To print this article, all you need is to be registered or login on Mondaq.com.
On May 19, 2022, the Federal Trade Commission (FTC) unanimously
approved a policy statement
on education technology (EdTech) and the Children’s Online
Privacy Protection Act (COPPA). Characterized as part of a larger
effort to “crack down on companies
that illegally surveil children learning online,” the
policy statement itself merely highlights pre-existing obligations
under COPPA for companies that knowingly process children’s
data to minimize the data collected and to employ appropriate
security to protect that data.
COPPA Check-in. COPPA was enacted by
Congress in 1998, with the FTC’s COPPA Rule
promulgated in 2000. The law places a variety of obligations on
operators of online services directed to children under 13 or who
knowingly collect personal information from children under 13. The
FTC is the principal enforcement agency, with states and certain
other federal regulators also playing a role.
Commissioner Commentary. After hearing comments
from the public, the Commission turned to voting on the policy
statement. All of the commissioners expressed concern with EdTech
companies accessing student data, particularly as software has
become increasingly necessary during the COVID-19 pandemic. Chair
Lina Khan noted in her
remarks that she does not believe the well-known parental
consent is effective at limiting data collection, which is
consistent with her general skepticism of the utility of user
consents in the privacy context. The two Republican commissioners,
Christine Wilson and Noah Phillips, explained that, although they
supported the policy statement, they were frustrated that the
agency had issued this statement while it had an open rulemaking to
update the COPPA Rule. Commissioner Wilson
also indicated that she supported the policy statement
reluctantly but ultimately supported the policy statement because
it set no new requirements and was consistent with prior staff
guidance.
What’s in the Policy Statement? The policy
statement itself does not break any new ground or explain how the
agency may enforce or prioritize aspects of COPPA. But the release
highlighted four substantive COPPA provisions (beyond parental
consent) and how they might apply to EdTech:
- Minimization. Companies cannot require
collection of information that is not “reasonably needed”
to allow participation in the relevant activity. The FTC gives the
example that if a company does not need a student’s email
address to operate the program, then the company would violate the
rule by collecting email addresses. - Use Prohibitions. In an extension of the
minimization requirement, the statement explains that companies can
use children’s data only for the educational purposes that
justified its collection and not for other purposes, including
marketing. - Retention. Again, in an extension of
minimization, the statement explained that companies can only
retain data for a period that is reasonably necessary. The
statement elaborated slightly, explaining that it would be
“unreasonable” to retain children’s data “for
speculative future potential uses.” - Security. Companies must use procedures to
maintain “confidentiality, security, and integrity” in
children’s information.
What Does This Mean? EdTech
companies—including any company or entity that handles
children’s data—should take notice. Not necessarily of
the policy statement’s content, which does not break any new
ground. But this policy statement is a clear sign that the FTC
intends to focus enforcement resources on COPPA and privacy
protections for children. So companies in this industry should
carefully review their data practices because the consequences can
be severe, including civil penalties of $46,517 per violation and
injunctive relief that includes deletion of any improperly obtained
data and related work product, and even the algorithm utilized to
obtain such data.
Visit us at
mayerbrown.com
Mayer Brown is a global legal services provider
comprising legal practices that are separate entities (the
“Mayer Brown Practices”). The Mayer Brown Practices are:
Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited
liability partnerships established in Illinois USA; Mayer Brown
International LLP, a limited liability partnership incorporated in
England and Wales (authorized and regulated by the Solicitors
Regulation Authority and registered in England and Wales number OC
303359); Mayer Brown, a SELAS established in France; Mayer Brown
JSM, a Hong Kong partnership and its associated entities in Asia;
and Tauil & Chequer Advogados, a Brazilian law partnership with
which Mayer Brown is associated. “Mayer Brown” and the
Mayer Brown logo are the trademarks of the Mayer Brown Practices in
their respective jurisdictions.
© Copyright 2020. The Mayer Brown Practices. All rights
reserved.
This
Mayer Brown article provides information and comments on legal
issues and developments of interest. The foregoing is not a
comprehensive treatment of the subject matter covered and is not
intended to provide legal advice. Readers should seek specific
legal advice before taking any action with respect to the matters
discussed herein.
POPULAR ARTICLES ON: Privacy from United States
Leave a Reply