Discover more from Public Interest Privacy Center
48 Hours in Student Privacy
A Tsunami of News
WELCOME TO THE SUBSTACK! As you may know, I’ve been experimenting with different newsletter platforms, and decided to go with Substack - my words and thoughts, directly to you. Thanks for subscribing, and please share if you find this useful!
Thanks for reading Public Interest Privacy Center's Substack! Subscribe for free to receive new posts and support my work.
In the past two days, the child and student privacy landscape has been overwhelmed with an influx of news and announcements. The biggest? The FTC’s new settlement with edtech company Edmodo might break school technology use in a few different ways, including shifts on which education entities edtech vendors can contract with and what rights parents have to modify or delete their children’s education data.
While that would certainly be enough to hold our attention, we also saw:
A major conservative think tank stating publicly that they believe that the pending and likely to move the Kids Online Safety Act and COPPA 2.0 will enable restrictions or bans regarding LGBTQ+ content;
The FTC also filed a brief stating that COPPA does not preempt state privacy laws that are consistent with COPPA;
The Surgeon General brought up the need for “children’s privacy” as part of its recommendations in a new Advisory on Social Media and Youth Mental Health;
The White House announced that the Department of Education “will promote and enhance the privacy of minor students’ data and address concerns about the monetization of that data by commercial entities, including by planning to commence a rulemaking under the Family Educational Rights and Privacy Act (FERPA);” and
The White House and the Department of Education announced multiple new AI efforts, including guidance for education stakeholders on AI and an AI RFI that education stakeholders may want to respond to.
Let’s dig in:
FTC settlement with edtech company Edmodo has major implications for schools
On Monday night, the FTC announced a $6 million settlement against edtech provider, Edmodo. In the settlement, the Commission alleges that the company violated the Children’s Online Privacy Protection Rule (COPPA) and “unlawfully used children’s personal information for advertising and outsourced compliance to school districts.”
The settlement has many positive implications for local education agencies (LEAs). It reaffirms that the onus for verifying parental consent for collecting personal data from children should be on edtech providers and not schools. It also pushes companies to have an adequate data retention and deletion policy.
However, LEAs also have significant reasons for concern: the settlement changes COPPA interpretation about whether students can use edtech without LEAs obtaining parental consent. While such use was previously permitted, it now appears that the FTC is changing course by limiting what types of educational institutions can consent to the use of edtech on parents’ behalf. The settlement also raises new questions, such as whether parents could access or delete their child’s information from, for example, a standardized test company, without the school’s knowledge and/or consent.
Remember: COPPA protects data from children who are under age 13 - so any data that is outside that scope is not impacted by this settlement. FTC settlements have become the primary lens through which companies interpret the law; settlements determine how companies interpret and comply with COPPA. Unfortunately, the Edmodo settlement makes this law very convoluted, and will open up major compliance and administrative problems with using edtech in schools.
However, the settlement is not final until it is signed off on by the court. If the FTC and Edmodo mutually agreed on a change to the current text before it is approved, the biggest problem for LEAs–changing the definition of “School” and “School Representative” to include all LEAs–could potentially be fixed.
The settlement likely changes how COPPA works with educational institutions in two major ways:
1. Edmodo - and, therefore, likely all other edtech companies - must obtain either Verifiable Parental Consent–in the school context, this would require parents to opt-in to each and every edtech use–or School Authorization (newly defined term) for the collection and use of student data. “School Authorization” is defined as “a School Representative authorizes an Operator to Collect Personal Information from a Child, on the condition that Personal Information is Collected only for an Educational Purpose and follows the School Representative’s receipt of Direct Notice from the Operator.” School Authorization is only allowed when data will be used exclusively for an educational purpose.
This sounds great! Except when you look at the narrow definitions of “School Representative” and “School.” School is defined as “an institutional day or residential school, including a public school, charter school, or private school, that provides elementary or secondary education, as determined by State law.” A “School Representative” is defined as “a School employee.” Bottom line? These definitions exclude all other LEAs–like districts or education service agencies–that often contract with edtech companies. This settlement says companies must either go through VPC or get School Authorization - and, therefore, companies can probably never receive School Authorization from an LEA other than a school. Instead, companies will likely need to contract individually with each and every school their product will be used in or will be required to obtain COPPA-compliant consent from each and every parent. This is a (likely unintentional) change: the current COPPA FAQs specifically reference school districts contracting with companies. When this settlement is finalized by the court, companies are likely to assume that they can only contract with individual schools, unless additional clarifications are made.
2. To complicate matters, there are new requirements for how an edtech provider must obtain “School Authorization.” School Authorization requires a written agreement (which is good for education stakeholders if the definition of “School” was fixed) that says:
Personal information will only be used for educational purposes (this is great!);
Describes all Personal information that is collected and how it will be used and disclosed (schools should receive that information!);
Provides the School a link to its online notice of information practices and recommends the School make it available on the School’s website (again, a good thing!);
Provides that any Personal Information Collected by Defendant is under the Direct Control of the School with regard to its use and maintenance (which will help schools comply better with FERPA!); and
Requires a School Representative to acknowledge and agree that they have authority to authorize the Collection of Personal Information from Children on behalf of the School, along with their name and title at the School. (wait a second…)
That last requirement means that Schools will likely need to designate who has the “authority to authorize the Collection of Personal Information from Children on behalf of the School.” Schools should think through who can consent to the use of new edtech (and are required to do so under FERPA), but the specific requirements are a significant change to current practices and will undoubtedly create a large administrative burden. For example, requiring the School Representative’s name and title in the written contract–in addition to their affirmation that they have the “authority”–will be a shift for many schools. LEAs that provide significant leeway in deciding which edtech tools to use will also likely find these requirements particularly problematic.
There are numerous other questions raised by the settlement, including the aforementioned question of whether parents can now access and delete their child’s information from school services like assessment providers. Stay tuned for more analysis on this settlement and potential action steps.
It’s important to remember that this is happening while Congress is considering legislation that dramatically expands COPPA–increasing the age of children who are covered to 17, and covering some information about children, not just information collected from kids–and legislation with new child privacy protections (most prominently the Kids Online Safety Act).
A major conservative think tank stated publicly on Twitter this weekend that they believe that (the pending and likely to move) Kids Online Safety Act and COPPA 2.0 will enable restrictions or bans regarding LGBTQ+ content.
COPPA 2.0 along with the Kids Online Safety Act (KOSA) have generally had wide support in Congress (nearly passing as part of the omnibus in December) but KOSA in particular is becoming more contentious as think tanks, civil rights groups, and others raise concerns about how KOSA provisions could be “weaponized by Attorneys General to censor online resources and information for queer and trans youth, people seeking reproductive healthcare, and more” (as shared by 90+ organizations that signed on to a November letter opposing KOSA).
Florence Ashley, an assistant professor at University of Alberta Law , shared the following screenshot from “How Big Tech Turns Kids Trans,” an article published last fall in The American Conservative by a researcher at the Heritage Foundation:
Ashley tweeted that:
The Heritage Foundation twitter account replied (through a quote tweet):
This tweet may be interpreted to confirm the worst fears of advocacy groups–opening the question of whether this may sway Democrats who had been supporting KOSA to oppose the bill.
The FTC also filed a brief in Jones v. Google on Monday stating that COPPA does not preempt state privacy laws that are consistent with COPPA.
HHS and White House announcements make direct connections between youth mental health and the need for new or additional child privacy protections - including updated FERPA regulations
Yesterday, Surgeon General Dr. Vivek Murthy released a new Advisory on Social Media and Youth Mental Health stating that “While social media may offer some benefits, there are ample indicators that social media can also pose a risk of harm to the mental health and well-being of children and adolescents.” The Surgeon General calls for “urgent action by policymakers, technology companies, researchers, families, and young people alike to gain a better understanding of the full impact of social media use, maximize the benefits and minimize the harms of social media platforms, and create safer, healthier online environments to protect children.” This includes a call for policymakers to “better protect children’s privacy,” for technology companies to “make design and development decisions that prioritize safety and health – including protecting children’s privacy and better adhering to age minimums”
The White House announced the creation of “an interagency Task Force on Kids Online Health & Safety to advance the health, safety and privacy of minors online,” which will include senior representatives from the Department of Education. Their announcement launching the Task Force added that “The Department of Education will promote and enhance the privacy of minor students’ data and address concerns about the monetization of that data by commercial entities, including by planning to commence a rulemaking under the Family Educational Rights and Privacy Act (FERPA).”
Federal Guidance (and an RFI) on AI in Education
The Department of Education also released guidance on AI, “Artificial Intelligence and the Future of Teaching and Learning: Insights and Recommendations,” which included several mentions of privacy.
The guidance was launched as part of several White House announcements related to AI, including a formal Request for Information on National Priorities for AI (with education specifically listed as an issue the White House is seeking comments on), due by July 7th.
I was honored to testify before House of Representatives Subcommittee on Innovation, Data, and Commerce of the Committee on Energy and Commerce at their April 27 hearing, “Addressing America's Data Privacy Shortfalls: How a National Standard Fills Gaps to Protect Americans' Personal Information.” You can check out my written testimony here, or watch the full hearing below.
Thanks for reading Public Interest Privacy Center's Substack! Subscribe for free to receive new posts and support my work.