In late May, the Federal Trade Commission sought an injunction in the Northern District of California against Edmodo, which has historically offered school districts a virtual classroom platform with tools for assignments, quizzes, and similar items. The FTC argues that Edmodo violated the Children's Online Privacy Protection Act by failing to obtain parental consent to certain disclosures of children's personal information.

As the FTC has long expressed in guidance, schools can and commonly do consent on behalf of parents with respect to many software and similar solutions utilized in classrooms. But that guidance has also always had important caveats, two of which animate the FTC's complaint and are important for educational technology companies to bear in mind.

First, consent made by a school or teacher must, like consent by a parent, be informed consent. The FTC alleges that Edmodo did not provide teachers sufficient information as part of the onboarding process for teachers to decipher what information Edmodo collects and why. Part of this alleged failure stemmed from the fact that the information Edmodo did provide was buried within a much longer document "about international legal agreements, intellectual property, and publishers of third-party content," contrary to COPPA's requirement that a privacy notice to parents be specific to privacy matters. The FTC also alleges that, in any event, teachers were not required to click on the document containing the privacy-related information.

Second, a school or teacher may not consent on behalf of a parent to collection of information for all purposes, but rather solely for educational purposes. The FTC alleges that Edmodo utilized personal information of children for the non-educational purpose of serving advertising. This would violate the FTC's longstanding guidance that if "an operator intends to use or disclose children's personal information for its own commercial purposes [...] it will need to obtain parental consent."

Neither point breaks new ground as far as COPPA is concerned, because both have long been a part of the FTC's guidance. That said, the FTC's complaint does provide more clarity on its view of the mechanics of privacy policies and the way that teachers view them (or, as applicable, do not view them). Based on the allegations in the complaint, educational technology firms should be paying close attention to whether teachers and schools - where they are standing in the role of a parent providing consent - are required to acknowledge key terms relating to the protection of personal information of children. They should likewise audit their practices to ensure that consent made by a teacher is used for no more than the essential purpose of providing educational services, and not for additional purposes such as marketing.

To view Foley Hoag's Security, Privacy and The Law Blog please click here
