COPPA and Schools. Did You Know??? Laurie Lynch Flick Pillsbury Winthrop Shaw Pittman LLP February 18, 2014




What is COPPA?
- Children's Online Privacy Protection Act
  - Federal statute passed by Congress in 1998
- Enforced by the Federal Trade Commission
  - Originally adopted the implementing COPPA Rule in April 2000
  - Reviewed and retained without change in March 2006
  - Significantly revised and broadened Rule became effective July 1, 2013
- Intended to give parents control of information collected online from kids under 13 and how it is used without unnecessarily burdening online businesses
- Requires notice to and verifiable consent from a parent
  - Before a collection, use, disclosure of personally identifiable information

Preparing for Changes to COPPA

COPPA and the Promise/Peril of Digital Learning
- American Recovery and Reinvestment Act of 2009
  - Established the Broadband Technology Opportunities Program (BTOP)
    - National Telecommunications Information Administration administers $4.7B for broadband expansion in schools, healthcare, etc.
  - Directed the FCC to Create the National Broadband Plan
    - Released March 2010
    - Established goals for broadband use in Education, Healthcare, Energy & the Environment, Government Performance, Civic Engagement, Public Safety
    - Modernized the E-rate program to focus funding on higher speed Internet connections for schools and libraries
  - Directed the Department of Education to Create the National Education Technology Plan
    - Released November 2010
    - Established goals in the areas of Learning, Assessment, Teaching, Infrastructure, Productivity, Research & Development
    - National Digital Learning Registry created July 2010

COPPA and the Promise/Peril of Digital Learning
- Digital Textbook Playbook
  - Initiative of FCC and DOE announced February 2012
- Bipartisan Leading Education by Advancing Digital (LEAD) Commission created by FCC and DOE in March 2012
  - Released a Blueprint recommending a national initiative to expand digital learning in K-12 Education in June 2013
- ConnectEd Initiative
  - Announced by the White House and FCC in February 2014
  - Doubles E-rate funding for next generation connectivity
  - Provides teacher training
  - Encourages private sector innovation in digital learning

What's the Goal?

A student attending a rural school that does not offer an Advanced Placement (AP) calculus course can receive instruction online from a teacher in a different part of the state or even the country. That teacher, who is online because of her passion for the subject and because of her demonstrated ability to teach it, might not only provide lectures but may also use instant messaging and e-mail to communicate with the student. The teacher also might steer the student toward interactive tools that let students practice on their own. And the teacher might even pique the student's curiosity by using video showing how calculus applies to real-world examples such as a major league baseball player hitting a home run or how Isaac Newton developed calculus to understand gravity and the motion of the planets.

- National Broadband Plan 2010

The Privacy Impact
- October 2013: Senator Markey letter to DOE re: collection and use of student educational data online
- December 2013: Fordham Law School, Center on Law and Information Policy releases a study on K-12 schools' use of technology and privacy practices concluding:
  - Many schools use cloud-based services
  - Many schools do not understand the services
  - Many schools do not understand the contracts with the services, as a result:
  - Many schools surrender control of student data when using such services
  - Many schools do not inform parents of technology use
  - Many service providers place the responsibility for parental notice and consent on the schools
- January 2014: DOE response to Senator Markey
- Legislation introduced to prohibit commercial use of student data in VA, MD, WV, KY

How Does COPPA Fit In?

COPPA makes it an unfair/deceptive practice for an operator of an online service directed to children, or that has actual knowledge that it is collecting from a child, to collect or maintain personal information from a child under 13 without:
- giving notice to the parent;
- obtaining verifiable consent from the parent prior to collecting information;
- providing a reasonable means for the parent to review the information collected and refuse to permit its further use or maintenance; and
- establishing and maintaining reasonable procedures to protect confidentiality, security, integrity of information.

Operators cannot condition a child's participation in a game, the offering of a prize, or another activity on the child releasing more personal information than necessary for the activity.

What Services Are Covered?
- Online Services: Services Available Over or that Connect to the Internet or a Wide-Area Network
  - Includes mobile applications that permit kids to play network-connected games, engage in social media, interact with other content or services;
  - Includes Internet-enabled gaming platforms, VOIP services, Internet-enabled location based services;
  - Device neutral
- Commercial Sites/Services that are Directed to Children
  - Sites/services that target children based on the totality of the circumstances including: subject matter, visual content, child-oriented activities and incentives, animation, child celebrities, language, music
- Mixed Audience Sites/Services that Attract, but Do Not Target, Children
  - Can ask an age-gate question to determine which users are under 13
  - Must follow COPPA for those who indicate that they are under 13
- General Audience Sites that Gain Actual Knowledge That User Is Under 13

Who Is Responsible for Complying?
- The Operator of the Site or Service:
  - Any person who operates the site or service and collects personal information directly
  - Any person on whose behalf the information is collected, including any person offering products or services through the site/service
- Addresses the Prevalent Use of Ad Networks, Social Media Plug Ins
  - Operators of child-directed sites are strictly liable when they permit other online services to collect personal information
  - Operators of child-directed sites cannot avoid COPPA responsibilities by outsourcing functions
  - Parents cannot be expected to determine which entities might be collecting their child's information; the first-party operator is in the best position to know and disclose
  - Third party operators, such as ad networks, analytics providers, are liable when they are collecting information from users of a known child-directed site

When is Personally Identifiable Information Collected?

An Operator Collects PII from a Child:
- When it requests, prompts or encourages children to submit PII;
- When it enables children to make PII publicly available, i.e. chatrooms, message boards, unless the operator takes reasonable measures by employing technologies reasonably designed to capture all or virtually all PII;
- Whenever there is passive tracking of a child online;
- Collection must be from the child, online.

What Constitutes Personally Identifiable Information?
- First & Last Name
- Home/Physical Address
  - Include geolocation data equivalent to street and city name
- Online Contact Information
  - Email address or similar that permits direct contact with person online
  - Includes instant messaging, VOIP, video chat identifiers
- Screen Name or User ID
  - When used for functions other than support of internal operations
- Telephone Number
- Social Security Number
- Persistent Identifier
  - Customer number held in a cookie, IP address, processor or device serial number, UDI, when used for functions other than support of internal operations
- Identifier Linking Child Activities Across Websites or Services
- Photos, Videos, Audio Containing Child's Image or Voice
- Non-PII - Combined with Any of the Above

Are there any Exceptions?
- Where the parent's online contact information is collected for the purpose of getting parental consent and notice is given;
- Where the parent's online contact information is collected to notify and update the parent about the child's participation in an online service that DOES NOT collect, use or disclose child PII and notice is given;
- Where the child's online contact information is collected to respond directly to a one-time request, it is not used to re-contact the child or disclosed, and is deleted;
- Where the child's online contact information is collected to respond directly multiple times to a child's request, but the information is not used for any other purpose, disclosed, or combined with any other information, and notice is given;
- To protect the safety of the child and not any other purposes and notice is given;
- To protect site security/integrity, legally respond to law enforcement/judicial process, take precautions against liability;
- Where only a persistent identifier is collected and only used for support of internal operations;
- Where a mixed audience site/service collects a persistent identifier from a user that interacts with the operator and previously indicated that the user is not a child

How Do Operators Get Consent?
- Collect parent's online contact information from child
  - Typically email address; cannot be cell phone number
- Contact parent
  - Provide Just in Time direct notice to parent
    - Description of the PII operator has collected, what else will be collected
    - Purpose of the notification
    - What action parent must take, if any
    - Use operator will make of information
    - Link to privacy policy online
      - Must contain certain additional disclosures
      - Must include names of all operators collecting PII through the site/service
- Take reasonable steps to verify parent
  - Rule provides a sliding scale of methods, depending on risk associated with the activity in which the child wants to engage

What are Reasonable Steps?
- Providing a consent form to be signed by the parent, returned by mail, facsimile or electronic scan;
- Requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or another online payment system that provides notice of each discrete transaction;
- Having parent call a toll-free telephone number staffed by, or connect by video conference to, trained personnel;
- Checking government issued identification against databases (must be deleted immediately upon completion of verification);
- Where operator does not disclose PII, an email coupled with a confirmatory email, letter via US Post Office, or telephone call
  - Known as Email Plus;
  - Must notify parent that it can revoke consent given in first email

When Does the Operator Disclose PII?
- Whenever PII is released in identifiable form for any purpose, except support for internal operations;
  - Support for Internal Operations includes:
    - maintaining or analyzing the functioning of the online service
    - performing network communications
    - authenticating users of, or personalizing the content on, the online service
    - contextual advertising and frequency capping
    - protecting the security or integrity of the user, website or online service
    - ensuring legal or regulatory compliance
    - fulfilling a request of the child where the information will not be used to contact the child again or disclosed and is deleted
- Whenever PII is made publicly available in identifiable form by any means, including public posting through the Internet, on a personal home page or screen, a pen pal service, electronic mail service, message board or chat room.

What Else Must Operators Do?
- Safeguard PII
  - Operators must take reasonable measures to ensure that service providers and third parties they use have reasonable procedures in place to protect confidentiality, security and integrity of PII
  - Operators must not retain PII longer than reasonably necessary for purpose for which it was collected
  - Operators must take reasonable measures to avoid loss or exposure of PII when deleting it from their records
- Provide for Parental Access
  - Right to review, request deletion of, and withdraw consent for collection of PII from child

Implications of COPPA for Schools
- According to the Fordham study, many service providers contractually shift the obligation to comply with COPPA to the school
- The FTC states that an operator can rely on the school's authorization and not get parental consent themselves where:
  - The school contracts with the operator to collect PII from students;
  - PII collected is for the use and benefit of the school, and for no other commercial purpose;
  - The operator provides the school with full notice of its collection, use, and disclosure practices.
- The Fordham study recommends that schools assure there is a mechanism to gather parental consent where required by FERPA and that schools assist third party cloud service providers with parental notice and consent when required under COPPA.

Additional Considerations for Schools
- Online services may be used in the classroom without a contract
  - If a teacher uses a commercial photo-sharing or blogging site to allow students to work collaboratively, s/he may have simply accepted the site's standard Terms of Service
  - The school may not know of the use of this service
  - Parents likely are not informed of the use of the service or of its information use policies
- In general, schools may not want to take on the on-going responsibilities of standing in the parent's stead:
  - Monitoring changes to sites'/services' privacy policies
  - Reviewing the information collected from the child and requesting that it be deleted
  - Receiving any notifications that information is being disclosed to law enforcement or a child is at risk

What is PRIVO?
- Privacy Vaults Online, Inc.
  - Woman-owned, small business
- FTC-Approved Safe Harbor Regulatory Compliance Program Since 2004
  - PRIVO assesses and certifies Members' COPPA compliance
  - Certification reduces risk of penalties by FTC
  - Compliance Seal alerts public to operator's child privacy practices
- Proprietary API Tools for Securing Required Parental Consent
  - Easy for Parents and Operators of online services
  - Allows operators to unblock U13 children
  - Higher conversion rates reducing drop off
- Online Marketplace (June 2014)
  - Effective source of information for parents/children about online services/products available to them

Questions?
- Laurie Lynch Flick, 202.663.8166, lauren.lynch.flick@pillsburylaw.com
- Denise Tayloe, 571.297.1798, dtayloe@privo.com