The Federal Trade Commission recently announced that it is updating COPPA (Children's Online Privacy Protection Act). Many of the proposed changes aim to better protect student data by requiring technology providers to take a larger role in that effort, as well as limiting the ability to monetize student information.
Data privacy regulations are often outdated. COPPA became law in 2000 and has not been updated since. When enacted, COPPA made it illegal for websites and online services to collect personal information from children under 13 without verifiable parental consent.
This is not to say that student data privacy laws have not existed since then. In 2016, California passed the Student Online Personal Information Protection Act (SOPIPA), kicking off an avalanche of student data privacy legislation across the country. Just one year after it went into effect, 22 states had fully or partially adopted the law.
All of this to say that student data privacy has played out on a national scale like a big game of chicken. The federal government has not acted, wondering what the states will do, and the states are looking to the feds for guidance. A very interesting landscape has been created for this topic, especially as technology in schools (especially emerging ones like AR, VR and ai) has grown in classrooms.
Whether state or federal, all laws are outdated for the current educational technology landscape in which students and educators operate. This also means that an update is long overdue.
Key Proposed COPPA Updates
After the FTC announced it was considering revising COPPA, it received more than 175,000 comments in response. Stakeholders included parents, educators, industry members, researchers and others.
According to the FTC, here is a summary of the keys proposed changes and what each one means:
- Require separate opt-in consent for third-party disclosures. This means that the default settings for edtech platforms and products would automatically be set to “do not share” for students, and parents would have to specifically opt-in to share or allow data to be shared with third-party advertisers.
- Limit the “support to internal operations” exception. Currently, educational technology companies can collect information if it is for internal business operations. The FTC wants to limit this in the future, as well as require companies to publish detailed disclosures about how the data collected is used or shared with advertisers.
- Limit companies' push for kids to stay online. This is pretty straightforward: Companies would not be allowed to use certain COPPA exceptions to send push notifications to encourage children to continue using educational technology products or platforms. This would also include obtaining parental consent to even send push notifications.
- Limit data retention. The FTC proposal would limit the time that edtech companies could retain student data to essentially as long as the student is actively using the product or platform, and would do nothing with the data afterward. Additionally, data retention policies should be clearly disclosed and publicly available.
- Codification of educational technology guidance. Since the edtech industry has grown exponentially since COPPA was first enacted, this would formalize the FTC's guidance and safeguards, such as where schools and districts allow edtech companies collect student data for school-authorized purposes and do not resell it to advertisers.
- Increased accountability for Safe Harbor programs. This would increase the transparency and accountability of COPPA Safe Harbor programs, including public disclosure of membership lists.
- Strengthening data security requirements. This would focus on generally creating stricter rules and safeguards that edtech companies must follow when handling student data.
- A change in the definition of “personal information” to include biometric identifiers. This would include protecting student biometric information collected by educational technology companies, such as fingerprints, facial recognition patterns, retina scans, etc.
All of these proposals have important implications for districts and providers. For example, codifying guidance on educational technology is very vague, and how this rule is interpreted and applied could greatly change how schools operate.
These proposed rules are far from finalized. In fact, the FTC published the Notice of Proposed Rulemakingwhich incorporates much of the feedback from the initial review process.
If you are interested in commenting on the proposed rules, please send it to https://www.regulations.gov following the instructions on the web form. Write “COPPA Rule Review, Project No. P195404” in any comment. Public comments on the proposed changes must be received by March 11, 2024.
Why is the FTC leading the proposed changes?
It is interesting to see COPPA updates being done through an agency and not legislatively. While not uncommon, it certainly shows hesitation in legislation that passes both houses of Congress and receives the President's signature. Rulemaking is a way of trying to update what can be agreed upon while resolving the most controversial challenges.
Following the announcement of the FTC changes, Senators Bill Cassidy (R-LA) and Edward Markey (D-MA) released a joint declaration which applauded the FTC's proposed updates but also stated that this effort should not be considered a replacement for congressional action.
The senators also noted that they want to quickly pass the Children and Teens Online Privacy Protection Act (COPPA 2.0) “to prioritize the well-being of our children,” adding, “Inaction is not an option.”
The Senate has expressed more interest in student privacy bills, but none have passed the full Senate or been introduced in the House. The FTC's adoption of this measure will likely lead to at least some modernization of privacy rules before Congress can act.
