The Children’s Online Privacy Protection Act (“COPPA”) governs an online operator’s collection of personal information from children, i.e., those under 13 years of age. Generally, the act requires verifiable parental consent before an online operator may collect a child’s “personal information,” a term that the rule broadly defines. Verifiable parental consent is not easy to obtain, but it has been simplified, per the FTC’s guidance, for operators collecting online information in partnerships with schools.
Verifiable Parental Consent
The general rule is that any method an operator uses to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent. Although the test is flexible, there are only a small number of relatively-difficult-to-implement methods for obtaining verifiable consent that are formally recognized. They are:
- Using a consent form to be signed by the parent and returned to the operator by postal mail, facsimile, or electronic scan;
- Requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
- Having a parent call a toll-free telephone number staffed by trained personnel
- Having a parent connect to trained personnel via video-conference;
- Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, where the parent’s identification is deleted by the operator from its records promptly after such verification is complete.
Consent in the Classroom
Schools, according to the FTC, are different. An online service provider that collects personal information from children through their participation in school can take the school’s word for it. The FTC has explained that “[m]any school districts contract with third-party website operators to offer online programs solely for the benefit of their students and for the school system – for example, homework help lines, individualized education modules, online research and organizational tools, or web-based testing services. In these cases, the schools may act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf.” Such operators, the FTC has noted, may “presume that the school’s authorization for the collection of students’ personal information is based upon the school having obtained the parents’ consent.” The best practice is to obtain consent from the school district or the school, rather than individual teachers.
While the consent process is simplified in the classroom context, however, there are still a couple of important things for operators to keep in mind when they collect personal information from children through partnerships with schools. First, a school’s ability to consent on behalf of a parent is limited to the educational context, i.e., “where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose.” An operator that does not comply with this limitation cannot rely on the school’s consent. Second, whether an operator obtains consent from the school or the parent, the operator “must still comply with other COPPA requirements.” This means that an operator must provide the school with all of the required notices, and it must allow parents to take certain measures with regard to use, disclosure, and retention of their children’s personal information.