Articles

Client Alert: Guidance Issued for Ed Tech Companies and Schools during the COVID-19 Crisis

FTC Guidance on COPPA

The Children’s Online Privacy Protection Act (“COPPA”) generally requires that operators of commercial websites and online services take certain steps to protect online privacy and safety of children under the age of 13.  Those steps include COPPA’s requirement that companies covered by COPPA provide notice of their data collection and use practices and obtain verifiable parental consent before collecting certain data and that they maintain reasonable data security safeguards. 

Guidance recently issued by the Federal Trade Commission (“FTC”) reminds that, in the educational context, schools can consent on behalf of parents to the collection of students' personal information, but only if the information is used for a school-authorized educational purpose and for no other commercial purpose.  This is true whether the learning takes place in the classroom or remotely at home at the direction of the school.  For companies who provide online services to schools (“Ed Tech companies”) to obtain valid consent from a school instead of from a parent, the company must provide the school with notice of its data collection and use practices.  The FTC recommends that, as a best practice, Ed Tech companies should also make the COPPA notice available to parents and, where feasible, let parents review the personal information collected.  In addition, Ed Tech companies should use plain language that students, parents, and educators can easily understand.

The FTC also recommends that, even for students who are 13 or older and, therefore, not covered by COPPA, Ed Tech companies should not use less care or engage in different practices simply because a student is engaged in remote learning rather than using an ed tech service in the classroom.

Although COPPA applies only to operators of commercial websites and online services directed to children under 13, or which know they are dealing with children under 13, and not specifically to schools, the FTC nonetheless recommends that schools consult with their attorneys and information security specialists to review the privacy and security policies of the Ed Tech companies with whom they work and that schools or school districts should decide whether a particular site’s or service’s privacy and information practices are appropriate, rather than delegating that decision to the teacher.  Also, the school or school district should provide parents with a notice specifying the websites and online services whose collection they have consented to on behalf of the parent.  In deciding which online technologies to use with students, a school should be careful to understand how an operator will collect, use, and disclose personal information from its students.

DOE Guidance on FERPA

The Federal Education Rights and Privacy Act (“FERPA”) applies to all educational agencies and institutions that receive funds under any program administered by the U.S. Secretary of Education.  The term “educational agencies and institutions” under FERPA generally includes school districts and public schools at the elementary and secondary levels, as well as private and public institutions of postsecondary education.   FERPA gives parents certain rights with respect to their children’s education records at educational agencies and institutions to which FERPA applies. These rights transfer to the student when he or she reaches the age of 18 or attends an institution of postsecondary education at any age.  Under FERPA, a parent or eligible student must provide a signed and dated written consent before an educational agency or institution discloses personally identifiable information (“PII”), such as student health records and information, from education records unless an exception to this general consent requirement applies.

The U.S. Department of Education’s (“DOE”) Student Privacy Policy Office recently issued a set of FAQs to assist school officials in managing public health issues related to COVID-19.  The document explains the applicability of FERPA’s “health or safety emergency” exception to the general requirement that consent be obtained before an educational institution may disclose information about a student’s health to a public health agency and officials, medical personnel, and other students and parents.

Two other FERPA exceptions that often apply to vendors may also be applicable in the current circumstances: (i) the directory information exception; and (ii) the school official exception.
               
Under certain circumstances, a school may provide an Ed Tech company with directory information without the parent or eligible student’s consent.  “Directory information” is information contained in a student’s education records that would not generally be considered harmful or an invasion of privacy if disclosed. This information may include a student’s name, address, email address, and telephone number.  Information such as a student’s social security number or ID number is not directory information.  In order to fall under this exception, the educational institution must provide a notice with the specific list of information that the educational institution considers to be directory information along with an opt-out right allowing the parent or eligible student to prevent the educational institution from sharing the directory information.
               
The school official exception gives educational institutions the ability to disclose PII without consent as long as: (i) the Ed Tech company is performing a service that the school would otherwise use its own employees to perform, (ii) the school has determined that the Ed Tech company has a legitimate interest in the education records; (iii) the Ed Tech company is under the control of the educational institution; and (iv) the education records are only used for authorized purposes and not re-disclosed to other parties.

If you have any questions regarding privacy or cybersecurity, we are here to help.