Data Protection for Students Relying on a Virtual Learning Environment

May 20, 2020 by BBB National Programs

Amidst school closures and other education uncertainties, education technology, or “ed tech” is at the forefront of conversation. We rely on their online tools to facilitate learning in a virtual environment. As a result, schools and ed tech companies have fallen under scrutiny as they navigate data protection and privacy for students. With advanced technology like exam proctoring software that can track a user’s eye movements, it’s no small wonder that the ed tech industry has now attracted the attention of Capitol Hill.  


Concerned about the increased consumption of online media by children homebound during the pandemic, on May 8 a bipartisan group of U.S. Senators penned a letter to the FTC asking that as the FTC undertakes the COPPA Rule Review, they pay special attention to companies involved in ed tech and digital marketing to children. The senators urge the FTC to examine ed tech and digital marketing practices, such as: 


  • What data is collected from children,  

  • How it is being used or shared with third parties (such as in behavioral or targeted advertising),  

  • If and how consent is obtained, and  

  • The security practices in place to safeguard children’s data. 


Their recommendation is to use Section 6(b) of the FTC Act, which allows the FTC to compel entities to submit reports on their business activities.  



We would argue that this is not the only, and at this time also not the best, route to increased self-regulation and transparency in the ed tech and digital marketing industry.  


In April the FTC released guidance on how schools and ed tech companies can work together to ensure they are safeguarding students’ personal information.  


This is the route we recommend.  


The Children’s Online Privacy Protection Act, or COPPA, generally requires that when a company collects personal information online from children under age 13, they must get prior parental consent for that collection and use. While COPPA applies to schools, albeit in a more limited context, both the company and the school should pause and consider if they are taking all necessary steps to comply with COPPA.  


For example, did the school make applicable privacy notices available to parents to ensure that any ed tech services being used by their children are deleting that student’s data once it is no longer needed for the educational purpose? 


If the ed tech company does not use the information in a commercial context and solely collects and uses a child’s information for authorized educational purposes, they are complying and can provide the school with a COPPA-required notice to obtain consent from the school on behalf of the parent. However, if the information is used for a commercial purpose, such as targeted advertising, or if the company does not allow schools to review and delete the students’ personal information, then the school cannot consent on a parent’s behalf. 


The FTC recommends that schools and ed tech companies alike should make every effort to inform parents about which online services are being used to facilitate learning and what the collection and use practices are for each service. Schools should ask their attorneys and information security specialists to vet the privacy policies and security practices of ed tech services and opt for the services that prioritize student privacy. In addition to COPPA, schools can also look to FERPA and the new Department of Education Guidelines on virtual learning for best practices.  


While the FTC is the main enforcing authority for COPPA, the BBB National Programs’ Children’s Advertising Review Unit (CARU), the FTC’s first Safe Harbor Program, remains vigilant in this new landscape of virtual learning. Part of CARU’s mission is to ensure the proper collection and handling of children’s data in online environments through continuous monitoring and the enforcement of COPPA violations. In the spirit of ensuring consistency across the children’s advertising and privacy space, we hope that the FTC will incorporate the senators’ concerns into the COPPA rule review without compromising its overall timeline.  



This letter from U.S. Senators has put ed tech companies on notice and here are the questions they should be prepared to answer: 


  • How are you making your privacy practices known? 

  • What is your data retention policy? 

  • If your company is collecting personally identifiable information about children, are you separating that data from the data collected about adults (or persons 13 and over)? How are those databases secured and who has access? 

  • How are you monitoring what third parties do with the data they touch or collect on your behalf? 


Although the questions seem straightforward, it can be difficult for companies to address each issue quickly. The topics at hand are just as much about complying with privacy best practices as they are with making internal business decisions.  


For example, creating a data retention policy is not as simple as picking a length of time that sounds “safe” to users. The company must make sure they accurately state a retention period that accounts for how long they need to use the data for their service and their actual capability to delete that data once they no longer need it. It can also be difficult to implement proper parental consent measures when collecting personal information from children. However, obtaining parental consent where it is needed can save a company from costly litigation and a potentially damaged reputation in the future. 


Even though it can be costly for companies to adjust their business activities to meet the best practices set out by CARU, the FTC, and these senators, it pays off in the end. More states are considering data privacy bills across the U.S., and not proactively protecting data means losing consumer trust. 





To read our full statement on the letter to the FTC, visit  BBB National Programs’ Children’s Advertising Review Unit Urges FTC to “Follow Up Now” on U.S. Senators’ Call for Inquiry into the State of Children’s Privacy. 
For more information about complying with COPPA, schools and educators can visit Section M. of the COPPA FAQs.  
To read helpful FAQs, visit COPPA Guidance for Ed Tech Companies and Schools during the Coronavirus



Suggested Articles


Are used cars covered under lemon laws?

Do your homework to make sure the used car you plan to buy is not a lemon, and if it is, does the lemon law cover it? The answer may depend on where you purchased the vehicle or where you live.
Read more

Case Study: Getting to Compliance with CARU and COPPA

In a recent case, CARU worked with TickTalk to help them achieve compliance with CARU’s Privacy Guidelines and the Children’s Online Privacy Protection Act (COPPA). CARU sat down with TickTalk once the case had closed to discuss their experience as well as some of the privacy challenges many companies face in the children’s space.
Read more

What to Know About the Georgia Lemon Law

BBB AUTO LINE provides an overview of each state’s lemon laws. In our ongoing blog series, we offer further insights on the laws for select states, and how BBB AUTO LINE can support consumers with lemon law disputes. Florida, California, and Texas have been covered. This post reviews the nuances of the lemon law in the Peachtree State – Georgia.
Read more

The TAPP Roadmap: Helping U.S. Companies Responsibly Collect and Manage Teenager Data

The TeenAge Privacy Program (TAPP) Roadmap was designed to assist any business that wishes to engage proactively with teen consumers, providing an operational framework to map the broad spectrum of potential harms impacting teens onto a concrete set of operational considerations.
Read more