Originally enacted in 1998, COPPA was most recently updated in 2013 to account for new ways of tracking personal information, including persistent identifiers such as cookies and geolocation data. The FTC is currently holding a public comment period to determine whether to strengthen COPPA’s privacy protections, and it just concluded a public workshop on Oct. 7 to explore potential changes—particularly with regards to education technology and data security.
Meanwhile, individual states are actively pursuing COPPA violations, enforcing existing state privacy laws and adding new laws to protect children’s data online. According to the Parent Coalition for Student Privacy, nearly 100 new state privacy laws have been passed between 2014 and 2018. New York passed one in 2014, and the state attorney general launched “Operation Child Tracker” shortly afterwards to investigate COPPA violations. The state subsequently joined the YouTube action, receiving $36 million of the $170 million settlement.
Are a majority of children’s apps in violation of COPPA?
Against this legal landscape, a recent study of nearly 6,000 of the most popular children’s apps on Android found that “a majority are potentially in violation of COPPA.” The list of potentially non-compliant companies includes a number of household names, major education companies, and other large content providers.
Privacy advocates have long been urging the FTC to pursue the findings and send a message to the education technology industry. Even more seriously, the FBI has issued a public service announcement regarding the risks of kids’ personal data being improperly or insecurely stored by edtech companies.
In its recent public workshop, the FTC surfaced these two issues through Commissioner Christine Wilson’s opening remarks, which specifically addressed the agency’s interest in revisiting how COPPA needs to be updated to reflect the reality and needs of the education technology sector and general data privacy practices today.
Let’s start by understanding the YouTube settlement.
When we think of “collecting personal information online,” some of us may envision a digital form that gathers names, email addresses, birthdays and related information. Indeed, as FTC Commissioner Noah Phillips observed in his public workshop remarks, this was exactly the kind of data collection that Congress envisioned when it enacted the original iteration of COPPA in 1998. While that type of information is still subject to the law, YouTube did something a bit more subtle but equally common in today’s technological landscape.
As the FTC explained, YouTube violated COPPA “by collecting personal information—in the form of persistent identifiers that are used to track users across the Internet—from viewers of child-directed channels, without first notifying parents and getting their consent. YouTube earned millions of dollars by using the identifiers, commonly known as cookies, to deliver targeted ads to viewers of these channels.”
The FTC has given advance warning that it plans to review child-directed YouTube channels to ensure they are compliant. In other words, if YouTube channel owners run and monetize child-directed channels, they must follow COPPA rules. As Commissioner Wilson explained in the workshop, “This settlement puts content creators on notice that if their content is directed to children and they therefore couldn’t engage in behavioral advertising on their own website or app without getting parental consent, they can’t do it on a third party platform either.”
You are likely subject to COPPA if your website collects personal information from children.
COPPA applies to owners of websites, apps, and online services that are “directed to” children under 13 and collect personal information. It also applies to owners of websites who have “actual knowledge” that they collect personal information from children under 13, even if the websites are directed to a general audience.
“Personal information” includes the obvious, such as names, addresses, emails, phone numbers, and photos. Perhaps less obviously, it also includes persistent identifiers, such as cookies, IP addresses, and geolocation data, which allow websites to track users over time, serve targeted ads, and make decisions based on user behavior.
Under COPPA, website operators need to take a number of specific steps to comply with its requirements, including:
- giving parents direct notice and obtain verifiable consent before collecting information from kids under 13;
- allowing parents to review the information, request that it be deleted, and opt out of future collection; and
- keeping the information secure and delete the information once it’s no longer necessary.
Remarketing is effectively banned on child-directed websites.
We’ve all had the experience of visiting a website and then seeing ads for that website follow us around the internet. Countless website owners hire digital marketing firms to create elaborate remarketing campaigns, which are based on using persistent identifiers to facilitate behavior-based ads.
Persistent identifiers fall squarely within COPPA’s definition of “personal information,” which means that collecting persistent identifiers from children under 13 requires parental consent. The challenge is that persistent identifiers don’t come packaged with contact details, so how can websites obtain consent? In many cases, they can’t.
Websites directed to kids can’t collect cookies, IP addresses, and other persistent identifiers unless they have a sophisticated system to collect parent contact information, tie that information to the persistent identifiers, and then use the information to obtain verifiable consent—all of which is more burdensome than valuable for many child-directed sites.
Websites intended for a general audience should also be careful about having “actual knowledge” of gathering personal information from children, which would require them to comply with COPPA. But how does the FTC determine whether the actual knowledge standard has been met?
In YouTube’s own marketing efforts, it repeatedly mentioned its popularity with children. YouTube also labeled various videos as being suitable for them. These types of factors were sufficient to establish actual knowledge. Perhaps the FTC will provide further clarity on the actual knowledge requirement after the comment period.
What about edtech companies contracted by schools?
Schools frequently rely on third parties that operate websites and online programs. Common examples include online research sites, homework help forums and testing platforms. Under COPPA, schools can currently consent as the parents’ agent when websites collect information solely for the benefit of the students or the school and not for a commercial purpose. If student information is used for a commercial purpose, then parents need to consent too.
One challenge is identifying when an education company uses data solely for an educational purpose, rather than for a commercial purpose. If a company uses data to improve its own services, for example, what educational purpose does that serve? This is another area that awaits further clarity from the FTC.
Companies should also be conscious that public schools have obligations under the Family Educational Rights and Privacy Act (FERPA), and various states have their own student privacy laws, which may impose an additional layer of requirements.
Where do we go from here?
Based on the public workshop, the FTC is specifically revisiting how COPPA applies to persistent identifiers and behavior-based advertising. As Commissioner Phillips observed in his remarks: “The ability of a strange person to contact a child is not the same as an advertisement appearing when the child is watching a show. . . . [T]here’s great value in entertainment—and the advertising that pays for it.”
He also cautioned that “focusing entirely on the possibility of harm and discounting completely the potential promise of technologies seems the wrong course to me.” His example: “E-learning platforms can use data to support teachers, students, and parents by creating customized lesson plans or dynamically focusing on areas an individual student finds challenging. However, to do that, they may need to use personal data.” Experts believe the FTC plans to revisit whether schools can continue consenting on behalf of parents.
In her discussion of recent enforcement actions, Commissioner Wilson also specifically mentioned the importance of data security, another FTC focus area as it revisits the future of COPPA.
Time will tell more about the interplay between the commissioner’s words of caution and the signal the FTC sent through the YouTube settlement. The edtech industry ought to be watching closely as the requirements for COPPA compliance may well change.