With schools across the nation closing their physical locations and moving to an online learning environment, it is important for school officials to understand their obligations under the Children’s Online Privacy Protection Act (COPPA). COPPA regulates the collection of personal information from children, who are defined as individuals under the age of 13. Generally speaking, the law prohibits operators of commercial websites or online services from collecting personal information from children without first obtaining verifiable parental consent. A more detailed description of the law’s requirement is located here.
When it comes to online learning, there are a few things to keep in mind. First, COPPA applies to operators of commercial websites and online services. It does not apply to non-profit organizations or educational institutions directly. It, however, does apply to third-party technology companies through which many schools deliver on-line learning. Importantly, when an operator provides a website or online service solely for the educational purpose of the school, and not for a commercial purpose, the school can provide the verifiable consent that is normally required from parents. In this scenario, the school essentially stands in the shoes of parents for purposes of consent.
That being said, the school can provide this consent only if certain conditions are met. The school must retain all rights that normally would be held by parents under the law. For example, the operator must provide the school with any notices required under COPPA. It must provide the school with the ability to review, delete, or limit the use of any personal information collected. Finally, the school can only consent to the extent that the operator provides the website or online service in the educational context. If the operator collects personal information from children in the educational context, but then uses that personal information for its own commercial gain, the school cannot provide the necessary consent.
In light of this arrangement, there are some best practices that schools can follow to ensure compliance with the law:
- Consider using online learning tools that do not collect personal information from children, for example, tools that do not require registration or log in credentials.
- If practical, give parents the option of registering their children directly for online learning tools that require registration or account creation. COPPA does not regulate personal information about children, it regulates the collection of personal information from children. Allowing parents to provide this information about their children directly to the third-party operator, takes the school out of the transaction.
- Reserve the authority to approve online learning tools at the school or school district level. While individual teachers may have varying preferences for the technologies they use, centralizing decision making will simplify administration and help to ensure that parents are properly informed. Also, centralized decision making will foster accountability and give administrators the opportunity to scrutinize the privacy practices of website operators before approving use of their technologies.
- Check state laws. While COPPA generally involves students at the primary education level, some states have enacted laws that extend COPPA-like protections to teenagers as well.
- Check your agreements. Now is a great time to take a second look at any agreements schools or school districts have with online learning providers to ensure that the schools retain the necessary rights under COPPA so that the school can provide consent.
Schools are likely very familiar with the requirements of the Family Educational Rights and Privacy Act (FERPA), which is the primary law regarding the privacy of educational records. As schools increasingly look to utilize technology and online resources to find creative ways to educate students remotely, compliance with COPPA rules must be at the forefront of the minds of school administrators as well.