The onset of the COVID-19 pandemic in 2020 shuttered daycare centers, shifted schools to virtual settings, and fueled the rapid growth of children’s applications and educational technology (“ed-tech”) to facilitate the shelter-in-place childcare and remote learning paradigms. The federal Children’s Online Privacy Protection Act (COPPA) and Family Educational Rights and Privacy Act (FERPA), as well as numerous state laws, protect children’s and students’ privacy when using these platforms. In 2021, increased scrutiny of the data collection practices of these platforms followed their rapid deployment, as new variants led to renewed restrictions on in-person education and childcare. That scrutiny is likely to continue in the new year, as the use of such platforms persists, even as the pandemic subsides. In this post, we survey the developments during 2021 and assess the future of child and student privacy in 2022.
COPPA and its implementing regulations impose requirements on operators of websites or online services directed to children under age 13, as well as on operators of websites or online services that have actual knowledge that they are collecting personal information from a child younger than 13. The Federal Trade Commission (FTC) and state attorneys general (AGs) enforce COPPA, but it does not provide a private right of action.
COPPA includes a “Safe Harbor,” under which website operators may certify compliance with FTC-approved self-regulatory guidelines. COPPA enforcement trends in 2021 signal heightened scrutiny regarding (1) the disclosure of children’s personal information to third parties, (2) companies’ reliance on COPPA’s Safe Harbor, and (3) the application of the COPPA Rule to education technology (ed-tech) settings.
FTC and State AG Enforcement
As we discussed in an earlier post, children’s privacy was a particular area of focus for the FTC in 2021. In July 2021, online coloring book app maker KuuHuub Inc., along with its Finnish subsidiaries Kuu Hubb Oy and Recolor Oy, settled FTC allegations that its app violated COPPA by allegedly failing to (1) provide notice to parents or obtain verifiable parental consent before collecting personal information from underage users of the app and (2) instruct social ad networks to refrain from using children’s persistent identifiers for behavioral advertising. Although the app characterized itself as a “coloring book for adults,” the FTC alleged that a portion of the app was directed to children under 13 and enabled the children to create social media profiles including self-images and to interact with other adult Recolor users, without providing notice to or obtaining consent from parents. Under the terms of the settlement, Recolor agreed to delete all personal information it collected from children and pay a $3 million penalty, which was suspended to $100 thousand due to the company’s limited finances.
On December 28, 2021, California-based online advertising platform OpenX Technologies agreed to pay $2 million to settle FTC allegations that the company violated COPPA by collecting personal information in the form of persistent identifiers from children under 13 without parental consent. Additionally, the FTC alleged that the company collected geolocation information from users who specifically opted out of tracking. OpenX allegedly provided this information to advertisers to target advertisements through apps on mobile devices.
The FTC alleged that OpenX had knowledge that apps in the ad exchange were directed towards children and collected information from children under 13 without providing notice to or obtaining consent from parents, in violation of COPPA. The FTC’s focus on the collection of persistent identifiers and geolocation data as the basis of its complaint and settlement indicates that the FTC is willing to bring enforcement actions even when the personal information at issue includes non-human readable data that identifies a device rather than an individual.
In addition to the $2 million fine, the order requires OpenX to delete all identifiable data that it collected or received for targeted advertising purposes and implement a comprehensive privacy program to ensure that the company complies with COPPA. OpenX will also be required to review apps periodically to identify child-directed apps and ban them from the company’s ad exchange.
AGs have been similarly active in enforcing COPPA. In August 2021, the New Mexico AG announced a lawsuit against Rovio Entertainment—the creators of Angry Birds—alleging that Rovio violated both COPPA and New Mexico law. In particular, the complaint alleged that Rovio knowingly collects personal information from players under 13 and sends that information to a number of third-party marketing companies that analyze, repackage, resell, and otherwise use the information to sell targeted advertising to those underaged players. The suit sought an injunction prohibiting the company’s data collection practices, civil penalties, and other relief.
Scrutiny of Safe Harbor Compliance
In August 2021, the FTC removed Aristotle International from the COPPA Safe Harbor List. Aristotle is an organization that facilitated an “Integrity Safe Harbor Compliance Program” through which member companies could certify compliance with COPPA by implementing guidelines developed by Aristotle and displaying a mark indicating compliance with COPPA under the Integrity program. In effect, Aristotle was providing a third-party service for self-certifying compliance with COPPA. Aristotle received approval for its self-regulatory guidelines in 2012 and was one of seven organizations on the COPPA Safe Harbor List. In announcing Aristotle’s removal from the Safe Harbor List, the FTC indicated that Aristotle did not sufficiently monitor its member companies’ compliance with the self-regulatory guidelines. This first removal by the FTC suggests increasing scrutiny of these self-regulatory organizations and their compliance programs.
COPPA and Ed-Tech
In a statement in February 2021, Commissioner Slaughter reiterated the FTC’s focus on clarifying how COPPA applies to ed-tech, particularly in light of the increased use of ed-tech tools for distance learning during the COVID-19 pandemic. In her statement, Commissioner Slaughter said that the Commission was studying ed-tech services provided by social media and video streaming platforms and reviewing the COPPA Rule in response to public comments asking for additional guidance on COPPA’s application to ed-tech.
FERPA and its implementing regulations generally protect the privacy of parents and students in “education records” maintained by institutions that receive federal funding from the Department of Education (ED). An education record includes information that relates to a student such as name, academic performance, and attendance. FERPA enables parents and students to file complaints with the ED concerning failures by institutions or third-party service providers to provide access to and adequately protect education records. Under FERPA, the ED can withhold federal funding from institutions that fail to comply or direct institutions to deny access to education records by non-compliant third-party service providers for up to five years. In 2019, even before the pandemic and the resulting explosion of ed-tech, the ED announced an increased focus on enforcing FERPA and dedicated investigatory resources to the high-risk FERPA complaints based, in part, on the number of students who could be affected by the issue.
In 2021, third-party advocacy organizations led initiatives to scrutinize data collection practices of ed-tech platforms and facilitated a campaign to file complaints with the ED. In 2021, the Me2B Alliance and Student Data Privacy Project (SDPP) focused on the FERPA compliance of apps used by schools. The SDPP also organized parents in over 20 states to request access to student data that was collected by third-party ed-tech providers. In July 2021, as part of that effort, parents from nine states filed complaints with the ED regarding the alleged failure of school districts and ed-tech vendors to provide the student data as required by FERPA.
What to Expect in 2022
Looking forward to the next year, we expect both regulators and third-party advocacy organizations to continue dissecting the data collection practices of children’s and ed-tech applications and platforms.
With respect to COPPA, we expect regulators to (1) look closely at websites that collect or use children’s personal information in any form (including non-human readable device identifiers), (2) examine all parties in the advertising and ed-tech ecosystem for COPPA compliance, and (3) revisit self-regulating programs under the COPPA Safe Harbor. We could also see the FTC issue indirect guidance—in the form of enforcement actions or public statements—clarifying the definition of “actual knowledge” under COPPA, which has been an area of confusion, or applying COPPA to the ed-tech space.
With respect to FERPA, the SDPP has indicated that they will continue to file complaints with the ED alleging non-compliance by ed-tech providers and school districts. We will be watching for the ED’s response and investigation of these complaints and further developments. Although the ED historically has not exercised its authority to cut off federal funds to a non-compliant school district or ban third-party service providers from working with schools, it could very well begin to apply these penalties in response to the surge of complaints filed by advocacy groups.