Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.
Sign up for our Cybersecurity & Privacy newsletter
You must correct or enter the following before you can sign up:
Thank You!
Law360 (April 9, 2020, 9:46 PM EDT) -- Schools rather than parents can consent under the Children's Online Privacy Protection Act to the collection of young students' personal data for educational reasons, U.S. regulators said Thursday in guidance for education technology firms enabling remote learning during the COVID-19 pandemic.
The federal children's privacy law generally requires private companies to get verifiable parental consent before collecting personal information online from children under 13 years old. But "in the educational context, however, schools can consent on behalf of parents to the collection of students' personal information — but only if such information is used for a school-authorized educational purpose and for no other commercial purpose," Federal Trade Commission attorney Lisa Weintraub Schifferle wrote in a blog post.
COPPA does not apply to schools themselves. But the law does apply to many of the educational technology companies whose services schools across the country are relying on to allow students to learn from home, the attorney in the agency's Division of Consumer and Business Education said.
EdTech companies do not need to rely on a parent of each individual student under 13 to consent to the students' personal information being collected. But such firms do need to provide the schools with COPPA notices of their data collection and use practices, written in "plain language that students, parents, and educators can easily understand," Weintraub Schifferle wrote.
Companies should make those notices available to parents as a best practice and if feasible let parents review the personal data collected, the blog post says.
Schools also need to take a proactive role in reviewing a particular service's privacy and data protection policies, and should be asking companies whether they are illegally using data collected from children under 13 to build user profiles for targeted advertising, according to the post.
EdTech firms should also be able to delete personal information collected from students on request, and to describe the measures they take to protect the security, confidentiality and integrity of the data that they collect, Weintraub Schifferle wrote.
Thursday's guidance comes as federal privacy regulators are increasingly explaining how U.S. privacy laws will be enforced as more and more services are by necessity conducted remotely during the coronavirus response.
Last month, the U.S. Department of Health and Human Services, for example, announced steps aimed at making it easier for health care providers to communicate with patients remotely without facing penalties for running afoul of strict privacy rules under the Health Insurance Portability and Accountability Act.
--Editing by Breda Lund.
For a reprint of this article, please contact reprints@law360.com.
