More COPPA Enforcement is Coming For the Ed Tech Industry

In a new policy statement, the FTC makes clear that “going forward, the Commission will closely scrutinize the providers of these services and will not hesitate to act where providers fail to meet their legal obligations with respect to children’s privacy.”

Importantly, the FTC also stated that responsibility for COPPA compliance is on the ed tech businesses – not schools or parents, and that contractual agreements with schools and districts must reflect that reality.

Some key takeaways from the stated focus of enforcement:

• • Prohibiting mandatory collection: COPPA-covered companies, including ed tech providers, must not condition participation in any activity on a child disclosing more information than is reasonably necessary for the child to participate in that activity.
  • Prohibitions on use: Ed tech companies are prohibited from using personal information of children for any commercial purpose unrelated to the provision of the school-requested online service.
  • Prohibitions on retention: Ed tech providers must not retain personal information of children longer than reasonably necessary to fulfill the purpose for which collected.
  • Security requirements: Ed tech providers must have procedures to maintain the confidentiality, security, and integrity of children's personal information. COPPA-covered ed tech companies may violate COPPA even absent a breach if they fail to implement reasonable security measures.