FTC Issues Proposed Rule on COPPA
December 20, 2023
This blog post is cross posted from the team at the AASA Student and Child Privacy Center/PIPC.
While we might have thought child and student privacy work for the year was winding down, the FTC had other ideas. This week the FTC released a notice of proposed rulemaking (NPRM) for the Children’s Online Privacy Protection Rule (COPPA Rule) that would mean big changes for companies and schools, codifying some of the changes stakeholders have been advocating for.
We’ll be going through the NPRM in detail over the next few days. So far, we’re happy to see that some of the changes in the NPRM coincide with the issues we discussed in our COPPA resource about the challenges of parental consent and our analysis of the Edmodo settlement. In the meantime, we wanted to share the FTC’s press release on the notice of proposed rulemaking, along with some key points.
- For the first time, the FTC is seeking to formally codify “longstanding Commission guidance by which operators rely on school authorization to collect personal information in limited circumstances rather than on parental consent.”
- The NPRM recognizes the limitations of relying on parental consent in the educational context, stating that “obtaining consent from the parents of every student in a class often will be challenging, in many cases for reasons unrelated to privacy concerns” and that “it may ultimately be more privacy-protective than requiring ed tech providers to obtain consent from parents.”
- The NPRM codifies key points of the Edmodo settlement, including requiring a written agreement in order to take advantage of this COPPA exception (the FTC notes that this can be achieved through the use of a mostly standardized contract) which must include privacy protective safeguards (such as “identify[ing] the name and title of the person providing consent and specify[ing] that the school has authorized the person to provide such consent).
- The NPRM explicitly defines schools to include LEAs and SEAs, in addition to individual schools (which is amazing, as this was an issue we flagged in our initial analysis of the Edmodo settlement).
- The NPRM explicitly states that an operator may not use the information it collected from one educational service to develop or improve a different service (something vendors have assumed they've been able to do under current law).
- The NPRM adds a definition for “school-authorized education purpose” (which notably does not include marketing) and notes that while “personalization would be a permissible part of providing the service, personalization could not include the marketing of services even if those services were educational in nature."
- The NPRM requires “an operator that collects personal information from a child under the school authorization exception to include an additional notice on its website or online service noting that: (1) the operator has obtained authorization from a school to collect a child’s personal information; (2) that the operator will use and disclose the information for a school-authorized education purpose and no other purpose; and (3) that the school may review information collected from a child and request deletion of such information.”
Other points of interest:
- The FTC also declined to change or broaden COPPA’s “actual knowledge” standard to a “constructive knowledge” standard, largely because Congress rejected a constructive knowledge standard when COPPA was originally passed. In our expert opinion, we see this as the FTC telling Congress the ball is in their court if they want this to change the knowledge standard (such as changes proposed in COPPA 2.0).
You can read the FTC’s press release here and the full NPRM text here. Comments on the NPRM are due 60 days after it is posted in the Federal Register, but it hasn’t been formally posted yet, so we do not know when comments on the NPRM will be due. We’ll keep you updated on our analysis as it develops.
Happy holidays and looking forward to seeing the rulemaking process play out in 2024!
Author