December 6, 2022

Volume XII, Number 340


December 05, 2022

Subscribe to Latest Legal News and Analysis

FTC and Department of Education Announce Joint Workshop on FERPA and COPPA Compliance for Ed Tech

Earlier this week, the Federal Trade Commission and Department of Education announced plans to hold a joint workshop on the application of the Children’s Online Privacy Protection Act (“COPPA”) and the Family Educational Rights and Privacy Act (“FERPA”) to educational technology products and services in the K-12 school environment.  In advance of the workshop, the FTC and Department of Education are soliciting comments on several key questions regarding COPPA and FERPA compliance for educational technology providers.  This is a valuable opportunity for Ed Tech providers to provide feedback to both agencies on the practical application of COPPA and FERPA in this arena.

The FTC’s announcement cited the increasing use of “Ed Tech” in the K-12 environment, including school-issued personal computing devices and online curriculum, as the impetus for holding the workshop.  The FTC enforces the COPPA Rule, which governs the online collection, use, and disclosure of personally identifiable information from children under the age of 13.  The Department of Education, on the other hand, has enforcement power over FERPA, which governs the use and disclosure of personally identifiable information in students’ education records.

The stated aim of the workshop is to “gather information to help clarify how the FTC and ED can ensure that student privacy is properly protected without interfering with the promise of Ed Tech.” The FTC and the Department of Education have thus indicated a willingness to explore updating prior guidance on COPPA and FERPA to account for the increasing prominence of Ed Tech as well as the compliance experience of schools and providers

The announcement states that the FTC and Department of Education staff are seeking comment on the following questions:

  • Are the joint requirements of FERPA and COPPA sufficiently understood when Ed Tech providers collect personal information from students?  Are providers and schools adhering to the requirements in practice?

  • What practical challenges do stakeholders face in simultaneously complying with both COPPA and FERPA?

  • Under what circumstances is it appropriate for a school to provide COPPA consent, and what process should the Ed Tech provider use to obtain consent?  Who has the authority to provide and revoke consent and how?

  • COPPA and FERPA both limit the use of personal information collected from students by Ed Tech vendors.  What are the appropriate limits on the use of this data?

  • How should requirements concerning notice, deletion, and retention of records be handled and by whom and when?

  • Schools often use the “School Official Exception” to FERPA’s written consent requirement when disclosing personally identifiable information from education records to Ed Tech providers.  In your experience, what are some of the ways in which schools maintain “direct control” over Ed Tech providers under FERPA’s “School Official Exception?”  Should there be alignment between the “School Official Exception” and schools’ ability to provide consent for purposes of COPPA?

The FTC will accept comments in response to these topics through November 17, 2017.  The workshop is scheduled for December 1, 2017, and the FTC and Department of Education will publish an agenda and list of speakers for the workshop at a later date.

© 2022 Covington & Burling LLPNational Law Review, Volume VII, Number 282

About this Author

Lindsey Tonsager, Covington, regulatory and public policy lawyer

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws. She co-chairs the firm’s Artificial Intelligence Initiative.

In addition to assisting clients engage strategically with the Federal Trade Commission, Federal Communications Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement...

415 591 7061
Caleb Skeath, data and cybersecurity lawyer, Covington

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation.

Mr. Skeath specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and...