March 18, 2018

March 16, 2018

Subscribe to Latest Legal News and Analysis

March 15, 2018

Subscribe to Latest Legal News and Analysis

FTC and Department of Education Announce Joint Workshop on FERPA and COPPA Compliance for Ed Tech

Earlier this week, the Federal Trade Commission and Department of Education announced plans to hold a joint workshop on the application of the Children’s Online Privacy Protection Act (“COPPA”) and the Family Educational Rights and Privacy Act (“FERPA”) to educational technology products and services in the K-12 school environment.  In advance of the workshop, the FTC and Department of Education are soliciting comments on several key questions regarding COPPA and FERPA compliance for educational technology providers.  This is a valuable opportunity for Ed Tech providers to provide feedback to both agencies on the practical application of COPPA and FERPA in this arena.

The FTC’s announcement cited the increasing use of “Ed Tech” in the K-12 environment, including school-issued personal computing devices and online curriculum, as the impetus for holding the workshop.  The FTC enforces the COPPA Rule, which governs the online collection, use, and disclosure of personally identifiable information from children under the age of 13.  The Department of Education, on the other hand, has enforcement power over FERPA, which governs the use and disclosure of personally identifiable information in students’ education records.

The stated aim of the workshop is to “gather information to help clarify how the FTC and ED can ensure that student privacy is properly protected without interfering with the promise of Ed Tech.” The FTC and the Department of Education have thus indicated a willingness to explore updating prior guidance on COPPA and FERPA to account for the increasing prominence of Ed Tech as well as the compliance experience of schools and providers

The announcement states that the FTC and Department of Education staff are seeking comment on the following questions:

  • Are the joint requirements of FERPA and COPPA sufficiently understood when Ed Tech providers collect personal information from students?  Are providers and schools adhering to the requirements in practice?

  • What practical challenges do stakeholders face in simultaneously complying with both COPPA and FERPA?

  • Under what circumstances is it appropriate for a school to provide COPPA consent, and what process should the Ed Tech provider use to obtain consent?  Who has the authority to provide and revoke consent and how?

  • COPPA and FERPA both limit the use of personal information collected from students by Ed Tech vendors.  What are the appropriate limits on the use of this data?

  • How should requirements concerning notice, deletion, and retention of records be handled and by whom and when?

  • Schools often use the “School Official Exception” to FERPA’s written consent requirement when disclosing personally identifiable information from education records to Ed Tech providers.  In your experience, what are some of the ways in which schools maintain “direct control” over Ed Tech providers under FERPA’s “School Official Exception?”  Should there be alignment between the “School Official Exception” and schools’ ability to provide consent for purposes of COPPA?

The FTC will accept comments in response to these topics through November 17, 2017.  The workshop is scheduled for December 1, 2017, and the FTC and Department of Education will publish an agenda and list of speakers for the workshop at a later date.

© 2018 Covington & Burling LLP


About this Author

Lindsey Tonsager, Governmental Attorney, Covington Law Firm

Lindsey Tonsager represents clients in policy and adjudicatory proceedings before the U.S. Congress, Federal Trade Commission, Federal Communications Commission, and Copyright Royalty Board.  In addition to assisting clients engage strategically with regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions. 


Caleb Skeath is an associate in the firm's Washington, DC office.  He is a member of the Privacy & Data Security, Litigation, and White Collar Defense & Investigations practice groups. Mr. Skeath is a member of the Virginia Bar.  He is currently not admitted in the District of Columbia, but is supervised by principals of the firm.