Webinar on New COPPA Rule and PIPC's Initial Thoughts
Join our rapid-response webinar next Tuesday!
Yesterday, the Federal Trade Commission (FTC) published the much-anticipated update to the Children’s Online Privacy Protection Rule (COPPA Rule). It's a game-changer for anyone working with children's data, but extremely disappointing for education stakeholders (see why below).
Join our webinar next Tuesday at 1pm ET, where an expert panel will discuss the major changes to COPPA that privacy professionals, child safety advocates, and education stakeholders need to know and the practical impacts for child privacy protections moving forward.
Want some free IN-PERSON child and student privacy content in your life? Of course you do! Don’t forget to register for our conference on February 7th, “Student Privacy & Parental Consent: Legal Innovations and Global Insights,” and the February 6th pre-conference workshop, “Child Privacy Online,” at George Washington University in Washington, DC. We have over 20 incredible experts joining us, and we would love many of our subscribers to join too!
In the meantime, see our initial thoughts on the FTC cutting the education portions in the Final Rule below. Stay tuned for updates on other important takeaways as we continue to analyze the final rule!
The 2025 COPPA Rule & Education
The new COPPA Rule is not what the education community was hoping for.
As you may recall, the FTC released a notice of proposed rulemaking (NPRM) to update the COPPA Rule in December 2023, which included rules clarifying when schools can consent to technology use instead of parents and imposing strong contractual requirements on edtech vendors. However, the final rule was very different: the FTC cut the sections clarifying how and when schools can consent for children to use edtech services in the classroom.
We are incredibly disappointed in the FTC’s failure to codify their longstanding guidance that allowed schools to consent to edtech use for children under 13. As AASA, the School Superintendents Association cautioned in their comment to the COPPA NPRM, the push by some stakeholders to prohibit school consent and require parental opt-in or opt-out of edtech use would burden schools and may lead teachers to forgo using edtech with their students. Additionally, moving away from school consent would place a larger burden on parents to evaluate the complicated risks associated with collecting student data. Despite acknowledging these concerns, the FTC ultimately chose not to codify the school authorization exception in the new COPPA Rule. This leaves schools and parents with continued uncertainty and potentially exposes children to greater privacy risks.
The FTC’s stated reasoning for not codifying the school authorization exception – “To avoid making amendments to the COPPA Rule that may conflict with potential amendments to DOE’s FERPA regulations” – is a flimsy excuse. The mere possibility of future FERPA rulemaking should not prevent the FTC from fulfilling its immediate obligation to protect children online. It's unacceptable to leave this critical protection in limbo while waiting for the Department of Education to act, especially when schools have consistently requested clear guidelines. This inaction undermines the FTC's duty to safeguard children's privacy, particularly in educational settings where technology is increasingly prevalent.
The FTC, not USED, regulates companies like edtech vendors. The FTC’s decision not to codify the school authorization language or include the more substantial protections required by the Edmodo settlement undermines schools' ability to hold vendors to clearly stated standards that would have increased privacy for all students.
While we remain frustrated with the FTC’s decision not to codify critical provisions ensuring that K-12 schools retain the ability to consent to technology uses, we take heart that existing guidance–the COPPA FAQs and the Statement of Basis and Purpose to the 1999 COPPA Rule–remain intact. We would much prefer schools’ authority to consent to technology uses be codified in statute (such as what was proposed in Senator Markey’s COPPA 2.0) or FTC regulation. Still, at least these guidance documents clearly establish schools’ authority to consent to data collection and use on behalf of parents in educational contexts when the technology services are solely for the use and benefit of the school and for no other commercial purpose.
We also appreciate that the new COPPA rule includes new valuable protections for kids, including increased transparency regarding data use, sharing, and retention. The rule also strengthened the security measures operators must implement to protect children’s information, including by requiring risk assessments and information security programs.
We wish we were writing to tell you that the FTC has made it easier for schools to use privacy-protective technology. The FTC's decision to forgo codifying school consent in the COPPA Rule is a disheartening setback for student data protection. It's perplexing that such a weak justification was used to dismiss a long-standing practice with widespread support. This missed opportunity underscores the urgent need for clear guidance and robust protections for student privacy in the digital age to ensure that technology can continue to enhance learning without jeopardizing children's well-being.