As families and schools across the country adjust to the new normal of remote learning, litigants are heading to court claiming that the very technologies that make remote learning feasible may be impermissibly collecting children’s personal data.
Allegations that remote learning tools are violating the Children’s Online Privacy Protection Act are coming from both state and private litigants. COPPA requires online providers that collect the data of children under 13 years of age to take specific measures to protect that data, including privacy policies, parental consent and reasonable data security practices.
In the remote learning context, the Federal Trade Commission has issued guidance stating that schools can consent on behalf of parents to the collection of students’ personal information, provided the information is used for a school-authorized educational purpose and is not used for any commercial purpose. For the school to consent, the remote learning provider must provide COPPA-compliant notices of its data collection, use and security practices to the school. Notably, the FTC bases this exception to parental consent on its 1999 COPPA Rule, which states that COPPA “does not preclude schools from acting as intermediaries between operators and schools in the notice and consent process, or from serving as the parents’ agent in the process,” but it has not yet expressly codified the exception. Last summer, the FTC sought additional comments on the contours of the exception should it be codified.
Whether the personal information collected by the provider is solely used for school-authorized educational purposes appears to be a basis for potential liability. In a recent lawsuit brought by New Mexico’s attorney general, the state claimed that Google’s education platform collected students’ personal information for its own commercial purposes. The complaint claims that the platform tracks and monitors students’ web-browsing activities for commercial purposes, such as its own product improvement and development. In its recent request for comments, the FTC specifically sought opinions as to whether or not operators should be able to use students’ data for product improvement.
COPPA is not the only potential player in remote learning litigation. The Illinois Biometric Information Privacy Act (BIPA) provides another trap: an individual’s biometric data — including voice or facial scans and including the biometric data of children — cannot be collected or stored by a private entity without obtaining informed consent.
Another recent lawsuit filed in California federal court claims that Google’s education platform collects the unique voiceprints and facial scans of students in violation of BIPA without informing or obtaining a release from parents. Unlike COPPA, BIPA’s restrictions are not limited to commercial activity. If biometric identifiers are collected, informed consent is required. And, unlike COPPA, there is no exception for schools to consent to collection on behalf of students.
The quick switch to remote learning may have caught some off guard — indeed, many schools across the country that initially allowed teachers to use Zoom videoconferencing for educational purposes abruptly prohibited use of the platform after Federal Bureau of Investigation warnings over its security functions. Luckily, remote learning providers can slow the spread of litigation by implementing several best practices:
Prohibit data use/collection beyond authorized educational purposes. Platforms should avoid using personal data outside of the specific, school-authorized educational purpose. Until more clarity is provided from the FTC, providers should also avoid using students’ individual data for internal product development or improvement.
Implement and provide COPPA notices. Even where schools may consent on students’ behalf, the FTC recommends that parents be provided a provider’s COPPA notice. Providers should consider requiring that schools provide these disclosures to parents as a part of the providers’ service agreements with schools.
Routinely delete old data. Schools can only consent on behalf of students if the school can review and request the deletion of personal information collected from its students. Providers should consider implementing proactive data deletion policies to ensure student data is not retained any longer than necessary, which may mean as quickly as the end of the school year.
Be thoughtful about default settings. Avoid default settings that might collect non-educational data. For example, the lawsuit filed by the New Mexico attorney general alleges that Google’s default sync function automatically uploaded student’s online browsing habits to Google’s server when students logged into their accounts. Though an option to turn off the default sync setting exists, the complaint alleges that it was buried in settings parents were not likely to see. At bottom, COPPA is designed to notify parents and give them the choice to consent. Therefore, it is not sufficient to provide a way to terminate collection — providers must obtain consent prior to collection.
Consider state privacy laws. Remote learning providers must also consider state laws regarding student data. Arizona, for example, requires that vendor contracts include express provisions prohibiting secondary uses of student data without parental consent. In the wake of COVID-19, Connecticut temporarily waived its student data privacy law requiring schools and vendors to enter written contracts ensuring student data will not be used for any purposes outside of the stated purposes of the contracts. They saw this as necessary to ensure remote learning could be quickly rolled out to Connecticut students.
As these recent lawsuits show, both states and the public expect a high level of responsibility regarding the information that is collected by remote learning platforms — no small order considering the speed with which schools have had to pivot to remote learning due to COVID-19. Regardless of the potential liability remote learning providers may face, complete and upfront disclosure of data collection by the provider is the best way to limit liability in privacy claims.