FTC’s Newly Proposed Privacy Rules Could Bring “Substantial Changes” to Ed-Tech Industry
The Federal Trade Commission rolled out proposed changes to the Children’s Online Privacy Protection Act this week that seek to impose stronger regulations on the collection and use of student data and bring major changes to how ed-tech companies build and market their products.
The law, commonly known as COPPA, applies to any organization that collects the personal data of children under the age of 13, making it a major consideration for education providers.
The consumer protection agency’s proposal is aimed at clarifying a variety of questions in the 25-year-old law, including who is allowed to grant permission to share children’s personal data, how organizations can use that data, and how their products are allowed to interact with children online.
“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” said FTC Chair Lina M. Khan said in a statement accompanying the proposed rules.
The top FTC official, who has taken a noticeably tough tone in describing the responsibility of ed-tech providers to do more to protect student privacy, added that the changes are “much-needed, especially in an era where online tools are essential for navigating daily life — and where firms are deploying increasingly sophisticated digital tools to surveil children.”
The rules, Khan said, would forbid ed-tech companies from “outsourcing their responsibilities to parents.”
Education companies could be significantly affected by many of the proposed rules, said Amelia Vance, president of the Public Interest Privacy Center and former vice president of youth and education privacy at the Future of Privacy Forum.
“This is very likely groundbreaking to the vast majority of ed-tech companies, and will force substantial changes,” Vance said.
Custodians of Data
One of the most prominent changes in the proposed rules would clarify that schools are able to stand in as parents and grant third parties the ability to access students’ data — under certain circumstances.
Schools being able to grant permission for the data is a practice that’s generally been allowed under FTC’s existing guidance, but has caused some confusion, especially as organizations must also adhere to the sometimes contradictory guidelines of the Federal Educational Rights and Privacy Act, or FERPA, said Linnette Attai, president of PlayWell, LLC, which offers data privacy compliance consulting services to organizations serving children.
Under the proposed rules, the FTC says that schools can grant those permissions to a third-party organization if the data will only be used for educational, and not commercial purposes. Third-party organizations under contract with a school must also now specify a data custodian — the individual at the district or school who is granting the access to the data and affirm they have the authority to do so.
The agency is saying. “‘Let’s clear that up and codify that, but also make sure we have the right guardrails around it,’” she said.
Since the proposed rule changes echo similar laws seen in at least two dozen states, as well as in some foreign countries, they won’t come as much of a surprise to many education companies. Attai said most of the difficulty will be in working with districts that are new to the requirements and don’t already have a point person designated to grant access to student data.
Since schools don’t fall under the regulatory authority of the FTC, the proposed rules also wouldn’t require action on the district’s part, meaning it would be entirely up to companies working in school districts to ensure that information is included in a contract.
Vance, from the Public Interest Privacy Center, said the rule could mean that teachers are restricted from trying out ed-tech products individually in their classrooms if using that product requires accessing students’ personal data, and the district doesn’t provide them with a data custodian or set process for data sharing.
“You may practically end up with far fewer ad hoc sign-ups for ed-tech products,” she said.
Restricting Data Use Across Products
The FTC’s proposed changes to COPPA would also restrict how education companies are able to use students’ personal data in developing and improving other products and services, as well as in marketing and commercial uses.
Under the new rules, that means an education company likely wouldn’t be able to use student data gathered from a geometry-focused app to develop an algebra app, Vance said.
The FTC’s purpose behind the rule is to prevent companies from using student data for a reason other than its intended purpose, she said. For example, advocates for these protections are concerned that a company that makes student monitoring software could use information about students’ activity online, such as what they read and write, to build an unrelated product, such as a personalized learning platform.
“We’ve seen a lot of concern that companies are taking information they’ve collected in one context and are trying to use that information in a totally different context,” she said.
While the rules apply specifically to personal data, meaning de-identified data is allowed, Vance said companies are often unaware that much of their de-identified data can include details that can unintentionally be used to identify specific students. Additionally, many software programs that rely on artificial intelligence tools are still able to identify students since the personalized data was originally fed into the algorithms used to create AI tools, and remains there.
“AI has re-revealed the personal information that’s been fed into it from its training set,” Vance said, which means education companies then need to think about limiting the type of AI integration that is widely used in the industry.
While the proposal would bring safeguards to children’s data privacy, the restrictions on using student data to improve or build other products could have the unintended effect of limiting companies’ ability to innovate and create products that improve student achievement, Vance said.
The worry is that “this may undermine some of the important ed-tech development that would otherwise help students,” she said.
Another proposed update to COPPA would also require education companies to disclose that they’re using students’ information to “nudge” them to use a product, such as sending them push notifications to complete a task.
FTC Accepting Comment on Proposed Rules
Both Attai and Vance said it’s important to remember that the FTC’s proposed changed to COPPA are just that — a proposal — and are not permanent yet. The commission is now entering a 60-day public comment period. That said, Vance said she doesn’t expect the agency to make significant change to the final rules.
That’s because the FTC in recent years has sought to exercise greater control over tech companies, said Vance, noting the proposed changes don’t go as far as some advocates would have hoped, such as through steps such as blocking schools from being able to grant access to student data at all, and instead requiring individual parental consent for each child in order to share their data with vendors.
To Attai, the changes are largely positive, since they remove some of the uncertainty that has existed in the market surrounding student data, and provide organizations with greater clarity to make plans and product development ideas moving forward.
“I’m a little bit encouraged by the thoughtfulness that I think the FTC tried to approach some of these very complicated issues with,” she said. “They’re not going to make everyone happy, which probably means they did a pretty good job.”
Follow EdWeek Market Brief on Twitter @EdMarketBrief or connect with us on LinkedIn.
Photo of FTC Chair Lina Khan during a 2021 appearance before a U.S. Senate committee. (Graeme Jennings/Washington Examiner via AP, Pool, File)
See also: