IAPP-GDPR Web Banners-300x250-FINAL

In April, with little fanfare, the Federal Trade Commission (FTC) updated its guidance on COPPA and schools. In a year when privacy concerns are blamed for the collapse of multimillion dollar, multistate educational technology venture inBloom, best practices for online student privacy are particularly timely. Although the FTC’s “Complying with COPPA: Frequently Asked Questions” page represents staff opinions and seeks merely to clarify existing standards, it gives educators, tech vendors and website and app designers a valuable new tool to help them “make the grade.”

The Children’s Online Privacy Protection Act (COPPA) has provided the baseline for children’s privacy in the U.S. since 1998. The law, enforced by the FTC, imposes strict parental notice and consent requirements “on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.” Schools, acting in loco parentis, have long been able to provide such consent in educational contexts.

As PCs, tablets and smartphones permeate classrooms, bringing the web to students in school, the big question for education has become, how and when can schools provide such consent on behalf of students’ parents? While the FTC’s new guidance addresses some of these issues, like any good teacher, it raises new issues in turn and sparks broader discussions about educational privacy. A redlined comparison of the new and previous versions of the guidance prepared by Covington & Burling LLP is available here.


Although the FTC’s guidance is clear that schools have some authority to consent to the collection of student data, who precisely should be providing that consent had been an open question until now. When whole districts adopt educational social networking platforms at the same time as teachers are assigning educational apps to their students, online vendors have struggled to figure out who can consent on behalf of school children—should they look to individual teachers? School administrators? District officers?

The FTC’s updated FAQ answers this question by providing a new “best practice.” The agency’s recommendation is that “schools or school districts decide whether a particular site’s or service’s information practices are appropriate, rather than delegating that decision to the teacher.” While individual teachers are still not necessarily precluded from consenting on behalf of their students, the agency’s promotion of privacy as a high-level, institutional accountability feature clearly extends beyond the commercial setting and into the public sphere.

The FTC’s new guidance also notes that many schools have formal processes for assessing vendors’ privacy practices “so that this task does not fall on individual teachers’ shoulders.” However, Prof. Daniel Solove has recently claimed, “There is no privacy infrastructure in K-12 schools ... Any company trying to do business with K-12 schools where privacy is involved is like a company trying to build a world-class research facility in the middle of an untamed jungle.”

Because of the lack of resources and training for privacy in education, often it is in fact individual teachers who make such decisions on the ground. Schools seeking to improve their privacy practices and policies should take heed of the FTC’s guidance and vest the authority to consent to student data collection in trained, institutional staff members.


Of course, once a school has identified who should be providing consent, there remains the problem of verifying that they are the ones giving it. COPPA requires website and online service operators to obtain “verifiable parental consent,” i.e., to ensure that children are not simply impersonating their parents—or teachers—to gain access to a site or service. This raises two distinct problems: first, how to authenticate the identity of the party that appears to be manifesting consent on behalf of a student and, second, how to verify that party has appropriate authority within the school hierarchy to manifest consent.

For online operators, then, what should constitute satisfactory proof they are dealing with an authorized school official? Additions to the guidance indicate “the operator’s method must be reasonably calculated, in light of available technology, to ensure that a school is actually providing consent, and not a child pretending to be a teacher, for example.”

This language mirrors that of the “verifiable parental consent” COPPA requires in other contexts. A traditionally onerous process, verifying parental consent has involved having signed consent forms returned by mail, fax or scans; requiring credit or debit cards in monetary transactions, or having parents call a toll-free telephone number or video-conference with trained personnel. However, as InsidePrivacy notes, “the FAQ does not explicitly state that the school’s consent must be provided through one of the limited methods outlined in the COPPA Rule or approved under the new voluntary parental consent process.” The issue remains open and will doubtlessly occupy decision-makers in the foreseeable future.

Implementing authentication methods will likely remain an obstacle until privacy infrastructures are better embedded in K-12 institutions. At the same time, this authentication burden may help drive schools to shift online consent decisions away from individual teachers and toward centralized district or school authorities.

Sources and Other Reading
Official Guidance:

Articles and Reports

Commercial Uses

Perhaps the foremost privacy concern voiced by parents, educators and legislators is the appropriation of student data for commercial use. Today’s schools are storehouses for massive amounts of highly sensitive and personal information, including demographic, family, financial, health, behavioral and aptitude data. Such focused information could prove invaluable to marketers, for instance, and as the educational technology market reaches approximately $8 billion, the number of interested parties will only increase. But it is the perceived threat that technology could turn classrooms into showrooms that has prompted state legislators into action and haunted Big Data educational ventures like inBloom.

For its part, the FTC’s position is clear in its updated FAQ: Schools’ ability to consent to the collection of children’s data “is limited to the educational context—where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose.” Further, the agency added new language emphasizing that where “a students’ personal information is used in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service … the school cannot consent on behalf of the parent.” Of course, websites and online services may still use children’s data for such commercial purposes if they obtain verifiable consent directly from a parent.

Notwithstanding the FTC’s strong position against commercial use of student personal information, a recent study by the Fordham Center on Law and Information Policy indicates schools are woefully behind the curve in negotiating for privacy protections from their service providers. In its survey of 20 public schools districts’ contracts with their cloud computing vendors, 27 percent of those agreements offered services free of charge, meaning “the personal information of students is likely being commercialized in some way to support the provision of the service to the district.” More worryingly, “None of the contracts specifically prohibited the sale and marketing of children’s information.”

While the FTC’s authority to regulate privacy in schools is generally presumed to begin and end with COPPA (its remit is commercial, not public, entities), Solove and Prof. Woodrow Hartzog have also recently made an interesting argument to extend the FTC’s reach by expanding vendors’ responsibilities under Section 5 of the FTC Act. Under their theory, the FTC’s body of consent decrees establishes that “there is a standard of care when it comes to contracting” that might oblige private entities to protect students’ privacy—or that might recognize students as third-party beneficiaries entitled to privacy protections during such deals. If that were the case, then even where a school was not yet up to the task of protecting students’ data on its own, the students’ privacy welfare would still be looked after by private entities, and the FTC, further abating commercialization concerns.


Obtaining and providing proper consent under COPPA is just the first step to bringing Big Data and new online tools and technologies into classrooms. Just like in any good educational video game or adaptive learning program, once you’ve mastered one privacy skill, you will advance to more difficult tasks—like FERPA, the 800-pound gorilla of education privacy law. Indeed, schools and vendors are urged to master not only their COPPA responsibilities but also those under FERPA and the Protection of Pupil Rights Amendment, not to mention state privacy laws and a veritable avalanche of state legislative bills in the works—on last count, 82 bills pending in 32 states. For help, they can now turn to new guidance, “Protecting Student Privacy While Using Online Educational Services,” issued by the Department of Education in February.

The FTC’s COPPA in schools guidance makes it easier for schools and businesses to ensure that they are bringing online sites and technologies into classrooms in a way that properly protects students’ privacy. Even so, questions remain about what proper COPPA compliance will look like in educational contexts and how schools can improve their privacy infrastructures. Parents, educators and businesses will doubtlessly have homework of their own to do to make sure they get it right.

Written By

Kelsey Finch, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»