Guest Blog Post: New COPPA Update: A Setback for Schools and Student Privacy?

Yesterday, the Federal Trade Commission (FTC) published a much-anticipated update to the Children’s Online Privacy Protection Rule (COPPA Rule)–and it is not what the education community was hoping for.

As you may recall, the FTC released a notice of proposed rulemaking (NPRM) to update the COPPA Rule in December 2023, which included rules clarifying when schools can consent to technology use instead of parents and imposing strong contractual requirements on edtech vendors. However, the final rule was very different: the FTC cut the sections clarifying how and when schools can consent for children to use edtech services in the classroom.  

We are incredibly disappointed in the FTC’s failure to codify their longstanding guidance that allowed schools to consent to edtech use for children under 13. As AASA, the School Superintendents Association cautioned in their comment to the COPPA NPRM, the push by some stakeholders to prohibit school consent and require parental opt-in or opt-out of edtech use would burden schools and may lead teachers to forgo using edtech with their students. Additionally, moving away from school consent would place a larger burden on parents to evaluate the complicated risks associated with collecting student data. The FTC, despite acknowledging these concerns, ultimately chose not to codify the school authorization exception in the new COPPA Rule. This leaves schools and parents with continued uncertainty and potentially exposes children to greater privacy risks.

The FTC’s stated reasoning for not codifying the school authorization exception – “To avoid making amendments to the COPPA Rule that may conflict with potential amendments to DOE’s FERPA regulations” – is a flimsy excuse. The mere possibility of future FERPA rulemaking should not prevent the FTC from fulfilling its immediate obligation to protect children online. It's unacceptable to leave this critical protection in limbo while waiting for the Department of Education to act, especially when schools have consistently requested clear guidelines on this issue. This inaction undermines the FTC's duty to safeguard children's privacy, particularly in educational settings where technology use is increasingly prevalent.

The FTC, not USED, regulates companies like edtech vendors. The FTC’s decision not to codify the school authorization language or include the more substantial protections required by the Edmodo settlement undermines schools' ability to hold vendors to clearly stated standards that would have increased privacy for all students. 

While we remain frustrated with the FTC’s decision not to codify critical provisions ensuring that K-12 schools retain the ability to consent to technology uses, we take heart that existing guidance–the COPPA FAQs and the Statement of Basis and Purpose to the 1999 COPPA Rule–remain intact. We would much prefer schools’ authority to consent to technology uses be codified in statute (such as what was proposed in Senator Markey’s COPPA 2.0) or FTC regulation, but at least these guidance documents clearly establish schools’ authority to consent to data collection and use on behalf of parents in educational contexts when the technology services are solely for the use and benefit of the school and for no other commercial purpose. 

We also appreciate that the new COPPA rule includes new valuable protections for kids, including increased transparency provisions around data use, sharing, and retention. The rule also strengthened the security measures operators must implement to protect children’s information, including by requiring risk assessments and information security programs. 

We wish we were writing to tell you that the FTC has made it easier for schools to use privacy-protective technology. The FTC's decision to forgo codifying school consent in the COPPA Rule is a disheartening setback for student data protection. It's perplexing that such a weak justification was used to dismiss a long-standing practice with widespread support. This missed opportunity underscores the urgent need for clear guidance and robust protections for student privacy in the digital age to ensure that technology can continue to enhance learning without jeopardizing children's well-being.