulators’ concerns that the learning tools could be used to collect, use, retain and sell children’s personal data. 

The Federal Trade Commission (FTC) is now taking steps to ensure that data collection practices of edtech companies comply with the Children’s Online Privacy Protection Act (COPPA) and properly protect the personal information of children under 13. The FTC issued a policy statement on May 19 announcing its intent to “closely scrutinize” edtech providers and take action if providers fail to meet their legal obligations under COPPA. In particular, the FTC noted that COPPA bars edtech companies from requiring schools and parents to agree to the collection of children’s personal data as a condition of using the companies’ learning tools. The policy statement also emphasized that protecting children’s privacy is strictly the responsibility of the edtech companies. 

Key Takeaways

• The FTC’s policy statement does not change COPPA’s rules or requirements or its applicability to edtech companies, but rather it indicates that the FTC will be focusing its efforts on enforcing requirements that already exist in the law.
• In light of reports of edtech products violating COPPA during the pandemic, the FTC intends to vigorously enforce COPPA restrictions, with a particular focus on digital companies that operate in schools. In particular, the FTC appears to be focused on edtech companies that potentially share children’s data with advertising technology companies in violation of COPPA. 
• The policy statement serves as a reminder to all companies, including edtech companies, that their compliance obligations go beyond COPPA’s notice and verifiable parental consent requirements. All online operators that collect personal information from children under the age of 13 also must adhere to security requirements and collection, use and retention limitations under COPPA. 
• At the beginning of May, the FTC announced at the Better Business Bureau’s Children’s Advertising Review Unit (CARU) annual meeting that it intended to conduct a “comprehensive” review of COPPA that will explore “basically everything” in the COPPA rules. Coupled with the announcement two weeks later that the FTC will host a virtual workshop on Oct. 19 called “Protecting Kids from Stealth Advertising in Digital Media” to look at how to best protect children’s data privacy, it appears that the FTC may amend the COPPA rules in the near future. 

Focus of FTC Investigation

The FTC noted in its policy statement that parent groups and others have expressed concern that the in-home use of online learning services and school-issued personal computing devices make students a “captive audience” for data collection. 

The responsibility for COPPA compliance is on businesses, not schools or parents, and edtech companies covered by COPPA bear a significant responsibility to implement strong data privacy protections. Accordingly, the agency said its investigation of edtech providers’ compliance with COPPA will focus on the following four areas. 

Prohibition against mandatory data collection. Companies, including edtech providers, covered by COPPA are not allowed to stop students under 13 from participating in an edtech-based activity if the children refuse to provide information that is not “reasonably necessary” for the student to participate in that activity. For example, if an edtech provider does not need to email students, it cannot require students to provide email addresses in order to access their schoolwork.

Prohibitions on data use. COPPA strictly limits edtech providers in how they can use the personal information they collect from children. For example, edtech providers that collect children’s personal information with their school’s authorization may use the information only to provide the requested online education service. Edtech companies are therefore prohibited from using the information for any commercial purpose, including marketing and advertising, that is unrelated to the provision of the online service requested by the school.

Limitations on data retention. Under COPPA, edtech providers must not retain personal information collected from a child longer than reasonably necessary to fulfill the purpose for which the data was collected. It would be unreasonable, for example, for an edtech provider to retain children’s data for speculative future uses. 

Security requirements. Edtech providers must have procedures in place to maintain the confidentiality, security and integrity of children’s personal information. Even in the absence of a data breach, edtech providers that lack reasonable security are in violation of COPPA.

Further, the FTC stated that edtech companies should not seek to pass off to or share COPPA compliance responsibilities with school administrators, parents or others through contract provisions or terms of service. The responsibility to comply with the law rests fully on edtech providers.

Although the FTC did not provide details on how an investigation of potential COPPA violations would be initiated and conducted, the agency said in its policy statement that the investigations would enforce the existing COPPA rules. 

COPPA’s Impact

President Joe Biden applauded the FTC’s statement in a May 19 statement of his own.

Biden, who called for a ban on targeted advertising to children in his State of the Union address earlier this year, said he commended the FTC “for unanimously taking a big step in that direction today.” FTC members voted 5-0 at an open meeting to adopt the policy statement.

COPPA has an impact on children outside the United States as well because companies that are headquartered in the United States must comply with COPPA even if they are collecting information only from children outside the United States. Many of the biggest and most influential tech companies that provide services globally are headquartered in the U.S., noted the organization Human Rights Watch in its report on children’s data privacy around the world, issued on May 25. The report investigated 164 edtech products endorsed by 49 governments, including that of the U.S., for children’s education during the pandemic. Of the 164 edtech products reviewed, 146 (89%) “appeared to engage in data practices that put children’s rights at risk, contributed to undermining them, or actively infringed on these rights.” The report—“How Dare They Peep into My Private Life?: Children’s Rights Violations by Governments That Endorsed Online Learning During the Covid-19 Pandemic”—further states that many of these online learning platforms sent or granted access to children’s data to third-party companies, usually advertising technology companies. 

Virtual Workshop

In addition to issuing its policy statement, the FTC announced that on Oct. 19, it will host a virtual workshop called “Protecting Kids from Stealth Advertising in Digital Media” to look at how to best protect the children’s data privacy. The event, which is open to the public and will be a webcast on the FTC’s website, will identify advertising techniques aimed at children and measures that could be implemented to protect their personal data. 

Researchers, child development and legal experts, consumer advocates, and others will examine the techniques and practices used to create an online environment that makes it difficult or impossible for children to distinguish between an advertisement and entertainment.

Topics to be addressed include:

• Children’s capacity at different ages and developmental stages to recognize and understand advertising content and distinguish it from other content.
• Harm to children resulting from their inability to recognize advertising.
• Potential measures that should be taken to protect children from blurred content in digital marketing.
• The need for and the efficacy of disclosures as a solution for children of different ages, including the format, timing, placement, wording and frequency of such disclosures.

Information, including the workshop’s speakers and agenda, will be posted on the workshop’s webpage in advance of the event.