We often get questions about how the Children’s Online Privacy Protection Act applies in the school setting. The COPPA Rule gives parents control over what information “an operator of a Web site or online service” – yes, that includes apps – can collect from their kids under 13. Among other things, COPPA requires entities covered by the law to notify parents and get their approval before they collect, use, or disclose personal information from children. So how does COPPA apply to schools? Here’s the short answer: Schools – which are usually part of the local government – don’t fall within the legal definition of who’s covered by COPPA because they aren’t commercial “operators.” That said, schools sometimes allow, or even require, students to use sites and services that are covered by COPPA and which must provide notice and get verifiable parental consent.
This question isn’t new. When the FTC issued the original COPPA Rule in 1999, it addressed how schools may serve as an intermediary between operators and parents in the notice and consent process or as the parent’s agent, acting on the parent’s behalf. Here’s what we said about the subject back then in the Statement of Basis and Purpose for COPPA:
“Numerous commenters raised concerns about how the Rule would apply to the use of the Internet in schools. Some commenters expressed concern that requiring parental consent for online information collection would interfere with classroom activities, especially if parental consent were not received for only one or two children. In response, the Commission notes that the Rule does not preclude schools from acting as intermediaries between operators and parents in the notice and consent process, or from serving as the parents’ agent in the process. For example, many schools already seek parental consent for in-school Internet access at the beginning of the school year. Thus, where an operator is authorized by a school to collect personal information from children, after providing notice to the school of the operator’s collection, use, and disclosure practices, the operator can presume that the school’s authorization is based on the school’s having obtained the parent’s consent.”
(Need the citation for that? It’s 64 Fed. Reg. 59888, 59903.)
However, the school’s ability to consent on a parent’s behalf is limited to the educational context – in other words, it applies only when an operator collects personal information from students just for an educational purpose, and for no other commercial purpose. Thus, in addition to the central role schools play in creating an engaging learning environment, they also have a part to play in protecting student privacy.
Recently, FTC staff received questions about whether COPPA covers providers of online tests – in particular, tests that two consortia of state educational agencies are developing. The Partnership for Assessment of Readiness for College and Careers (PARCC) is a nonprofit that describes itself as “an alliance of states working together to develop common assessments serving nearly 24 million students.” The Smarter Balanced Assessment Consortium is made up of member states and other government agencies. The idea is that the tests will be given online to school kids across the country. While we encourage all types of entities to respect children’s privacy, the FTC’s enforcement authority doesn’t extend to information collection by state governments or most nonprofits. So these specific consortia, and the development and administration of their tests, are not covered by COPPA. It’s important to keep in mind that schools administer tests for many reasons – to evaluate students’ and schools’ performance, for example – but also, in many cases, schools must comply with legal mandates to test students under federal, state, and local laws.
More broadly, however, the goal of COPPA is to protect children’s privacy with respect to the online collection of personal information by commercial entities. Many parents care deeply about their children’s privacy, and rightly expect their schools to protect it. But COPPA was not intended to displace the traditional relationship between parents and schools when it comes to the collection of information exclusively for educational purposes in the school context and with the school’s permission. That holds true even when that information is collected online.
Of course, under the Family Educational Rights and Privacy Act (FERPA), educational agencies and institutions have specific obligations to protect student privacy, including protecting personal information from children’s education records from further disclosure or uses without the written consent of the parent, unless permitted to do so under FERPA.
In sum, COPPA provides important protections for children’s personal information in the commercial space, and also recognizes the special role that schools may play in providing consent for the online collection of information from kids exclusively for educational services – for example, online testing.