The digital education market is exploding. While controversial for-profit colleges garner much of the attention, a vast market exists for companies providing K-12 school districts with digital solutions. The question is what COPPA obligations does a company face when contracting with school districts?
COPPA Parental Consent
The purpose of COPPA is to provide parents with control over the collection and use of personal information online from their children under 13. Businesses meet this goal by obtaining verified parental consent from parents through a number of approved compliance approaches. The consent process is relatively straightforward when the subject is a single child, but less so when a provider is dealing with a school with 1,000 different students.
The FTC has taken a very reasonable position on this issue. Instead of requiring a provider to contact and obtain consent from the parents of each student, the school district can stand in for parents and provide the necessary consent for all students in one fell swoop. The digital provider must still comply with the disclosure requirements under COPPA, but can provide one set of disclosures directly to the school district instead of hundreds of sets to the various parents.
Commentators often suggest the right of a school district to provide consent on behalf of parents is absolute. This assumption is incorrect. A school district many only stand in for a parent on the consent issue when the provider does not use the information for a commercial purpose. If the student information is commercialized, the school district loses its authority to provide consent. The digital provider must then seek compliance on a student-by-student basis.
A standard issue service providers face is determining who can provide consent on behalf of a school or school district. Can a teacher provide consent for his or her class or must the provider get official authorization from the school board? The best practice is to obtain consent from the school board. Most school districts are taking advantage of digital tools these days, and have a procedure in place for approving or rejecting vendors. A provider should contact the school district directly to inquire on the subject.
COPPA vs. FERPA
When working with educational institutions, digital providers must also be intimately familiar with the Family Educational Rights and Privacy Act (FERPA). The law applies to students of any age that attend a school receiving funds from the Department of Education. FERPA sets forth the collection, storage, and disclosure policies an educational institution must follow with the personal information of students. When FERPA was drafted, the Internet as we know it did not exist. Given this, the regulations consist of a rather mangled attempt to classify digital providers as bound by FERPA under Section 99 – 33.1 of the Code of Federal Regulations. No company should seek to provide services to a qualified educational facility without consulting with legal counsel first.
As if matters are not complicated enough at the federal level, a number of states have also enacted laws addressing student privacy. California’s Student Online Personal Information Protection Act is perhaps the best known and most burdensome of these offerings. The law went into effect on January 1, 2016. A discussion of the details is beyond the scope of this article. However, the new California law defines and restricts how information collected from individuals in K-12 grade can be used by vendors. A prohibition against creating marketing profiles and online behavioral advertising campaigns is a common component of the various state laws.
No Pain, No Gain
Digital providers often find the educational market a lucrative one. Unfortunately, navigating COPPA, FERPA, and state law is a complex undertaking. With the market valued in the billions of dollars, most companies are willing to take on the aggravation.
Richard A. Chapo, Esq.