In December 2023, the Federal Trade Commission announced a proposed change to the rule for the Children’s Online Privacy Protection Act (COPPA) and requested public feedback.
COPPA is one of a few key federal laws that protect student privacy. There has not been a change to the rule implementing COPPA for more than a decade, and the new one will have major implications for data collection for children under age 13 in schools and elsewhere.
The Parent Coalition for Student Privacy will be submitting comments, and we’re encouraging parents and other student privacy advocates to weigh in as well. We are concerned that this change in language will further weaken privacy and security protections for children. See below for some suggested language to use. The deadline to submit comments on the proposed changes to the rule is Monday, March 11th at 11:59 pm ET.
Why is the rule change important?
COPPA only applies to data collected from children under 13, and it only applies to data collection by for-profit companies. But it is enforced by the FTC, and that agency recently has been willing to hold tech companies accountable, especially with respect to children and social media.
Previously, COPPA gave strong rights to parents, requiring parental consent before companies could collect any data directly from children under 13, and giving parents the right to consent to this data collection, to review what was collected, and to have data deleted.
Then in guidance in 2019, COPPA said schools could consent to data collection in the place of a parent, but that parents’ rights to control that data were retained even if it was the school that originally consented.
But that was only guidance, which doesn’t have the legal weight of a rule.
What’s the upside of the proposed changes?
The new rule makes it official that schools can authorize collection of data from children, and that collection can only be for an educational purpose, so data can’t be used for advertising, sale, marketing or other commercial purposes. And now schools will need to have a written agreement with a company before data can be shared. (That’s a requirement in place in some states, but far from all.)
Those are both good things, especially with the weight of the FTC’s enforcement power behind them.
What’s not good about the proposed changes?
Though it bars the use of personal student data for “commercial purposes,” it doesn’t clearly define what that means and would allow it to be used to develop new products and services.
There are many other aspects of the new rule that are worrisome and might even weaken existing parent rights under FERPA – the other major federal student privacy law, which is already too weak. Namely, it omits the right for parents to access the data that is held for their children and to challenge it if it is inaccurate. It is also far too weak regarding data security, data minimization and deletion, and parent notification for data collection and in case of breaches.
There are also no additional protections or parental controls when it comes to the collection by companies of highly sensitive data, including student behavioral, physical, and mental health data, as well as biometric and geolocation data, and no additional controls on surveillance.
Please take the time to submit a comment on this proposed rule change via this interface. In the past, we’ve found that parent voices sometimes matter to federal regulators, and we are hoping that the FTC will hear our concerns and those of other parents who are wary of the rapid proliferation of invasive ed tech in our schools, as well as the widespread and harmful breaches that have followed.
Here’s some suggested language you can use or adapt, but please feel free to alter the language in any way you like. Thanks! Leonie and Cassie
Re: COPPA Proposed Rule, 16 CFR part 312, Document 89 FR 2034
I am submitting this comment as a {parent, teacher, privacy advocate}. I support the goal of clarifying and strengthening the protection of children’s privacy in a school context, and agree that schools should only allow data to be collected from children by companies that have a written agreement with the school. I also agree that data collected from children in school should only be used for educational purposes.
However, I am concerned that the definition of school-authorized educational purpose could allow companies to make use of children’s data for developing and improving products. That’s not acceptable. Moreover, if schools can now authorize companies to collect data from children, parents must still have at least as much control over their child’s data as they do under FERPA, including the right to inspect, challenge and amend their children’s information if it is inaccurate.
There must be strong data security safeguards as well, at minimum including independent security audits and encryption in motion and at rest, given the frequent and widespread occurrence of hacking and data breaches in our schools. Without effective data security there can be no data privacy.
Finally, in all cases, schools should be required to notify parents directly about what companies are collecting what type of data from their children, how that data is being used and that it will be deleted after it is no longer needed for educational purposes. And in the case of the collection of biometric and geolocation data, and the use of invasive surveillance programs in schools, parents need and deserve the right of prior notification and consent as well.
[Include, if you can, an anecdote about what’s happening in your school or district: do parents know what software is being used, are they asked for consent, and how out of control the collection of data from your child has become, etc.]
Yours sincerely, name and address.