On March 20, 2015, the Federal Trade Commission (“FTC”) updated and clarified guidelines regarding the Children’s Online Privacy Protection Act (“COPPA”) and its application to school districts and local educational agencies (“LEAs”). Issues addressed by the updated guidance include consent to collection of data, provision of information by website operators, parental right to opt out of data collection, and FTC-recommended best practices and inquiries.
The new FTC guidelines update previous COPPA guidance released by the agency in 2014. Issues covered include:
Consent to Collection of Student Data is Presumed: A school district may act as a parent’s agent and can consent to the collection of children’s information on the parent’s behalf, as long as the consent is limited to the educational context. Technically, in order for a commercial website operator that collects, uses, or discloses personal information from children under 13 to get consent from the school, the operator must provide the school with all the notices required under COPPA. However, as long as the operator limits use of the child’s information to the educational context authorized by the school district, the operator can presume that the school district’s authorization is based on the school district having obtained the parent’s consent.
Website Operators Must Provide School District and LEA with Information Upon Request: Upon request from the school district, website operators must provide: a description of the types of personal information collected; an opportunity to review the child’s personal information and/or have the information deleted; and the opportunity to prevent further use or online collection of a child’s personal information.
FTC-Recommended Best Practices:
FTC-Recommended Inquiries: According to the FTC, in deciding whether to use online technology with students, a school district should be careful to understand how an operator will collect, use, and disclose personal information from its students. Among the questions that a school district should ask potential operators are:
Policy and Notice of Right to Opt-Out of Data Collection for Marketing: School districts and LEAs must adopt policies and provide direct notification to parents at least annually regarding the rights of parents to opt their children out of participation in activities involving the collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling that information (or otherwise providing that information to others for such purpose).
California school districts and LEAs should be aware that COPPA is a federal law that applies in addition to state laws governing student data privacy. As discussed in our October 2014 Newsflash (Governor Signs Three Bills Protecting Student Data Online), California passed three student data privacy laws on September 30, 2014. Fortunately, many of the new COPPA guidelines are consistent with the requirements under existing California law.
If you have any questions regarding federal and state student data privacy requirements, including but not limited to parental notification and consent, please call one of our six offices.
F3 NewsFlash prepared by Gretchen M. Shipley and John W. Norlin.
Gretchen is a Partner in the F3 San Diego office.
John is Special Counsel in the F3 San Diego office.
This F3 NewsFlash is a summary only and not legal advice. We recommend that you consult with legal counsel to determine how this legal development may apply to your specific facts and circumstances. Information on a free NewsFlash subscription can be found at www.f3law.com.
Keep up to the minute on the latest updates, NewsFlashes, and legal news by following F3 on Twitter:@F3Law.
Legislative Counsel Bureau Confirms: K-12 Schools Must Have Warrant to Search Student's Personal Device
Court of Appeal Upholds Search of Student’s Cell Phone
New Law Restricts Government Entity’s Ability to Search or Access Electronic Devices