In April, with little fanfare, the Federal Trade Commission (FTC) updated its guidance on COPPA and schools. In a year when privacy concerns are blamed for the collapse of multimillion dollar, multistate educational technology venture inBloom, best practices for online student privacy are particularly timely. Although the FTC’s “Complying with COPPA: Frequently Asked Questions” page represents staff opinions and seeks merely to clarify existing standards, it gives educators, tech vendors and website and app designers a valuable new tool to help them “make the grade.”

The Children’s Online Privacy Protection Act (COPPA) has provided the baseline for children’s privacy in the U.S. since 1998. The law, enforced by the FTC, imposes strict parental notice and consent requirements “on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.” Schools, acting in loco parentis, have long been able to provide such consent in educational contexts.

As PCs, tablets and smartphones permeate classrooms, bringing the web to students in school, the big question for education has become, how and when can schools provide such consent on behalf of students’ parents? While the FTC’s new guidance addresses some of these issues, like any good teacher, it raises new issues in turn and sparks broader discussions about educational privacy. A redlined comparison of the new and previous versions of the guidance prepared by Covington & Burling LLP is available here.

Authorization

Although the FTC’s guidance is clear that schools have some authority to consent to the collection of student data, who precisely should be providing that consent had been an open question until now. When whole districts adopt educational social networking platforms at the same time as teachers are assigning educational apps to their students, online vendors have struggled to figure out who can consent on behalf of school children—should they look to individual teachers? School administrators? District officers?

The FTC’s updated FAQ answers this question by providing a new “best practice.” The agency’s recommendation is that “schools or school districts decide whether a particular site’s or service’s information practices are appropriate, rather than delegating that decision to the teacher.” While individual teachers are still not necessarily precluded from consenting on behalf of their students, the agency’s promotion of privacy as a high-level, institutional accountability feature clearly extends beyond the commercial setting and into the public sphere.

The FTC’s new guidance also notes that many schools have formal processes for assessing vendors’ privacy practices “so that this task does not fall on individual teachers’ shoulders.” However, Prof. Daniel Solove has recently claimed, “There is no privacy infrastructure in K-12 schools ... Any company trying to do business with K-12 schools where privacy is involved is like a company trying to build a world-class research facility in the middle of an untamed jungle.”

Because of the lack of resources and training for privacy in education, often it is in fact individual teachers who make such decisions on the ground. Schools seeking to improve their privacy practices and policies should take heed of the FTC’s guidance and vest the authority to consent to student data collection in trained, institutional staff members.

Authentication

Of course, once a school has identified who should be providing consent, there remains the problem of verifying that they are the ones giving it. COPPA requires website and online service operators to obtain “verifiable parental consent,” i.e., to ensure that children are not simply impersonating their parents—or teachers—to gain access to a site or service. This raises two distinct problems: first, how to authenticate the identity of the party that appears to be manifesting consent on behalf of a student and, second, how to verify that party has appropriate authority within the school hierarchy to manifest consent.

For online operators, then, what should constitute satisfactory proof they are dealing with an authorized school official? Additions to the guidance indicate “the operator’s method must be reasonably calculated, in light of available technology, to ensure that a school is actually providing consent, and not a child pretending to be a teacher, for example.”

This language mirrors that of the “verifiable parental consent” COPPA requires in other contexts. A traditionally onerous process, verifying parental consent has involved having signed consent forms returned by mail, fax or scans; requiring credit or debit cards in monetary transactions, or having parents call a toll-free telephone number or video-conference with trained personnel. However, as InsidePrivacy notes, “the FAQ does not explicitly state that the school’s consent must be provided through one of the limited methods outlined in the COPPA Rule or approved under the new voluntary parental consent process.” The issue remains open and will doubtlessly occupy decision-makers in the foreseeable future.

Implementing authentication methods will likely remain an obstacle until privacy infrastructures are better embedded in K-12 institutions. At the same time, this authentication burden may help drive schools to shift online consent decisions away from individual teachers and toward centralized district or school authorities.

Commercial Uses

Perhaps the foremost privacy concern voiced by parents, educators and legislators is the appropriation of student data for commercial use. Today’s schools are storehouses for massive amounts of highly sensitive and personal information, including demographic, family, financial, health, behavioral and aptitude data. Such focused information could prove invaluable to marketers, for instance, and as the educational technology market reaches approximately $8 billion, the number of interested parties will only increase. But it is the perceived threat that technology could turn classrooms into showrooms that has prompted state legislators into action and haunted Big Data educational ventures like inBloom.

For its part, the FTC’s position is clear in its updated FAQ: Schools’ ability to consent to the collection of children’s data “is limited to the educational context—where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose.” Further, the agency added new language emphasizing that where “a students’ personal information is used in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service … the school cannot consent on behalf of the parent.” Of course, websites and online services may still use children’s data for such commercial purposes if they obtain verifiable consent directly from a parent.

Notwithstanding the FTC’s strong position against commercial use of student personal information, a recent study by the Fordham Center on Law and Information Policy indicates schools are woefully behind the curve in negotiating for privacy protections from their service providers. In its survey of 20 public schools districts’ contracts with their cloud computing vendors, 27 percent of those agreements offered services free of charge, meaning “the personal information of students is likely being commercialized in some way to support the provision of the service to the district.” More worryingly, “None of the contracts specifically prohibited the sale and marketing of children’s information.”

While the FTC’s authority to regulate privacy in schools is generally presumed to begin and end with COPPA (its remit is commercial, not public, entities), Solove and Prof. Woodrow Hartzog have also recently made an interesting argument to extend the FTC’s reach by expanding vendors’ responsibilities under Section 5 of the FTC Act. Under their theory, the FTC’s body of consent decrees establishes that “there is a standard of care when it comes to contracting” that might oblige private entities to protect students’ privacy—or that might recognize students as third-party beneficiaries entitled to privacy protections during such deals. If that were the case, then even where a school was not yet up to the task of protecting students’ data on its own, the students’ privacy welfare would still be looked after by private entities, and the FTC, further abating commercialization concerns.

Conclusion

Obtaining and providing proper consent under COPPA is just the first step to bringing Big Data and new online tools and technologies into classrooms. Just like in any good educational video game or adaptive learning program, once you’ve mastered one privacy skill, you will advance to more difficult tasks—like FERPA, the 800-pound gorilla of education privacy law. Indeed, schools and vendors are urged to master not only their COPPA responsibilities but also those under FERPA and the Protection of Pupil Rights Amendment, not to mention state privacy laws and a veritable avalanche of state legislative bills in the works—on last count, 82 bills pending in 32 states. For help, they can now turn to new guidance, “Protecting Student Privacy While Using Online Educational Services,” issued by the Department of Education in February.

The FTC’s COPPA in schools guidance makes it easier for schools and businesses to ensure that they are bringing online sites and technologies into classrooms in a way that properly protects students’ privacy. Even so, questions remain about what proper COPPA compliance will look like in educational contexts and how schools can improve their privacy infrastructures. Parents, educators and businesses will doubtlessly have homework of their own to do to make sure they get it right.