The Matrix

The FTC’s statement notes that the agency particularly will be focusing on:

• Mandatory Collection: COPPA-covered companies, including ed tech providers, should not condition participation in any activity on a child disclosing more information than is reasonably necessary for the child to participate in that activity. For example, if an ed tech provider does not reasonably need to be able to email students, it should not condition the student’s access to schoolwork on students providing their email addresses.
• Use Prohibitions: COPPA-covered companies, including ed tech providers, are limited in how they can use the personal information they collect from children. For example, operators of ed tech that collect personal information pursuant to school authorization may use such information only to provide the requested online education service. In this context, ed tech companies cannot use such information for any commercial purpose, including marketing or advertising unrelated to the provision of the school-requested online service.
• Retention Prohibitions: COPPA-covered companies, including ed tech providers, should not retain personal information collected from a child longer than reasonably necessary to fulfill the purpose for which it was collected. It may be unreasonable, for example, for an ed tech provider to retain children’s data for speculative future potential uses.
• Security Requirements: COPPA-covered companies, including ed tech providers, must have procedures to maintain the confidentiality, security, and integrity of children’s personal information. For example, even absent a breach, COPPA-covered ed tech providers could violate COPPA if they lack reasonable security.