With physical schools closed indefinitely, classrooms have moved online, either introducing or significantly expanding children’s use of virtual education technology and highlighting certain privacy concerns. Responding to this evolving environment, on April 9 the Federal Trade Commission (FTC) issued COPPA Guidance for Ed Tech Companies and Schools during the Coronavirus to address some common compliance issues relevant to entities that process children’s personal information.
The FTC’s guidance covers a number of key issues, including the applicability of Children’s Online Privacy Protection Act (COPPA) requirements to ed tech vendors and that schools can consent on behalf of parents to the collection of student personal information. It also reiterates that ed tech vendors should have plain-language privacy notices that students, parents and educators can understand, and it sets forth a checklist of considerations for schools looking to engage ed tech vendors.
Online service operators in this space should assess the potential risks associated with collecting more children’s data and evaluate their current compliance posture. In addition to reviewing the FTC’s guidance, organizations should consider the implications of the following issues with respect to their data practices:
- New and different types of data collection. The use of interactive software and online classrooms can significantly increase the types and volume of data obtained about students. For example, a program may tally the number of questions a student asks through the application or make micro observations about the student’s engagement, data points that are collected only informally in a live-learning setting. To the extent such information is added to a student’s record, it may be subject to state and federal student privacy laws.
- Uptick in children’s privacy enforcement actions. Even before the disruption caused by COVID-19, the FTC signaled that COPPA enforcement would be one of its priorities in 2020. The Commission demonstrated this in 2019, bringing several enforcement actions under COPPA. Among other noteworthy developments, the FTC employed a broader interpretation of COPPA’s scope to investigate “general audience” online services that do not specifically target children under 13. The FTC highlighted that age gates on general audience online services may be problematic if the mechanism is insufficient to prevent a child’s attempt to circumvent it.
- Cross-border data collection. The current health crisis is affecting households with children worldwide, increasing the chances that a child in another jurisdiction will stumble upon a particular website or online service. Operators of online services that are accessible globally should consider whether an increase in traffic to their online service may implicate additional privacy laws; it may be useful to reassess the reach of online platforms by reviewing data analytics on the ages and locations of users.
- The EU’s General Data Protection Regulation (GDPR) applies to organizations that are established in the EU, offer goods or services in the EU, or track the behavior of data subjects located in the EU. This may include websites that are deemed directed to data subjects in the EU. Under the GDPR, children’s personal data is subject to heightened protection requirements; verifiable parental consent is required for the processing of personal data of children under 16, and the age of consent may vary by Member State.
- Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados, or LGPD), which also has broad jurisdictional reach and will be enforceable beginning Jan. 1, 2021, includes provisions specific to children’s privacy, including requirements to limit the collection of children’s personal information to only that which is necessary to provide the service to children.
- Video games, social games and streaming services. Online services that bring children together are seeing heavy use. These include multiplayer video games, games with social features, virtual life games and streaming services that allow distance board game play. Operators should consider whether the seemingly aggregate or anonymous data collected through games, over-the-top (OTT) applications, smart TVs or other social/streaming services may create more risk than usual when the audience is known to include significant numbers of children. This is particularly relevant if the operator exchanges data obtained through the service for any kind of consideration, as certain state data broker laws and laws restricting sales of personal information may apply.