- Cybersecurity Disclosures Required by the SEC’s Recently Proposed Rules
- The Future is Now: Data Subject Requests in 2023
- FTC Scrutinizes Children’s Privacy Issues Involving Education Technology
- Utah Becomes the Fourth State to Enact a Comprehensive Privacy Law
- Courts Requiring General and Professional Liabilities Policies to Respond to Cyberattacks
- The US and EU Announce a New Trans-Atlantic Data Privacy Framework
- BIPA Claims Following the McDonald Decision
- NY Attorney General Offers Guidance on Dealing with Credential Stuffing
- “Silent Cyber” Continues to Make Noise in State Appellate Courts
- The FBI Warns M&A Participants on the Increasing Ransomware Threat
Legal developments in data, privacy, cybersecurity, and other emerging technology issues
The FTC issued a policy statement yesterday notifying education technology companies that the agency is committed to ensuring that ed tech tools comply with the Children’s Online Privacy Protection Act (“COPPA”). COPPA requires that websites or services covered under COPPA obtain a parent’s – or in some cases, a school’s – consent before collecting personal information from children under 13. COPPA also limits how long companies may keep children’s personal information and requires that companies properly safeguard information. The policy statement signals that the FTC will be scrutinizing COPPA compliance by providers of ed tech and other covered online services.
The FTC’s statement notes that the agency particularly will be focusing on:
- Mandatory Collection: COPPA-covered companies, including ed tech providers, should not condition participation in any activity on a child disclosing more information than is reasonably necessary for the child to participate in that activity. For example, if an ed tech provider does not reasonably need to be able to email students, it should not condition the student’s access to schoolwork on students providing their email addresses.
- Use Prohibitions: COPPA-covered companies, including ed tech providers, are limited in how they can use the personal information they collect from children. For example, operators of ed tech that collect personal information pursuant to school authorization may use such information only to provide the requested online education service. In this context, ed tech companies cannot use such information for any commercial purpose, including marketing or advertising unrelated to the provision of the school-requested online service.
- Retention Prohibitions: COPPA-covered companies, including ed tech providers, should not retain personal information collected from a child longer than reasonably necessary to fulfill the purpose for which it was collected. It may be unreasonable, for example, for an ed tech provider to retain children’s data for speculative future potential uses.
- Security Requirements: COPPA-covered companies, including ed tech providers, must have procedures to maintain the confidentiality, security, and integrity of children’s personal information. For example, even absent a breach, COPPA-covered ed tech providers could violate COPPA if they lack reasonable security.