A Wild 48 Hours for Federal Student Privacy

May 25, 2023

This text is an excerpt from a longer blog post from the Student & Child Privacy Center and Public Interest Privacy Center. You can read the full blog post here.

In the past two days, the child and student privacy landscape has been overwhelmed with an influx of news and announcements. The biggest? The FTC’s new settlement with edtech company Edmodo might break school technology use in a few different ways, including shifts on which education entities edtech vendors can contract with and what rights parents have to modify or delete their children’s education data.
 
While that would certainly be enough to hold our attention, we also saw: 
  • The FTC also filed a brief stating that COPPA does not preempt state privacy laws that are consistent with COPPA; 
  • The Surgeon General brought up the need for “children’s privacy” as part of its recommendations in a new Advisory on Social Media and Youth Mental Health;
  • The White House announced that the Department of Education “will promote and enhance the privacy of minor students’ data and address concerns about the monetization of that data by commercial entities, including by planning to commence a rulemaking under the Family Educational Rights and Privacy Act (FERPA);” and
  • The White House and the Department of Education announced multiple new AI efforts, including guidance for education stakeholders on AI and an AI RFI that education stakeholders may want to respond to. 
LET'S DIG IN: 
 
ANNOUNCEMENT 1: FTC settlement with edtech company Edmodo has major implications for schools
On Monday night, the FTC announced a $6 million settlement against edtech provider, Edmodo. In the settlement, the Commission alleges that the company violated the Children’s Online Privacy Protection Rule (COPPA) and “unlawfully used children’s personal information for advertising and outsourced compliance to school districts.” 
 
The settlement has many positive implications for local education agencies (LEAs). It reaffirms that the onus for verifying parental consent for collecting personal data from children should be on edtech providers and not schools. It also pushes companies to have an adequate data retention and deletion policy
 
However, LEAs also have significant reasons for concern: the settlement changes COPPA interpretation about whether students can use edtech without LEAs obtaining parental consent. While such use was previously permitted, it now appears that the FTC is changing course by limiting what types of educational institutions can consent to the use of edtech on parents’ behalf. The settlement also raises new questions, such as whether parents could access or delete their child’s information from, for example, a standardized test company, without the school’s knowledge and/or consent. 
 
Remember: COPPA protects data from children who are under age 13 - so any data that is outside that scope is not impacted by this settlement. FTC settlements have become the primary lens through which companies interpret the law; settlements determine how companies interpret and comply with COPPA. Unfortunately, the Edmodo settlement makes this law very convoluted, and will open up major compliance and administrative problems with using edtech in schools. 
 
However, the settlement is not final until it is signed off on by the court. If the FTC and Edmodo mutually agreed on a change to the current text before it is approved, the biggest problem for LEAs–changing the definition of “School” and “School Representative” to include all LEAs–could potentially be fixed. 
 
The settlement likely changes how COPPA works with educational institutions in two major ways: 

1. Edmodo - and, therefore, likely all other edtech companies - must obtain either Verifiable Parental Consent–in the school context, this would require parents to opt-in to each and every edtech use–or School Authorization (newly defined term) for the collection and use of student data. “School Authorization” is defined as “a School Representative authorizes an Operator to Collect Personal Information from a Child, on the condition that Personal Information is Collected only for an Educational Purpose and follows the School Representative’s receipt of Direct Notice from the Operator.” School Authorization is only allowed when data will be used exclusively for an educational purpose.


This sounds great! Except when you look at the narrow definitions of “School Representative” and “School.” School is defined as “an institutional day or residential school, including a public school, charter school, or private school, that provides elementary or secondary education, as determined by State law.” A “School Representative” is defined as “a School employee.” Bottom line? These definitions exclude all other LEAs–like districts or education service agencies–that often contract with edtech companies. This settlement says companies must either go through VPC or get School Authorization - and, therefore, companies can probably never receive School Authorization from an LEA other than a school. Instead, companies will likely need to contract individually with each and every school their product will be used in or will be required to obtain COPPA-compliant consent from each and every parent. This is a (likely unintentional) change: the current COPPA FAQs specifically reference school districts contracting with companies. When this settlement is finalized by the court, companies are likely to assume that they can only contract with individual schools, unless additional clarifications are made. 

 

2. To complicate matters, there are new requirements for how an edtech provider must obtain “School Authorization.” School Authorization requires a written agreement (which is good for education stakeholders if the definition of “School” was fixed) that says: 

  1. Personal information will only be used for educational purposes (this is great!);
  2. Describes all Personal information that is collected and how it will be used and disclosed (schools should receive that information!);
  3. Provides the School a link to its online notice of information practices and recommends the School make it available on the School’s website (again, a good thing!);

  4. Provides that any Personal Information Collected by Defendant is under the Direct Control of the School with regard to its use and maintenance (which will help schools comply better with FERPA!); and

  5. Requires a School Representative to acknowledge and agree that they have authority to authorize the Collection of Personal Information from Children on behalf of the School, along with their name and title at the School. (wait a second…)

That last requirement means that Schools will likely need to designate who has the “authority to authorize the Collection of Personal Information from Children on behalf of the School.” Schools should think through who can consent to the use of new edtech (and are required to do so under FERPA), but the specific requirements are a significant change to current practices and will undoubtedly create a large administrative burden. For example, requiring the School Representative’s name and title in the written contract–in addition to their affirmation that they have the “authority”–will be a shift for many schools. LEAs that provide significant leeway in deciding which edtech tools to use will also likely find these requirements particularly problematic. 
 
There are numerous other questions raised by the settlement, including the aforementioned question of whether parents can now access and delete their child’s information from school services like assessment providers. Stay tuned for more analysis on this settlement and potential action steps.  
 
It’s important to remember that this is happening while Congress is considering legislation that dramatically expands COPPA–increasing the age of children who are covered to 17, and covering some information about children, not just information collected from kids–and legislation with new child privacy protections (most prominently the Kids Online Safety Act).