Earlier this week, the Federal Trade Commission and Department of Education announced plans to hold a joint workshop on the application of the Children’s Online Privacy Protection Act (“COPPA”) and the Family Educational Rights and Privacy Act (“FERPA”) to educational technology products and services in the K-12 school environment. In advance of the workshop, the FTC and Department of Education are soliciting comments on several key questions regarding COPPA and FERPA compliance for educational technology providers. This is a valuable opportunity for Ed Tech providers to provide feedback to both agencies on the practical application of COPPA and FERPA in this arena.
The FTC’s announcement cited the increasing use of “Ed Tech” in the K-12 environment, including school-issued personal computing devices and online curriculum, as the impetus for holding the workshop. The FTC enforces the COPPA Rule, which governs the online collection, use, and disclosure of personally identifiable information from children under the age of 13. The Department of Education, on the other hand, has enforcement power over FERPA, which governs the use and disclosure of personally identifiable information in students’ education records.
The stated aim of the workshop is to “gather information to help clarify how the FTC and ED can ensure that student privacy is properly protected without interfering with the promise of Ed Tech.” The FTC and the Department of Education have thus indicated a willingness to explore updating prior guidance on COPPA and FERPA to account for the increasing prominence of Ed Tech as well as the compliance experience of schools and providers
The announcement states that the FTC and Department of Education staff are seeking comment on the following questions:
Are the joint requirements of FERPA and COPPA sufficiently understood when Ed Tech providers collect personal information from students? Are providers and schools adhering to the requirements in practice?
What practical challenges do stakeholders face in simultaneously complying with both COPPA and FERPA?
Under what circumstances is it appropriate for a school to provide COPPA consent, and what process should the Ed Tech provider use to obtain consent? Who has the authority to provide and revoke consent and how?
COPPA and FERPA both limit the use of personal information collected from students by Ed Tech vendors. What are the appropriate limits on the use of this data?
How should requirements concerning notice, deletion, and retention of records be handled and by whom and when?
Schools often use the “School Official Exception” to FERPA’s written consent requirement when disclosing personally identifiable information from education records to Ed Tech providers. In your experience, what are some of the ways in which schools maintain “direct control” over Ed Tech providers under FERPA’s “School Official Exception?” Should there be alignment between the “School Official Exception” and schools’ ability to provide consent for purposes of COPPA?
The FTC will accept comments in response to these topics through November 17, 2017. The workshop is scheduled for December 1, 2017, and the FTC and Department of Education will publish an agenda and list of speakers for the workshop at a later date.