Recent Posts

Popular Topics



Legal developments in data, privacy, cybersecurity, and other emerging technology issues

FTC Scrutinizes Children’s Privacy Issues Involving Education Technology

The FTC issued a policy statement yesterday notifying education technology companies that the agency is committed to ensuring that ed tech tools comply with the Children’s Online Privacy Protection Act (“COPPA”).  COPPA requires that websites or services covered under COPPA obtain a parent’s – or in some cases, a school’s – consent before collecting personal information from children under 13.  COPPA also limits how long companies may keep children’s personal information and requires that companies properly safeguard information.  The policy statement signals that the FTC will be scrutinizing COPPA compliance by providers of ed tech and other covered online services. 

The FTC’s statement notes that the agency particularly will be focusing on:

  • Mandatory Collection: COPPA-covered companies, including ed tech providers, should not condition participation in any activity on a child disclosing more information than is reasonably necessary for the child to participate in that activity. For example, if an ed tech provider does not reasonably need to be able to email students, it should not condition the student’s access to schoolwork on students providing their email addresses.
  • Use Prohibitions: COPPA-covered companies, including ed tech providers, are limited in how they can use the personal information they collect from children. For example, operators of ed tech that collect personal information pursuant to school authorization may use such information only to provide the requested online education service. In this context, ed tech companies cannot use such information for any commercial purpose, including marketing or advertising unrelated to the provision of the school-requested online service.
  • Retention Prohibitions: COPPA-covered companies, including ed tech providers, should not retain personal information collected from a child longer than reasonably necessary to fulfill the purpose for which it was collected. It may be unreasonable, for example, for an ed tech provider to retain children’s data for speculative future potential uses.
  • Security Requirements: COPPA-covered companies, including ed tech providers, must have procedures to maintain the confidentiality, security, and integrity of children’s personal information. For example, even absent a breach, COPPA-covered ed tech providers could violate COPPA if they lack reasonable security.
Topics: COPPA, Education
  • Steven M. Wernikoff

    Steve Wernikoff is a litigation and transactional partner who co-leads two of the firm's technology-based practice areas–the Data, Privacy, and Cybersecurity group and the Autonomous Vehicle group. As a previous officer and ...

Jump to Page

By using this site, you agree to our Privacy Policy and our Disclaimer.