Data Protection for Students Relying on a Virtual Learning Environment

May 20, 2020 by BBB National Programs

Amidst school closures and other education uncertainties, education technology, or “ed tech” is at the forefront of conversation. We rely on their online tools to facilitate learning in a virtual environment. As a result, schools and ed tech companies have fallen under scrutiny as they navigate data protection and privacy for students. With advanced technology like exam proctoring software that can track a user’s eye movements, it’s no small wonder that the ed tech industry has now attracted the attention of Capitol Hill.  

Concerned about the increased consumption of online media by children homebound during the pandemic, on May 8 a bipartisan group of U.S. Senators penned a letter to the FTC asking that as the FTC undertakes the COPPA Rule Review, they pay special attention to companies involved in ed tech and digital marketing to children. The senators urge the FTC to examine ed tech and digital marketing practices, such as: 

  • What data is collected from children, 

  • How it is being used or shared with third parties (such as in behavioral or targeted advertising),  

  • If and how consent is obtained, and  

  • The security practices in place to safeguard children’s data. 

 

Their recommendation is to use Section 6(b) of the FTC Act, which allows the FTC to compel entities to submit reports on their business activities.  

 

We would argue that this is not the only, and at this time also not the best, route to increased self-regulation and transparency in the ed tech and digital marketing industry.  

 

In April the FTC released guidance on how schools and ed tech companies can work together to ensure they are safeguarding students’ personal information.  

This is the route we recommend.  

The Children’s Online Privacy Protection Act, or COPPA, generally requires that when a company collects personal information online from children under age 13, they must get prior parental consent for that collection and use. While COPPA applies to schools, albeit in a more limited context, both the company and the school should pause and consider if they are taking all necessary steps to comply with COPPA.  

For example, did the school make applicable privacy notices available to parents to ensure that any ed tech services being used by their children are deleting that student’s data once it is no longer needed for the educational purpose? 

If the ed tech company does not use the information in a commercial context and solely collects and uses a child’s information for authorized educational purposes, they are complying and can provide the school with a COPPA-required notice to obtain consent from the school on behalf of the parent. However, if the information is used for a commercial purpose, such as targeted advertising, or if the company does not allow schools to review and delete the students’ personal information, then the school cannot consent on a parent’s behalf. 

The FTC recommends that schools and ed tech companies alike should make every effort to inform parents about which online services are being used to facilitate learning and what the collection and use practices are for each service. Schools should ask their attorneys and information security specialists to vet the privacy policies and security practices of ed tech services and opt for the services that prioritize student privacy. In addition to COPPA, schools can also look to FERPA and the new Department of Education Guidelines on virtual learning for best practices.  

While the FTC is the main enforcing authority for COPPA, the BBB National Programs’ Children’s Advertising Review Unit (CARU), the FTC’s first Safe Harbor Program, remains vigilant in this new landscape of virtual learning. Part of CARU’s mission is to ensure the proper collection and handling of children’s data in online environments through continuous monitoring and the enforcement of COPPA violations. In the spirit of ensuring consistency across the children’s advertising and privacy space, we hope that the FTC will incorporate the senators’ concerns into the COPPA rule review without compromising its overall timeline.  

This letter from U.S. Senators has put ed tech companies on notice and here are the questions they should be prepared to answer: 

 

  • How are you making your privacy practices known? 

  • What is your data retention policy? 

  • If your company is collecting personally identifiable information about children, are you separating that data from the data collected about adults (or persons 13 and over)? How are those databases secured and who has access? 

  • How are you monitoring what third parties do with the data they touch or collect on your behalf? 

 

Although the questions seem straightforward, it can be difficult for companies to address each issue quickly. The topics at hand are just as much about complying with privacy best practices as they are with making internal business decisions.  

For example, creating a data retention policy is not as simple as picking a length of time that sounds “safe” to users. The company must make sure they accurately state a retention period that accounts for how long they need to use the data for their service and their actual capability to delete that data once they no longer need it. It can also be difficult to implement proper parental consent measures when collecting personal information from children. However, obtaining parental consent where it is needed can save a company from costly litigation and a potentially damaged reputation in the future. 

Even though it can be costly for companies to adjust their business activities to meet the best practices set out by CARU, the FTC, and these senators, it pays off in the end. More states are considering data privacy bills across the U.S., and not proactively protecting data means losing consumer trust. 

Suggested Articles

Blog

American Privacy Rights Act: A Primer for Business

Was it the recent series of natural phenomena that prompted Congress to move on a bipartisan, bicameral federal privacy bill? We can’t say with certainty, but we can outline for you what we believe to be, at first glance, the most compelling elements of the American Privacy Rights Act of 2024 (APRA).
Read more
Blog

Take Care of Your “Health-Lite” Claims

Some advertisers believe they can avoid scrutiny when making health-related claims by making their claim “softer.” But context is key. Health benefit claims must comply with the FTC’s Health Products Compliance Guidance. The substantiation bar is not lowered by changing the approach to the health-related claim.
Read more
Blog

Bullish but Cautionary: A Balanced Way to Approach the Impact of AI

Business and nonprofit leaders in the U.S. may not feel so weighty a responsibility in assessing the global impact of AI, but we must realize AI’s power to impact our organizations, our local economies, our sectors, and our nation.
Read more
Blog

New Rules of the Road Can Sustain US Leadership on Interoperable Digital Data Flows

President Biden closed February 2024 with an EO that signaled an important development for how the U.S. plans to position and guard itself from global adversaries, and speaks volumes about how the U.S. views the next-generation impacts of data flows on the digital economy and how our nation can be better equipped as a global leader. Read our takeaways and future considerations.
Read more