Compliance officers in the educational technology and digital advertising sectors, beware: With children learning remotely, surfing the Web, and socializing online more than ever before during the coronavirus pandemic, regulators are stepping up their oversight of children’s online privacy violations. Companies that handle the personal data of minors should reassess their privacy practices accordingly.

In the United States, the main privacy law governing the online collection, use, or disclosure of children’s personal information is the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission’s COPPA Rule. COPPA and the COPPA Rule require that commercial Websites, online services, and mobile apps directed to children under age 13, or with actual knowledge that a user is under 13, must obtain verifiable parental consent before collecting, using, or disclosing personal information from children. To comply with COPPA, companies can ensure parental consent is, in fact, verifiable by requiring a small refundable credit card transaction, for example.

The amendments made to the COPPA Rule in 2013 significantly expanded the definition of children’s personal information to include—in addition to a name, address, and online contact information—“persistent identifiers, such as cookies that track a child’s activity online, as well as geolocation information, photos, videos, and audio recordings.” Last year, the FTC began weighing a third round of amendments to the COPPA Rule, due to “rapid changes in technology,” the agency said.

Then the pandemic hit.

To further bring the COPPA Rule in line with where we are today, a bipartisan group of six senators has urged the FTC to use its statutory authority under Section 6(b) of the FTC Act to review the data collection and processing practices of the educational technology (EdTech) and digital advertising sectors. “The FTC must have all necessary facts and a full public record as it reviews the COPPA Rule to ensure that this important privacy safeguard effectively protects kids online today,” the senators said in a May 8 letter to the agency.

The senators are urging the regulator to examine a host of issues in both these sectors, including what personal data they collect from children and teens and how they obtain consent for this collection. In the digital advertising space, the letter further urges the FTC to examine, among other privacy practices:

  • How digital advertisers employ data analytics and machine-learning techniques to determine what content children are likely to consume and to target those audiences;
  • What third parties they work with to collect and process children’s information;
  • Whether they sell or share children’s data, including to affiliated companies and data brokers;
  • Whether they use geolocation information for marketing to children, and if so, how they do so; and
  • How they have shifted their data practices in response to the coronavirus pandemic.

EdTech compliance

The senators also noted in their letter that the pandemic has made online platforms and software offerings integral to American education and that “many of these changes will remain after the Coronavirus pandemic is over, as leading technology companies continue to expand their reach into kids’ educational experiences.” For the EdTech sector, the senators urge the FTC to examine, among other issues:

  • How long they retain students’ data and what their process is for deleting it;
  • How they collect and process children’s biometric information, including facial recognition data, in educational settings;
  • Whether they use student data for any non-ed tech products or services, including whether they use children’s data for behavioral advertising; and
  • Whether they have suffered any data breaches involving information about children or teens.

Prudent compliance officers in the EdTech space will want to review new FTC guidance, issued April 9, concerning the collection of children’s personal information in response to the pandemic. In the educational context, schools can consent on behalf of parents to the collection of student personal information, “but only if such information is used for a school-authorized educational purpose and for no other commercial purpose,” the FTC said. “This is true whether the learning takes place in the classroom or at home at the direction of the school.”

“Beefing up oversight of the COPPA Safe Harbor program is just one of many actions the Commission must take to strengthen our approach to protecting children’s privacy.” 

Rohit Chopra, Commissioner, FTC

For EdTech service providers to get consent from schools, “the service must provide the school the necessary COPPA-required notice of its data collection and use practices,” the FTC said. It also provided an example of what this notice should look like under Section C of the FTC’s COPPA FAQs.

At a high level, compliance practices concerning children’s online privacy in the EdTech sector remain weak. According to the 2019 “State of EdTech Privacy Report” conducted by Common Sense Media, the EdTech sector continues to demonstrate “a widespread lack of transparency and inconsistent privacy and security practices for products intended for children and students.”

FTC Commissioner Rohit Chopra is also pressing for more oversight, specifically as it applies to the COPPA safe harbor program. Companies are deemed to be compliant with COPPA if they’re a member and adhere to the guidelines of an FTC-approved COPPA safe harbor program.

“Beefing up oversight of the COPPA Safe Harbor program is just one of many actions the Commission must take to strengthen our approach to protecting children’s privacy,” Chopra said. “The Commission should also issue orders under Section 6(b) of the FTC Act to further study how companies are collecting, sharing, and monetizing data on children, as we look to modernize our rules and enforcement strategy to root out children’s privacy violations.”

His comments were in response to a settlement Swiss-based digital game maker Miniclip reached with the FTC for lying about its participation in the FTC-approved Better Business Bureau’s Children’s Advertising Review Unit’s (CARU) safe harbor program. Miniclip joined CARU’s safe harbor program in 2009 and remained a member until 2015, when CARU terminated the company’s participation in the program without any explanation. “If the FTC does not promptly learn about or investigate terminations by COPPA Safe Harbors, the agency may be unable to obtain civil penalties, due to the five-year statute of limitations,” Chopra said.

Compliance and legal officers should also be aware that children’s advocacy groups are intensifying their legal efforts as well. Beijing-based social networking app TikTok particularly has faced a significant amount of scrutiny.

On May 14, a coalition of children’s and consumer groups filed a complaint with the FTC requesting that it investigate TikTok for COPPA violations. The complaint alleges, in part, that TikTok violated the terms of a consent decree it reached with the FTC in February 2019 by failing to destroy all the personal information it has collected from users under 13 years of age; failing to obtain verifiable parental consent for these accounts; and failing to post a prominent and clearly labeled link to an online privacy notice of its information practices with regard to children on the TikTok app homepage.

But that’s not the only trouble TikTok is facing. Outside the United States, the Dutch Data Protection Authority announced on May 8 that it’s investigating whether TikTok is adequately protecting children’s privacy. Specifically, the Dutch DPA said it’s looking into whether the app has a privacy-friendly design; whether the information TikTok provides when children install and use the app is easy to understand and adequately explains how their personal data is collected, processed, and used; and whether parental consent is required for TikTok to collect, store, and use children’s personal data.

Compliance officers in the EdTech and digital advertising sectors may want to review recent enforcement and litigation activity concerning violations of COPPA and other children’s data privacy laws to use as a compliance framework as to where policies and procedures regarding children’s online privacy may need enhancing. Companies should also review the FTC’s six-step compliance plan regarding the COPPA Rule.