The Federal Trade Commission has released guidance urging ed-tech companies to pay attention to the requirements of the Children’s Online Privacy Protection Act during COVID-19, while also saying shouldn’t prevent “robust” distance-learning opportunities.

COPPA generally requires companies that collect personal information online from children under age 13 to provide notice of their data collection and use practices and obtain verifiable parental consent.

The FTC noted that in both school and home environments, schools can consent on behalf of parents to the collection of student personal information. That’s only allowed if such information is used for a school-authorized educational purpose and for no other commercial purpose.

The FAQs released by the agency highlight several sets of guidelines, including model terms of service drafted by the U.S. Department of Education’s Student Privacy Policy Office designed to help school districts as they negotiate agreements with vendors.

Among other things, the model terms of service advises districts to beware of language in contracts with ed-tech companies that narrowly defines both protected student information and de-identification of sensitive data.

Moreover, the model terms of service recommend that language should clearly state that data and/or metadata may not be used to advertise or market to students or parents. It also says that those terms should state that vendors will obtain consent from districts before changing the conditions laid out in the contract.

The new guidance says that schools should ask operators of commercial websites and services several questions, including the types of personal information they will collect from students, how they use the personal information, and whether they let schools review and delete the personal information collected.

If companies don’t allow the deletion of specified personal information of students, schools shouldn’t consent on behalf of parents to allow companies to collect that information, the FTC said.

As schools and districts move to remote learning, they should review the privacy and security policies of the ed-tech services they use with their attorneys and information security specialists, the agency said.

Everyone’s Going ‘So Fast’

A little bit of homework will go a long way in protecting schools and companies, especially startups and firms new to the education space that might not be as well-versed in children’s privacy regulations as more seasoned businesses, said Doug Lynch, a professor at the University of Southern California’s school of education.

“Everybody is trying so hard to help schools so fast, because everybody’s at home with their kids going crazy,” Lynch said.

Amid this hectic period, it’s possible that startups will speed up their product rollouts and communications with school districts while sacrificing proper analysis of the K-12 market’s complicated regulatory environment, he said.

Lynch explained that startups and other companies shouldn’t let the complex regulatory landscape scare them away from working to provide innovative solutions during the COVID-19 crisis.

“A little bit of due diligence and counsel,” he said, “would be a prudent thing.”

Follow EdWeek Market Brief on Twitter @EdMarketBrief or connect with us on LinkedIn.

---

See also:

• Tough N.Y. Data-Privacy Regs Taking Effect, and Ed-Tech Vendors Take Notice
• ‘Landmark’ Student-Data Privacy Law Enacted in California
• Most Ed-Tech Products Don’t Meet Minimum Criteria in Their Privacy Policies, Report Finds
• Learning From the ‘Accidental Consequences’ of Student-Data Privacy Laws
• Student-Data Privacy: How Parents’ Views Can Shape K-12 Companies’ Work