
Post on 19-Jul-2020


Student Privacy Boot Camp for EdTech Companies

COPPA and FERPA

March 3, 2016

Emily S. Tabatabai

NOTHING IN THIS PRESENTATION IS INTENDED TO CONSTITUTE A LEGAL OPINION


COPPA Children’s Online Privacy Protection Act


Children’s Online Privacy Protection Act

•  What is COPPA?

•  Children’s Online Privacy Protection Act - Federal law enacted in 1998

•  Law directed the Federal Trade Commission (FTC) to create and enforce rules relating to the online privacy of children’s information. The FTC’s Children’s Online Privacy Protection Rule was effective in 2000 and amended in 2012.

•  Enforcement and penalties

•  Violations can carry penalties up to $16,000 per violation.

•  Penalties also include data destruction, 20 year reporting requirements

•  FTC enforces aggressively (25 public consent decrees since 1999)

•  Penalties range from $35,000 - $3,000,000

•  State Attorneys General may also enforce the Rule


Who is Covered?

The Rule applies to operators of commercial websites and online services (including mobile apps) that collect, use or disclose personal information from children under 13 in the following instances:

1.  The website or online service is directed to children under 13, or

2.  The general audience website or service has actual knowledge that it is collecting information from children under 13.

“Directed To”

•  Subject matter

•  Visual content

•  Use of animated characters

•  Child-oriented activities

•  Music or audio content

•  Age of models

•  Child celebrities

•  Language

•  Advertising directed to kids

•  Intended audience

“General Audience Site”

•  Collect birth date

•  Notified by child or parent

•  Also, knowledge that operator is collecting info from kids on a site that is directed to kids (i.e. plug-ins, ad networks)


What is Personal Data?

“Personal Information” of children under 13 is defined very broadly to include:

•  First and last name

•  home address including street name and name of city

•  online contact information (email address, username, screen name)

•  telephone number

•  social security number

•  persistent identifier (ex. cookie) that can be used to recognize the user over time

•  photograph, video or audio file that contains the child’s image or voice

•  geolocation information sufficient to identify street name and name of city

•  information collected by third party whose content or plugin is collecting information on the Operator’s site

•  any other information about the child or the child’s parents that the operator combines with the identifiers described above


What is Required?

•  Post a clear and comprehensive online privacy policy

•  Provide direct notice to parents and obtain verifiable parental consent before collecting PI online from children

•  Give parents the choice of consenting to the operator’s collection and use of a child’s PI, but prohibiting the operator from disclosing that PI to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents)

•  Provide parents access to their child's PI to review and/or have the information deleted

•  Give parents the opportunity to deny or rescind consent to use child’s PI

•  Maintain the confidentiality, security, and integrity of information they collect from children, and

•  Retain PI collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.


What Can I Collect Without Parental Consent?

• Must obtain parental consent before collecting personal information from the child, unless the collection fits into one of the limited exceptions to prior parental consent

• Exceptions to prior parental consent

•  For purpose of obtaining consent - When sole purpose of collection is to provide notice to parent and obtain parental consent. May collect name, email address and email address of parent. If consent is not obtained, must delete the information.

•  One time contact - When operator collects online contact information and no other information, for the sole purpose of responding one time to the child; PI is not used for any other purpose or to re-contact the child; PI is deleted after one-time contact

•  Internal Operations - When operator collects a persistent identifier and no other information and it is used solely to provide support for internal operations of the website


How Can I Get Parental Consent?

Email Plus

If operator uses information only for internal purposes and will not share the information with third parties, you may use “Email Plus”

1.  Send email notice to parent that provides information on the collection and use of child’s information (Rule sets forth what must be included in notice)

2.  Receive parental consent (usually via reply email)

3.  Follow up with confirmation email, fax, or telephone call to parent. Include parental notice information again, along with instructions on how to opt-out.

Verifiable Parental Consent

If operator uses information to share with third parties or to share publicly (or facilitate a means by which the child can share publicly), you must obtain verifiable parental consent. Methods:

§  consent form to be signed by parent and returned by mail, fax, or electronic scan

§  credit or online payment transaction ($$)

§  taking phone calls through toll-free telephone number or engaging in video conference

§  checking form of government-issued ID

§  knowledge-based identification

§  consent mechanism provided by Safe Harbor provider

Operator must obtain parental consent through a means “reasonably calculated,” in light of available technology, to ensure that the person providing consent is the child’s parent.


How Can I Avoid The Hassle and Expense?

Most companies go to great lengths to avoid collecting information from children that would trigger COPPA parental consent requirements.

•  Do not collect personal information

•  Collect only persistent identifiers that will be used solely to support internal operations

•  Implement an Age Screen to screen out kids under 13. If you have a general audience site (i.e., the site is not directed to kids under 13), you can block kids under 13 from providing personal information by implementing an Age Screen

Neutral Age Screen

Age screen mechanism must be age-neutral and not encourage falsification

Mechanism should request user to enter age accurately (i.e., require user to freely enter day, month, and year)

Do not warn the kid that users under 13 will not be permitted to participate

Use non-specific language when user is blocked (“Sorry, you are not permitted to register at this time”)

Use cookie to prevent back-buttoning to try again
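
The neutral age screen described above, sketched as server-side decision logic in JavaScript. This is an added example, not part of the original slides; the cookie name, its 30-day lifetime, the re-prompt wording and the function names are assumptions.

```javascript
// Added example. Names and cookie attributes are assumptions, not from the slides.
const MIN_AGE = 13;
const BLOCK_COOKIE = "age_screen"; // hypothetical cookie name
const NEUTRAL_MSG = "Sorry, you are not permitted to register at this time.";

// Parse a Cookie header ("a=b; c=d") into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Whole years between a freely entered birth date (numbers) and `now`, in UTC.
// Returns null for impossible dates (e.g. 31 February) and future dates.
function ageInYears(year, month, day, now) {
  const dob = new Date(Date.UTC(year, month - 1, day));
  if (dob.getUTCFullYear() !== year || dob.getUTCMonth() !== month - 1 ||
      dob.getUTCDate() !== day || dob > now) return null;
  const age = now.getUTCFullYear() - year;
  const hadBirthday = now.getUTCMonth() > month - 1 ||
    (now.getUTCMonth() === month - 1 && now.getUTCDate() >= day);
  return hadBirthday ? age : age - 1;
}

function evaluateAgeScreen(input, cookieHeader, now = new Date()) {
  // A browser that was blocked before gets the same answer, whatever it enters now.
  if (parseCookies(cookieHeader)[BLOCK_COOKIE] === "blocked")
    return { allowed: false, message: NEUTRAL_MSG, setCookie: null };
  const age = ageInYears(input.year, input.month, input.day, now);
  if (age === null) // re-prompt without hinting at any age threshold
    return { allowed: false, message: "Please enter a valid date of birth.", setCookie: null };
  if (age < MIN_AGE)
    return {
      allowed: false,
      message: NEUTRAL_MSG, // non-specific: never mentions the age limit
      setCookie: `${BLOCK_COOKIE}=blocked; Max-Age=2592000; Path=/; HttpOnly; Secure; SameSite=Lax`,
    };
  return { allowed: true, message: null, setCookie: null };
}
```
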


COPPA and Schools

If an operator is offering an online program solely for the benefit of students and the school, the school can act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf

•  School can consent to the collection of children’s information solely for educational purposes, and no other commercial purpose

—  i.e., operator cannot use children’s data for other purpose, like marketing, advertising, sharing with other parties unrelated to the educational context. If Operator wants to use student data for other commercial purpose, must get parental consent

•  Operator must provide school with COPPA notices, and provide (on request) a description of PI collected, an opportunity to review/delete the child’s PI, and opt-out of further collection

•  Prefer consent to come from the school or district, rather than teacher. School should have contract with Operator

•  Must delete children’s PI once information is no longer needed for educational purpose

•  Best practice: School should provide parents with notice of operators who collect and use children’s information (Acceptable Use Policies for Internet Use)

•  Examples of Operators who may presume consent from Schools: homework help lines, education modules, research tools, web-based testing services


COPPA Safe Harbor Programs

•  Rule created “Safe Harbor” program whereby an Operator is deemed to be in compliance with COPPA if it adheres to a set of self-regulatory guidelines approved by the FTC. To be approved by the FTC, the guidelines must be at least as restrictive as COPPA.

•  Most are merely self-regulatory compliance programs, which are overseen and audited by the organization. PRIVO, Imperium (ChildGuard Online), and Aristotle (Integrity System) have parental consent tools as well.

•  TRUSTe consent decree (November 2014) found that TRUSTe did not adequately maintain its oversight function and misled consumers as to the strength of its program.

Approved Safe Harbor Programs (as of 12/2015)

•  CARU

•  ESRB

•  Privo

•  TRUSTe

•  Aristotle International, Inc. (“Integrity”)

•  kidSafe

•  Imperium (“ChildGuard Online”)

•  iKeepSafe


Resources

•  Read the Rule http://www.ecfr.gov/cgi-bin/text-idx?SID=4939e77c77a1a1a08c1cbf905fc4b409&node=16:1.0.1.3.36&rgn=div5

•  Read the FAQs (last revised March 20, 2015) http://www.business.ftc.gov/documents/0493-Complying-with-COPPA-Frequently-Asked-Questions#GeneralQuestions

•  FTC 6-Step Compliance Plan for Your Business http://www.business.ftc.gov/documents/bus84-childrens-online-privacy-protection-rule-six-step-compliance-plan-your-business

•  Browse the FTC website section on children's privacy


FERPA Family Educational Rights and Privacy Act


Family Educational Rights and Privacy Act

What is FERPA?

•  Federal law that applies to educational institutions that accept public funds

•  Prohibits a school from disclosing personally identifiable information from a student’s educational record to a third party without consent from the parent. There are several exceptions, however.

•  Provides parents the right to inspect and correct the information contained in the student record

•  Rights transfer to the student when the student turns 18 or enters Higher Ed at any age.

Enforcement

•  FERPA is enforced by the Department of Education. School is responsible for (and liable for) compliance of its vendors and service providers.

•  Issue a complaint, cease and desist order, withhold further funding from Dept.

•  Seeks voluntary compliance before imposing sanctions


What Type of Data Does FERPA Protect?

“Educational Records” – Records that are directly related to a student and are maintained by an educational agency or institution or by a party acting for the educational agency or institution

“Personal Information” – direct identifiers (such as a student’s or family member’s name) and indirect identifiers (such as date of birth, mother’s maiden name)

•  Exceptions:

•  De-identified Data – De-identified data is data which has been stripped of all direct identifiers as well as indirect identifiers that may in combination identify a particular individual, may be shared with third parties without consent

•  Metadata – Metadata is contextual or transactional data (ex. data about how long a student took for a particular activity, when the activity was completed, etc.) that has been stripped of all direct and indirect identifiers is not covered by FERPA

•  (These data points could still be Personal Information if a reasonable person in the community could identify the individual student with this data in combination with readily available public information).


When is consent not required for disclosure?

An educational agency or institution may disclose personally identifiable information from the educational record without consent in limited circumstances, including:

•  To a School Official with a legitimate educational interest

•  To federal or state educational authority in connection with audit and evaluation of federally supported education program

•  To a representative of the Attorney General for law enforcement purposes

•  In connection with a student’s application for financial aid

•  Person designated in a federal grand jury subpoena or other subpoena

•  Accrediting organizations carrying out accrediting functions

•  Organizations conducting studies for purposes of developing, validating, administering predictive tests, administering student aid programs, improving instruction

•  Directory information not subject to these disclosure limitations, as long as student can opt-out


Directory Information

•  “Directory Information” – information contained in the educational record that would not generally be harmful if disclosed, including student name and address.

•  Usually, directory information includes name, telephone number, date and place of birth, honors and awards, clubs and sports, dates of attendance

•  School should establish which elements are considered “directory information” and notify parents that this information may be shared publicly. Parents usually have the right to opt-out of the sharing of directory information

→ Because parents have the ability to opt-out of Directory Information disclosures, this makes it difficult for EdTech providers to rely on Directory Information to supply necessary student data


To Be a “School Official”

Schools usually share data with a vendor/provider under the “School Official” exception to FERPA. Under this exception, Schools may share PII from the educational record without parent consent as long as the provider:

•  Performs a service or function for which the school would otherwise use its own employees (i.e., acts as an outsourced service provider)

•  Is under the direct control of the school with regard to the collection and use of data

•  Uses data only for authorized purposes and does not re-disclose PII from educational record to other parties unless with consent of School or permitted by FERPA

•  TIP: These restrictions (i.e., Direct Control; authorized use; and prohibition against re-disclosure) should be established in the contract between the school and the provider. Sometimes, these can be established in the online Terms of Service (TOS)

•  See slide on “Tip: Elements to Include in a Contract” at end of presentation


Obligations of EdTech vendors

•  Remember, when Personal Information is disclosed to the EdTech vendor, FERPA still governs its use! And the School is in control of, and responsible for, its protection.

•  EdTech vendor must:

•  Request only the personal information required for a particular task

•  Not use personal information for purposes other than those disclosed in the contract with the school

•  Not disclose student data to a third party without direction from and consent of school

•  Maintain appropriate physical, technical and administrative safeguards to protect student personal information

•  Create and maintain comprehensive security incident response policy and plan to notify in the event of a breach

•  Destroy personal information at the end of the contract term


FERPA Resources

FERPA Regulations, https://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf

Final Regulations, with comments, published by Department of Education, http://www.gpo.gov/fdsys/pkg/FR-2011-12-02/pdf/2011-30683.pdf

Privacy Technical Assistance Center:

•  Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, https://tech.ed.gov/wp-content/uploads/2014/09/Student-Privacy-and-Online-Educational-Services-February-2014.pdf

•  Responsibilities of Third Party Service Providers Under FERPA, http://ptac.ed.gov/sites/default/files/Vendor%20FAQ.pdf

•  Model Terms of Service, http://ptac.ed.gov/sites/default/files/TOS_Guidance_Jan%202015_0.pdf


Other Rules that May Apply

• Protection of Pupil Rights Amendment (PPRA) – (among other things) requires school to provide notice and opt-out rights to parents if students are going to participate in an activity involving the collection, disclosure, or use of PI collected from students and that will be used for marketing purposes (applies only to K-12 institutions)

• European Data Protection Directive – Generally, the same EU data protection law applies to student data as well, and may be more restrictive

•  Breaking News: US-EU Safe Harbor deemed invalid on Oct 6, 2015

•  Awaiting details on US-EU Privacy Shield


TIP: Elements to Include in Contract

To qualify to receive student records under the “School Official” exception, the service provider should agree to certain contractual provisions. Provisions also required under State Laws.

• Establish that the School “owns” the data and vendor will use it only according to terms of the contract and for the purpose to benefit the School

• What data elements will be collected or received from the School

• How data will be used by the vendor (explicit use)

• Restrictions against ability to share/re-disclose data to third parties, unless specifically consented to in the agreement

• Restrictions against using data for marketing, including behavioral targeting, or profile-building

• Caveat that vendor may use de-identified data, metadata or data that is shared under “directory information” exception for its own purposes, including to share with third parties

• Data retention and destruction policy

• Data security provisions, including each party’s responsibilities in the event of a data breach

TIP: Many Schools are under-staffed and lack legal counsel, and School representatives look to the Service Provider to confirm compliance with FERPA, COPPA and state laws


Emily S. Tabatabai

Emily S. Tabatabai is a founding member of Orrick’s Cybersecurity and Data Privacy team, which is nationally ranked by the Legal 500 US. As a Certified Information Privacy Professional in both European and US law (CIPP/EU, CIPP/US), she counsels companies on all matters of data privacy and consumer protection law, with a special focus on retail products, EdTech, online dating and social media, mobile and online gaming, and all manner of entrepreneurial start-up endeavors. Emily works with clients to evaluate compliance with multi-national laws, regulations, and best practices, and represents companies subject to regulatory investigations or litigation involving a spectrum of federal and state laws.

etabatabai@orrick.com

blogs.orrick.com/TrustAnchor

@EmilyTabatabai

Orrick, Herrington & Sutcliffe LLP | October 2015