Data Protection for Students Relying on a Virtual Learning Environment

May 20, 2020, 16:32 PM by BBB National Programs

Amidst school closures and other education uncertainties, education technology, or “ed tech,” is at the forefront of conversation. We rely on ed tech companies’ online tools to facilitate learning in a virtual environment. As a result, schools and ed tech companies have fallen under scrutiny as they navigate data protection and privacy for students. With advanced technology like exam proctoring software that can track a user’s eye movements, it’s no small wonder that the ed tech industry has now attracted the attention of Capitol Hill.


Concerned about the increased consumption of online media by children homebound during the pandemic, on May 8 a bipartisan group of U.S. Senators penned a letter to the FTC asking that, as the FTC undertakes the COPPA Rule Review, it pay special attention to companies involved in ed tech and digital marketing to children. The senators urge the FTC to examine ed tech and digital marketing practices, such as:


  • What data is collected from children,  

  • How it is being used or shared with third parties (such as in behavioral or targeted advertising),  

  • If and how consent is obtained, and  

  • The security practices in place to safeguard children’s data. 


Their recommendation is to use Section 6(b) of the FTC Act, which allows the FTC to compel entities to submit reports on their business activities.  



We would argue that this is not the only, and at this time also not the best, route to increased self-regulation and transparency in the ed tech and digital marketing industry.  


In April the FTC released guidance on how schools and ed tech companies can work together to ensure they are safeguarding students’ personal information.  


This is the route we recommend.  


The Children’s Online Privacy Protection Act, or COPPA, generally requires that when a company collects personal information online from children under age 13, they must get prior parental consent for that collection and use. While COPPA applies to schools, albeit in a more limited context, both the company and the school should pause and consider if they are taking all necessary steps to comply with COPPA.  


For example, did the school make applicable privacy notices available to parents to ensure that any ed tech services being used by their children are deleting that student’s data once it is no longer needed for the educational purpose? 


If the ed tech company does not use the information in a commercial context and solely collects and uses a child’s information for authorized educational purposes, they are complying and can provide the school with a COPPA-required notice to obtain consent from the school on behalf of the parent. However, if the information is used for a commercial purpose, such as targeted advertising, or if the company does not allow schools to review and delete the students’ personal information, then the school cannot consent on a parent’s behalf. 


The FTC recommends that schools and ed tech companies alike should make every effort to inform parents about which online services are being used to facilitate learning and what the collection and use practices are for each service. Schools should ask their attorneys and information security specialists to vet the privacy policies and security practices of ed tech services and opt for the services that prioritize student privacy. In addition to COPPA, schools can also look to FERPA and the new Department of Education Guidelines on virtual learning for best practices.  


While the FTC is the main enforcing authority for COPPA, the BBB National Programs’ Children’s Advertising Review Unit (CARU), the FTC’s first Safe Harbor Program, remains vigilant in this new landscape of virtual learning. Part of CARU’s mission is to ensure the proper collection and handling of children’s data in online environments through continuous monitoring and the enforcement of COPPA violations. In the spirit of ensuring consistency across the children’s advertising and privacy space, we hope that the FTC will incorporate the senators’ concerns into the COPPA rule review without compromising its overall timeline.  



This letter from U.S. Senators has put ed tech companies on notice and here are the questions they should be prepared to answer: 


  • How are you making your privacy practices known? 

  • What is your data retention policy? 

  • If your company is collecting personally identifiable information about children, are you separating that data from the data collected about adults (or persons 13 and over)? How are those databases secured and who has access? 

  • How are you monitoring what third parties do with the data they touch or collect on your behalf? 


Although the questions seem straightforward, it can be difficult for companies to address each issue quickly. The topics at hand are just as much about complying with privacy best practices as they are about making internal business decisions.


For example, creating a data retention policy is not as simple as picking a length of time that sounds “safe” to users. The company must make sure they accurately state a retention period that accounts for how long they need to use the data for their service and their actual capability to delete that data once they no longer need it. It can also be difficult to implement proper parental consent measures when collecting personal information from children. However, obtaining parental consent where it is needed can save a company from costly litigation and a potentially damaged reputation in the future. 


Even though it can be costly for companies to adjust their business activities to meet the best practices set out by CARU, the FTC, and these senators, it pays off in the end. More states are considering data privacy bills across the U.S., and not proactively protecting data means losing consumer trust. 




