FTC Announces “Crack Down” on COPPA Violations by Ed Tech Companies
Amidst the rising focus on privacy issues affecting children and teens (which we’ve highlighted here, here, here, and here), the FTC just released a new Policy Statement on COPPA, its signature rule protecting the privacy of kids under 13. The Policy Statement, which the FTC unveiled at its May 19 Open Meeting, focuses in particular on COPPA’s application to education technologies used in and by schools to support learning (including remote learning during the pandemic). All five Commissioners voted for the Statement, including newly sworn-in Commissioner Bedoya, and four issued their own written statements. After the meeting, a bipartisan group of Senators, as well as President Biden, released statements praising the FTC’s actions.
While the FTC’s Republican Commissioners questioned whether there was anything really new in the Policy Statement (which was based on longstanding COPPA provisions, as well as FAQs posted on the FTC’s website), all seemed to agree that it elevates the issues highlighted and shows that COPPA is a top FTC priority.
And of course it is! Protecting kids and their data is one privacy issue that most people, regardless of professional or political affiliation, support. Further, under COPPA, the FTC can seek monetary relief (even post-AMG) and conduct rulemaking under the Administrative Procedures Act, as opposed to under the more cumbersome Mag-Moss process. So it’s not surprising that this issue would be high on the FTC’s agenda during this dynamic and volatile time for privacy.
What does the Policy Statement Say?
The Policy Statement emphasizes that COPPA includes substantive limits on the collection and use of children’s data (not just notice and consent requirements), and says that the FTC intends to fully enforce these provisions, including in school and learning settings where “parents may feel they lack alternatives.”
The Statement focuses in particular on the use of ed tech tools and devices, which have become integral to a range of school activities (especially during the pandemic) but which, per the Statement, raise concerns about data collection, use, and sharing beyond what’s necessary for these activities.
The statement describes COPPA’s substantive limits as follows:
- Prohibitions Against Mandatory Collection: Covered entities can’t condition participation in an activity on collecting more information from a child than is necessary for that activity. (This prohibition comes right out of the COPPA statute and is echoed in the rule.)
- Use Prohibitions: Covered entities, including ed tech providers, are “strictly limited” in how they can use data collected from children; for example, ed tech providers that collect kids’ data pursuant to a school’s authorization may use it only for the authorized educational purpose. (This isn’t in the COPPA statute or rule but builds on COPPA guidance and FERPA.)
- Retention Prohibitions: Covered entities can’t retain personal information from a child longer than reasonably necessary to fulfill the purpose for which it was collected. (This isn’t in the COPPA statute, but was added to the rule as part of the 2013 amendments.)
- Security Requirements: Covered entities must have reasonable procedures to maintain the confidentiality, security, and integrity of kids’ data. (This comes from the COPPA statute, and the FTC expanded these duties in the 2013 amendments. See Section 312.8)
What are some key takeaways?
- Kids’ privacy (and advertising) will be a major focus in the coming year. Yeah, this one is obvious, especially since the FTC released the Policy Statement alongside (1) a press release announcing an October 19 workshop on “stealth advertising” directed to children, and (2) proposed updates to the Endorsement Guides, with a new section addressing child-directed endorsements. (The May 23 announcement for Privacy Con also calls for research on privacy risks for kids and teens.) However, it’s worth noting that while the FTC has significant authority to address these issues (under COPPA and the FTC Act), that authority isn’t limitless. By law, COPPA is confined to children under 13, so the FTC can’t use it to address teens – currently a big concern. Further, Congress barred the FTC (long ago) from using its unfairness authority to regulate kids’ advertising. See FTC Act Section 18(h).
- The provisions highlighted in the Policy Statement aren’t limited to ed tech (for the most part). I say “for the most part” because one of the limits discussed (use limitations) is narrower than the Statement suggests. In particular, the Statement implies that COPPA contains “strict” use limitations that extend to all covered entities. In fact, the COPPA law and rule don’t contain broad use limitations (other than the limits created by notice and consent) – ed tech is a special case, woven together from COPPA guidance and FERPA.
- Ed tech and other covered entities should assess their compliance now. The FTC is unlikely to be sympathetic to any company caught violating the highlighted provisions. All five Commissioners voted for the Policy Statement; it reiterates longstanding COPPA requirements (mostly – see above); and it has bipartisan support in Congress. Although we may not see the big “crack down” promised in the FTC’s press release (indeed, the FTC has announced a lot of “crack downs” and it has a lot on its plate), the FTC is likely to conduct investigations and bring some cases here.
- The status of the COPPA regulatory review remains a mystery. A formal review of the COPPA rule has been pending since 2019, and Commissioners Wilson and Philips (among others) queried why the FTC would issue a policy statement instead of completing that review. Where’s the rule? Neither the Policy Statement nor discussions at the Open Meeting answered that question.
- The announcement provides clues about the FTC’s future plans. Clearly, the FTC is moving forward to impose more substantive limits on business conduct, as Khan has said it would. That’s evident here, as well as in FTC cases requiring, for example, deletion of data and algorithms as a remedy. Khan and her colleagues have also stated that they want to use unfairness more aggressively (for example, to stop “surveillance” and discrimination) – a strategy that could apply to cases and rulemakings across the FTC’s many program areas. In the coming months, we should expect to see stricter conduct limits imposed (or proposed) in multiple contexts, including in the FTC’s anticipated “surveillance” rulemaking.
- The Commissioners are worried about staff morale. In the face of crushing reports about the steep drop in staff morale at the agency, all of the Commissioners (in their oral and written remarks) thanked staff profusely for their work in developing the Policy Statement and related announcements. (As well they should.)
We’ll keep the news coming on kids and privacy!