FTC Updates Federal Guidelines for Student Data Privacy

April 2015

On March 20, 2015, the Federal Trade Commission (“FTC”) updated and clarified guidelines regarding the Children’s Online Privacy Protection Act (“COPPA”) and its application to school districts and local educational agencies (“LEAs”).  Issues addressed by the updated guidance include consent to collection of data, provision of information by website operators, parental right to opt out of data collection, and FTC-recommended best practices and inquiries.

The new FTC guidelines update previous COPPA guidance released by the agency in 2014.  Issues covered include:

Consent to Collection of Student Data is Presumed: A school district may act as a parent’s agent and can consent to the collection of children’s information on the parent’s behalf, as long as the consent is limited to the educational context. Technically, in order for a commercial website operator that collects, uses, or discloses personal information from children under 13 to get consent from the school, the operator must provide the school with all the notices required under COPPA. However, as long as the operator limits use of the child’s information to the educational context authorized by the school district, the operator can presume that the school district’s authorization is based on the school district having obtained the parent’s consent.

Website Operators Must Provide School District and LEA with Information Upon Request: Upon request from the school district, website operators must provide: a description of the types of personal information collected; an opportunity to review the child’s personal information and/or have the information deleted; and the opportunity to prevent further use or online collection of a child’s personal information.

FTC-Recommended Best Practices:

  • Allow parents to review the personal information collected.
  • Ensure operators delete children’s personal information once the information is no longer needed for its educational purpose.
  • School districts and LEAs should make available to parents notice of the websites and online services to which it has provided consent on behalf of the parent concerning student data collection, as well as the operators’ direct notices.  This information or a link to this information can be maintained on a district website.

FTC-Recommended Inquiries: According to the FTC, in deciding whether to use online technology with students, a school district should be careful to understand how an operator will collect, use, and disclose personal information from its students.  Among the questions that a school district should ask potential operators are:

  • What types of personal information will the operator collect from students?
  • How does the operator use this personal information?
  • Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school? 
  • Does the operator enable the school to review and have deleted the personal information collected from their students?  If not, the school cannot consent on behalf of the parent.
  • What measures does the operator take to protect the security, confidentiality, and integrity of the personal information that it collects?
  • What are the operator’s data retention and deletion policies for children’s personal information?

Policy and Notice of Right to Opt-Out of Data Collection for Marketing: School districts and LEAs must adopt policies and provide direct notification to parents at least annually regarding the rights of parents to opt their children out of participation in activities involving the collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling that information (or otherwise providing that information to others for such purpose). 

California school districts and LEAs should be aware that COPPA is a federal law that applies in addition to state laws governing student data privacy.  As discussed in our October 2014 Newsflash (Governor Signs Three Bills Protecting Student Data Online), California passed three student data privacy laws on September 30, 2014. Fortunately, many of the new COPPA guidelines are consistent with the requirements under existing California law.

If you have any questions regarding federal and state student data privacy requirements, including but not limited to parental notification and consent, please call one of our six offices.

F3 NewsFlash prepared by Gretchen M. Shipley and John W. Norlin.
Gretchen is a Partner in the F3 San Diego office.
John is Special Counsel in the F3 San Diego office.

 Keep up to the minute on the latest updates, NewsFlashes, and legal news by following F3 on Twitter:@F3Law.



© 2015 Fagen Friedman & Fulfrost, LLP

All rights reserved, except that the Managing Partner of Fagen Friedman & Fulfrost, LLP hereby grants permission to any client of Fagen Friedman & Fulfrost, LLP to use, reproduce and distribute this NewsFlash intact and solely for the internal, noncommercial purposes of such client.

Back to Top