On May 19, 2022, the Federal Trade Commission (FTC) adopted the “Policy Statement on Education Technology and the Children’s Online Privacy Protection Act” (COPPA), which calls for increased scrutiny for violations of COPPA by education technology companies. The FTC said in its statement:

The [FTC] is committed to ensuring that education technology (“ed tech”) tools and their attendant benefits do not become an excuse to ignore critical privacy protections for children. The [FTC]’s COPPA authority demands enforcement of meaningful substantive limitations on operators’ ability to collect, use, and retain children’s data, and requirements to keep that data secure. The [FTC] intends to fully enforce these requirements—including in school and learning settings where parents may feel they lack alternatives.

COPPA became effective in 2000, and was amended in 2013. However, since that amendment, technology has surpassed expectations and online data collection and monetization of data have skyrocketed. Now, during and post-pandemic, schools are using education tools for all levels and activities, and, in most cases, without any choice. Parents often question the education technology (ed tech) and online learning services, wondering how (and what) personal information is being collected, who it is being shared with, and how it is being used.

The FTC seeks to focus on ed tech providers’ compliance with COPPA related to:

  • Prohibitions against mandatory collection;
  • Use prohibitions;
  • Retention prohibitions;
  • Security requirements.

The FTC’s statement emphasizes that the burden for COPPA compliance is on the business,  not on schools or parents. Importantly, the FTC notes that any agreements between schools and these ed tech companies must appropriately reflect that point.

The FTC said:

Children should not have to needlessly hand over their data and forfeit their privacy in order to do their schoolwork or participate in remote learning, especially given the wide and increasing adoption of ed tech tools. Going forward, the Commission will closely scrutinize the providers of these services and will not hesitate to act where providers fail to meet their legal obligations with respect to children’s privacy. To see the full statement, click here.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.