What’s New with COPPA?

Recent news of data breaches and child privacy infringement has become a recurring theme in federal and state legislative discussions. This has prompted increased scrutiny by officials and resulted in a few revisions to the existing regulations.

Against this backdrop, companies handling children’s data must remain vigilant to ensure compliance with COPPA requirements and adapt to any upcoming changes.

 

What is COPPA?

COPPA stands for the Children’s Online Privacy Protection Act, a United States law enacted in 1998 to protect the online privacy of children under the age of 13.

 

Who does COPPA apply to?

If you’re collecting data from children under 13 on your edtech platform, website, or app, COPPA applies to you. This includes things like names, email addresses, location data, learning progress, and even in-app purchases. Remember, “children” refers to anyone under 13, according to COPPA, regardless of how mature they might seem online.

 

What are the latest changes to COPPA?

Here are the 7 most notable changes you can expect to see:

1. To Collect Children’s Personal Information, You Need Distinct Parental Consent

Under the current COPPA guidelines, an operator must have parental consent prior to collecting, using, or disclosing children’s personal information. But now, the FTC is proposing to mandate parental consent. This will specifically affect disclosures, especially those intended for targeted advertising. The change will give parents greater control over how an edtech company utilizes their children’s data. It will also curb an operator’s capacity to use this information for advertising.

2. Schools Will Have The Authority To Authorize The Collection Of Personal Information

Schools, state educational agencies, and local educational agencies can authorize the collection of personal information from students under 13. This authorization works only when the data is solely used for educational purposes (it needs to be sanctioned by the school) and not for any commercial endeavor. The proposed change removes legal ambiguity for EdTech companies, allowing them to obtain COPPA consent from school districts rather than individually from each student’s parents. Also, schools must maintain a written agreement with EdTech providers outlining their requirements, ensuring clarity and compliance for all parties involved.

3. Maintain Reasonable Procedures To Safeguard Pi.

Operators are instructed to release children’s PI only to service providers and third parties capable of upholding its confidentiality, security, and integrity. The terms “reasonable procedures” and “reasonable steps” will be clarified further once the changes are formalized.

4. Detail Your Security Programs In Writing

Operators need to build and execute a comprehensive written security program to protect children’s information. This means you need to detail how long you will retain student information and procedures for deletion.

5. Ban on Push Notifications without Consent

Apps can no longer use children’s contact information to invite engagement. Methods like push notifications (“nudging”) are prohibited without parental consent, addressing concerns about excessive online service use.

6. Expanding Personal Information Scope

Biometric information is now included within the definition of protected personal data, reflecting the FTC’s focus on safeguarding this sensitive data type.

7. Transparency through Clearer Notices

Operators must clearly disclose the specific third parties receiving children’s data and the purposes for such sharing, both in direct parental notices and online notices. If used for internal operations, operators must explain the specific purpose and methods used to prevent the unauthorized use of persistent identifiers (e.g., cookies).

 

With great power comes great responsibility, especially when it comes to protecting children’s privacy. With COPPA undergoing significant changes, one needs to stay informed and adapt.

Whether you’re a seasoned player or just starting out, navigating COPPA can be daunting. Our team of experts understands the complexities of data privacy and security. Talk to us about our suite of services designed to help you embed data privacy features into products and comply with the security standards for edtech.