The flipside of the scaremongering about teens and tweens playing games online is the fact that they provide excellent learning opportunities. Studies show that using online games, for example, teaches social skills, problem-solving, leadership, team building and self-confidence – all essential life skills. This is reassuring news for educators, parents and, most importantly, students themselves.
Nearly all online games and apps require the collection of personal information, but as a school or online service provider, are you aware of the law on the collection of children’s personal data?
To help educators in the US, the FTC has updated the FAQs supporting the Children’s Online Privacy Protection Act (COPPA), clarifying how parents, teachers and digital providers can protect children’s personal information.
This clarification will help promote the effective use of social media, online learning communities and even video games as educational tools.
The rules are very detailed, so we have outlined the most recent updates to COPPA’s frequently asked questions (FAQs), which set out how schools can support online learning and still protect minors’ personally identifiable information.
COPPA updates for social media and digital operators
As a provider of an online service, you may be approached by education professionals wanting to use your product in the classroom.
Service providers have legal responsibilities around collection of student information that need to be considered before jumping in.
Consent for data collection
Q: Under what circumstances can you – the site operator – rely on an educational institution to provide consent to collect students’ personal information?
A: If a school has contracted with you to use your site for educational purposes within the school institution ONLY, and the personal information collected from students is NOT used for any other commercial purpose, then you are not required as site administrator to obtain consent direct from parents.
You can presume that the school’s authorisation for the collection of students’ personal information is based on the school having obtained parents’ consent.
However, it is good practice to be able to show parents that you are not sharing the information when asked. It is also advisable to give the school full notice of your collection, use, and disclosure practices, so it can make an informed decision about using your services.
What the school will need to know
Q: What information about the collection, use and sharing of student personal information should I present to a school before entering in to an agreement with them?
Below is a list of potential questions an education professional will expect you to be able to answer.
- What types of personal information will you – the company – collect from students?
- How your site will use this personal information.
- Does the service provider use or share the information for commercial purposes not related to the online services requested by our school? For instance, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the agreement we have with the online service?
If the answer to any of the above is yes, the school cannot give consent to share personal information on behalf of the parent.
- Do you allow parents to review, edit and/or delete personal information collected from their children? If not, the school cannot consent on behalf of the parent.
- What measures do you as the site operator take to protect the security, confidentiality, and integrity of the personal information you collect?
- What are your data retention and deletion policies for children’s personal information?
COPPA updates for teachers, school administrators and principals
If you are planning to use an online product, game or service as part of your educational programmes, these questions and answers will help you get up and running.
Assessing suitability of an app or site
Q: Who should provide consent for use – an individual teacher, the school administration, or the school district?
Best practice dictates that schools or school districts decide whether a particular site’s or service’s information practices are appropriate. Many schools have a process for assessing sites’ and services’ practices so this task does not fall to teachers.
Consent for disclosure of students’ personal information
Q: Can we – the school – consent to a service providers’ collection, use or disclosure of personal information from students?
In short – yes. Many school districts are already contracted with third-party website operators to offer online programmes solely for the benefit of their students and the school system. These include homework helplines and web-based testing services.
In these cases, the schools can act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf.
However, schools are not permitted to act on a parent’s behalf if the online service plans to use children’s personal information for purposes outside of the agreed learning experience.
Whether the operator gets consent from the school or the parent, the operator must still comply with other COPPA requirements. For example, the site must provide parents with details of the types of personal information it collects, the ability to review what details have already been collected, and the ability to delete or edit any personal information.
Q: When the school gives consent, what are our obligations regarding notifying the parent?
It is best practice for the school to provide parents with a notice of the online services it will be using. Schools should also let parents know what personal information about students they have provided to service providers on their behalf.
In addition, you may want to share the websites’ individual practices on sharing and collecting personal information with parents. This allows the parent to assess the site’s or service’s practices and to exercise their rights under COPPA
Many school systems have implemented Acceptable Use Policies for Internet Use (AUPs) to educate parents and students about internet use in schools.
What schools need to ask
Q: What information does our school need to obtain from an online service provider, before agreeing to share student personal information so we can use their product?
We tackled these questions above, in the section titled: “What the school will need to know”. for a list of questions you as the educational institution will want to ask the online service provider.
Using publicly available social networks
Q: I want students in my school to share information for class projects using a publicly available online social network (such as twitter, google plus, or linked in). The network permits children to participate with prior parental consent. Can I register students in lieu of having their parents register them?
Assuming that your school hasn’t entered into an arrangement with the social network for the provision of school-related activities, the FTC recognises the school’s ability to act on behalf of the parents to provide in-school internet access.
However, where the activities and the associated collection or disclosure of children’s personal information will extend beyond school-related activities, the school should notify parents of its intent to allow children to participate in such online activities before giving consent on parents’ behalf.
We hope you’ve found our summary useful and that the FTC’s continued work to support the protection of children’s online privacy will lead to the increased use of online services and games in education.
The following resources are useful in explaining schools’ responsibilities when collecting personal data from students.
- The Family Educational Rights and Privacy Act (FERPA) sets out parents’ rights with respect to their children’s education records.
- Schools also must comply with the Protection of Pupil Rights Amendment which is also administered by the Department of Education