Google’s Workspace for Education will require school administrators to independently approve all integrated third-party applications their students use. Users under 18 cannot use their Google accounts to access third-party applications without consent first being configured in user settings. Organizations were required to either approve each application or lose access to it entirely, which terminations occurred automatically on October 1, 2023.

Google Workspace for Education’s Terms of Service does not cover third-party applications that may collect user information according to their privacy policies. Enabling third-party applications is as easy as having the account admin click “Confirm.” However, the legal requirements may not be as simple; childcare organizations and schools are responsible for independently reviewing and approving each third-party application. Schools with students K-12 and any extracurricular, daycare, and other childcare organizations may need parental consent before allowing their children to access these services. Organizations that use third-party applications in connection with children’s data will need to audit the third-party applications that their users might access. Often, organizations add these applications on an as-needed basis without going through a regular review process.

While handy in the moment, this ad-hoc approach may allow apps with substandard privacy practices to creep in and allow access to minor personal information that runs afoul of legal requirements.

Regulatory Risk

Privacy laws, including the Children’s Online Privacy Protection Act (COPPA), California’s Online Privacy Protection Act (CalOPPA), and the Family Educational Rights and Privacy Act (FERPA) restrict how organizations collect, process, and sell children’s data without parental consent. Additionally, third-party applications have historically been risky in terms of privacy practices. For instance, the Federal Trade Commission (FTC) famously fined a coloring book application for mining children’s data in violation of COPPA, and the Mozilla Foundation routinely calls out applications with substandard privacy practices in their “Privacy Not Included” series.

What Organizations Should Audit

Organizations that use Google Workspace for Education will need to review the privacy policy of each third-party application connected to the service.

Services that Prohibit Collection of Minors’ Data

Many third-party services include a blanket prohibition on minors using their services to avoid triggering COPPA. Other services include a statement that they do not knowingly collect minors’ personal information. These services may process or monetize data in a manner prohibited by COPPA. Organizations that approve these applications for use with children’s data may violate the service’s Terms of Use.

Services that Use Data for Targeted Advertising and Profiling

COPPA and CalOPPA laws restrict how an organization may process minors’ personal information without parental consent. Other state level privacy laws such as the California Consumer Privacy Act and the Connecticut Personal Data Privacy and Online Monitoring Act (which went into effect July 1, 2023) treat minors’ personal information as a protected class of “sensitive personal information” subject to increased regulation and prohibition on processing. Organizations that approve the use of a service that monetizes minors’ personal information may be subject to legal exposure under one or more of these regulatory schemes.

Services with Publicly Reported Privacy Violations

Services with publicly disclosed privacy violations, including those that are under a consent decree with the FTC (and particularly those in violation of a consent decree) present an added risk to organizations if the service goes on to engage in future privacy violations.

Readers might want to consider whether this change could impact your organization (including children and students) and how your organization uses technology for learning. With children’s data – and hefty fines – at stake, institutions may take the time to be proactive rather than reactive. There are different strategies for handling third party applications’ data collection and parental consent. Each organization and institution are different and there is no “one size fits all” model. Next steps will be based on the number of third-party applications utilized by children and students, the practicality of obtaining parental consent for each one, and the ability to monitor usage of certain applications and the type of data input by the users. Now is the time to audit these third-party applications and set some parameters to protect privacy while also engaging children and students with educational tools offered by technology.