Data Protection for Students Relying on a Virtual Learning Environment

May 20, 2020, 16:32 PM by BBB National Programs

Amidst school closures and other education uncertainties, education technology, or “ed tech” is at the forefront of conversation. We rely on their online tools to facilitate learning in a virtual environment. As a result, schools and ed tech companies have fallen under scrutiny as they navigate data protection and privacy for students. With advanced technology like exam proctoring software that can track a user’s eye movements, it’s no small wonder that the ed tech industry has now attracted the attention of Capitol Hill.  


Concerned about the increased consumption of online media by children homebound during the pandemic, on May 8 a bipartisan group of U.S. Senators penned a letter to the FTC asking that as the FTC undertakes the COPPA Rule Review, they pay special attention to companies involved in ed tech and digital marketing to children. The senators urge the FTC to examine ed tech and digital marketing practices, such as: 


  • What data is collected from children,  

  • How it is being used or shared with third parties (such as in behavioral or targeted advertising),  

  • If and how consent is obtained, and  

  • The security practices in place to safeguard children’s data. 


Their recommendation is to use Section 6(b) of the FTC Act, which allows the FTC to compel entities to submit reports on their business activities.  



We would argue that this is not the only, and at this time also not the best, route to increased self-regulation and transparency in the ed tech and digital marketing industry.  


In April the FTC released guidance on how schools and ed tech companies can work together to ensure they are safeguarding students’ personal information.  


This is the route we recommend.  


The Children’s Online Privacy Protection Act, or COPPA, generally requires that when a company collects personal information online from children under age 13, they must get prior parental consent for that collection and use. While COPPA applies to schools, albeit in a more limited context, both the company and the school should pause and consider if they are taking all necessary steps to comply with COPPA.  


For example, did the school make applicable privacy notices available to parents to ensure that any ed tech services being used by their children are deleting that student’s data once it is no longer needed for the educational purpose? 


If the ed tech company does not use the information in a commercial context and solely collects and uses a child’s information for authorized educational purposes, they are complying and can provide the school with a COPPA-required notice to obtain consent from the school on behalf of the parent. However, if the information is used for a commercial purpose, such as targeted advertising, or if the company does not allow schools to review and delete the students’ personal information, then the school cannot consent on a parent’s behalf. 


The FTC recommends that schools and ed tech companies alike should make every effort to inform parents about which online services are being used to facilitate learning and what the collection and use practices are for each service. Schools should ask their attorneys and information security specialists to vet the privacy policies and security practices of ed tech services and opt for the services that prioritize student privacy. In addition to COPPA, schools can also look to FERPA and the new Department of Education Guidelines on virtual learning for best practices.  


While the FTC is the main enforcing authority for COPPA, the BBB National Programs’ Children’s Advertising Review Unit (CARU), the FTC’s first Safe Harbor Program, remains vigilant in this new landscape of virtual learning. Part of CARU’s mission is to ensure the proper collection and handling of children’s data in online environments through continuous monitoring and the enforcement of COPPA violations. In the spirit of ensuring consistency across the children’s advertising and privacy space, we hope that the FTC will incorporate the senators’ concerns into the COPPA rule review without compromising its overall timeline.  



This letter from U.S. Senators has put ed tech companies on notice and here are the questions they should be prepared to answer: 


  • How are you making your privacy practices known? 

  • What is your data retention policy? 

  • If your company is collecting personally identifiable information about children, are you separating that data from the data collected about adults (or persons 13 and over)? How are those databases secured and who has access? 

  • How are you monitoring what third parties do with the data they touch or collect on your behalf? 


Although the questions seem straightforward, it can be difficult for companies to address each issue quickly. The topics at hand are just as much about complying with privacy best practices as they are with making internal business decisions.  


For example, creating a data retention policy is not as simple as picking a length of time that sounds “safe” to users. The company must make sure they accurately state a retention period that accounts for how long they need to use the data for their service and their actual capability to delete that data once they no longer need it. It can also be difficult to implement proper parental consent measures when collecting personal information from children. However, obtaining parental consent where it is needed can save a company from costly litigation and a potentially damaged reputation in the future. 


Even though it can be costly for companies to adjust their business activities to meet the best practices set out by CARU, the FTC, and these senators, it pays off in the end. More states are considering data privacy bills across the U.S., and not proactively protecting data means losing consumer trust. 





Other Blog Articles


Harmful Stereotyping in Advertising Must Not Be a “Forever Problem”

Though the annual celebration of Black History Month is drawing to a close, the plethora of issues raised by the study of Black history must always remain top of mind. For those of us who work in truth in advertising at BBB National Programs’ National Advertising Division (NAD), we are paying very close attention to the issues of diversity and stereotyping, as presented in various forms of advertising. Developing a mechanism to addressing representation in advertisements would not be simple, but the time is now to start the conversation. Harmful stereotypes in advertising must not be a forever problem.
Read more

5 Tips for Truthful and Transparent Influencer Marketing and Product Reviews

BBB National Programs’ National Advertising Division is dedicated to truth-in-advertising. To help you ensure that influencer marketing and the use of product reviews in your advertising is both transparent and truthful, we offer the following five tips.
Read more

In 2021, Consumer And Stakeholder Privacy Is About Defining Trust

As business and nonprofit leaders navigate the Fourth Industrial Revolution, consumer and stakeholder privacy has become a matter of defining trust. As new digital services and connected devices fueled by personal data flourish, consumers’ reasonable expectation of privacy shifts. If expectations do not match reality, it can lead to gaps in trust and new paths for litigation and regulatory enforcement. In this piece I outline a few 2021 privacy developments business and nonprofit leaders should note.
Read more

Broadening the Definition of Express and Implicit Representation in Children’s Advertising

One way to gauge exactly how far we have come in implementing diversity and inclusion is by analyzing what we see on our screens, particularly in advertising. The Children’s Advertising Review Unit (CARU) recognizes the special vulnerabilities of children with their limited knowledge, experience, sophistication, and maturity and often places itself in children’s shoes to gain insight when assessing the role advertisement has in shaping their perception.
Read more