FTC Issues Proposed Rule on COPPA
December 20, 2023
Author
This blog post is cross posted from the team at the 91制片 Student and Child Privacy Center/PIPC.
While we might have thought child and student privacy work for the year was winding down, the FTC had other ideas. This week the FTC released a notice of proposed rulemaking (NPRM) for the Children鈥檚 Online Privacy Protection Rule (COPPA Rule) that would mean big changes for companies and schools, codifying some of the changes stakeholders have been advocating for.
We鈥檒l be going through the NPRM in detail over the next few days. So far, we鈥檙e happy to see that some of the changes in the NPRM coincide with the issues we discussed in our about the challenges of parental consent and . In the meantime, we wanted to share the on the notice of proposed rulemaking, along with some key points.
- For the first time, the FTC is seeking to formally codify 鈥渓ongstanding Commission guidance by which operators rely on school authorization to collect personal information in limited circumstances rather than on parental consent.鈥
- The NPRM recognizes the , stating that 鈥渙btaining consent from the parents of every student in a class often will be challenging, in many cases for reasons unrelated to privacy concerns鈥 and that 鈥渋t may ultimately be more privacy-protective than requiring ed tech providers to obtain consent from parents.鈥
- The NPRM codifies key points of the , including requiring a written agreement in order to take advantage of this COPPA exception (the FTC notes that this can be achieved through the use of a mostly standardized contract) which must include privacy protective safeguards (such as 鈥渋dentify[ing] the name and title of the person providing consent and specify[ing] that the school has authorized the person to provide such consent).
- The NPRM explicitly defines schools to include LEAs and SEAs, in addition to individual schools (which is amazing, as this was an issue we flagged in our of the Edmodo settlement).
- The NPRM explicitly states that an operator may not use the information it collected from one educational service to develop or improve a different service (something vendors have assumed they've been able to do under current law).
- The NPRM adds a definition for 鈥渟chool-authorized education purpose鈥 (which notably does not include marketing) and notes that while 鈥減ersonalization would be a permissible part of providing the service, personalization could not include the marketing of services even if those services were educational in nature."
- The NPRM requires 鈥渁n operator that collects personal information from a child under the school authorization exception to include an additional notice on its website or online service noting that: (1) the operator has obtained authorization from a school to collect a child鈥檚 personal information; (2) that the operator will use and disclose the information for a school-authorized education purpose and no other purpose; and (3) that the school may review information collected from a child and request deletion of such information.鈥
Other points of interest:
- The FTC also declined to change or broaden COPPA鈥檚 鈥渁ctual knowledge鈥 standard to a 鈥渃onstructive knowledge鈥 standard, largely because Congress rejected a constructive knowledge standard when COPPA was originally passed. In our expert opinion, we see this as the FTC telling Congress the ball is in their court if they want this to change the knowledge standard (such as changes proposed in ).
You can read the FTC鈥檚 press release and the full NPRM text . Comments on the NPRM are due 60 days after it is posted in the Federal Register, but it hasn鈥檛 been formally posted yet, so we do not know when comments on the NPRM will be due. We鈥檒l keep you updated on our analysis as it develops.
Happy holidays and looking forward to seeing the rulemaking process play out in 2024!
Subscribe to 91制片's Blogs
Subscribe via RSS feed below. Learn more about RSS feeds here.
