Privacy Tips for Ed Tech Companies and Schools Conducting Remote Learning
As schools increasingly are adjusting to remote learning and utilizing education technology (“ed tech”) services, both schools and their ed tech service providers need to consider the appropriate collection and usage of student personal information. Here are some tips for protecting students’ privacy and safeguarding personal data:
When does COPPA apply to ed tech services used for remote learning? COPPA generally requires companies that collect personal information online from children under age 13 to provide notice of their data collection and use practices and obtain verifiable parental consent. In the educational context, however, the Federal Trade Commission (“FTC”), which enforces COPPA, has indicated that schools can consent on behalf of parents to the collection of student personal information if such information is used for a school-authorized educational purpose and for no other commercial purpose. This is true whether the learning takes place in the classroom or at home at the direction of the school.
For the ed tech service to obtain valid consent from the school instead of from the parent, the service must provide the school with the necessary COPPA-required notice of its data collection and use practices. As a best practice, the FTC recommends that ed tech services make the COPPA notice available to parents, and, where feasible, let parents review the personal information collected. In addition, ed tech services should use plain language that students, parents, and educators can easily understand.
What should schools using ed tech services be doing? While COPPA generally does not impose obligations directly on schools, the FTC recommends that they consult with attorneys and information security specialists to review the privacy and security policies of the ed tech services they use for remote learning. The school or school district should give parents a notice of the websites and online services whose collection they have consented to on behalf of the parent. In deciding which online technologies to use with students, a school should be careful to understand how an operator will collect, use, and disclose personal information from its students. Among the questions that a school should ask potential operators are:
- What types of personal information is collected from students?
- How is the personal information used?
- Is the information used or shared for commercial purposes not related to the provision of the online education services requested by the school?
- What administrative, technical, and physical measures are taken to protect the security, confidentiality, and integrity of the personal information that is collected?
- What are the data retention and deletion policies for children’s personal information?
- Do existing privacy policies reflect the current data handling practices? Are the privacy policies clear and accessible to students, parents, and educators?
If you would like to learn more about these issues, please connect with a Honigman attorney in the Data Security and Privacy Litigation group.