With at least 70% of American schools shutting down, and others, if not all, to follow, school and millions of parents are faced with unprecedented challenges managing the children’s education from children’s homes through online schooling. Online schooling or “distance learning” presents not only operational and technical challenges of its own, but also presents concerns and challenges to properly protecting the privacy and security of student information. Even in view of a pandemic and emergency conditions, schools and online education providers are still required to meet legal obligations under various laws and implement best practices to not only meet the laws’ requirements but also to foster a secure environment for students to learn. The following provides a summary of the applicable federal and state laws impacting online learning, followed by general best practices.

Children’s Online Privacy Protection Act (COPPA). When it comes to the collection of personal information from children under 13, COPPA places parents in control. The Federal Trade Commission, (FTC) enforces the COPPA Rule, which details what operators of websites and online services must do to protect children’s online privacy. (16 C.F.R. §§ 312.1-312.13). Pursuant to COPPA, online educational providers need to include certain information in their posted privacy policies and get parental consent before collecting certain types of information from minors under the age of 13. The COPPA Rule sets out limited circumstances where operators are not required to get verifiable parental consent before collecting personal information online from children. (16 C.F.R. § 312.5(c)).

Under COPPA, an entity is collecting information if it:

  1. requests, prompts, or encourages the submission of information, even if it is optional;
  2. lets information be made publicly available (for example, with an open chat or posting function) unless it takes reasonable measures to delete all, or virtually all personal information before postings are public and delete all information from its records; or
  3. passively tracks a child online.

With limited exceptions for certain regulated entities, COPPA Rule violations are treated as unfair or deceptive acts or practices under Section 18(a)(1)(B) of the Federal Trade Commission Act and subject to FTC enforcement actions. (16 C.F.R. § 312.9; 15 U.S.C. § 6505). Penalties for violations may include: (1) injunctive relief; (2) civil penalties, and (3) consumer redress.

Family Educational Rights and Privacy Act (FERPA). FERPA protects the privacy of students’ education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education (“ED”). FERPA gives parents certain rights with respect to their children’s education records, which transfer to the student when he or she reaches the age of 18, or attends a school beyond the high school level. (20 U.S.C. § 1232g(d); 34 C.F.R. § 99.5(a)(1)). Pursuant to FERPA, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. (34 C.F.R. § 99.30(a)).

There are certain exceptions that allow schools to disclose those records, without consent, to certain parties (such as to other schools, to which a student is transferring) or under certain conditions (such as to comply with a court order). All the exceptions to the general consent requirement are set forth in 20 U.S.C. §§ 1232g(b)(1), (b)(2), (b)(3), (b)(5), (b)(6), (h), (i), and (j) and 34 C.F.R. § 99.31. The term “education records” is defined, with certain exceptions, as those records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution, or by a party acting for the agency or institution. 20 U.S.C. § 1232g(a)(4); 34 C.F.R. § 99.3.

The Department of Education has also issued a FAQ on managing compliance with FERPA in the face of COVID-19 and explaining the application of the health and safety emergency exception to the general consent requirement. 20 U.S.C. §§ 1232g (b) (1) (I), 34 C.F.R. § 99.31(a) (10), 99.36. If schools determine that a health and safety emergency exists due to COVID-19, FERPA permits nonconsensual disclosure of students’ health records only to appropriate parties—such as health officials. In addition, if schools learn that a student is out sick due to COVID-19, schools can generally disclose the information to other students and their parents, without having obtained prior written parental consent, but only if that information is in non-personally identifiable form, such that a reasonable person in the community would not be able to identify the student(s) who are absent due to COVID-19 with reasonable certainty.

State Law. In addition to federal student privacy laws, at least 40 states have passed student privacy laws in the recent years, and educational online institutions should also be aware and comply with these state law provisions as well.

Just as a sample of the approaches at the state level, the Illinois legislature passed the Student Online Personal Protection Act (SOPPA), 105 ILCS 85/1 et seq., which protects the privacy and security of student data when collected by companies operating websites, online services, or online/mobile applications primarily used for K-12 school purposes. SOPPA prohibits the use of student data for targeted advertising, the sale of student information gathered during the students’ use of the educational technology, and the use of data collected to amass a profile about a student. 105 ILCS 85/10. Effective July 1, 2021, Illinois school districts will be required (among other things) to post a list of operators with which the district has written agreements, copies of those written agreements, and other information about such operators on the school’s website, as well as to notify students and parents of any breach of student data by an operator of the school. 105 ILCS 85/27.

Best Practices. The following are best practices for online education providers and schools to enhance their compliance and reduce their risk of violation of both privacy federal and state laws, in light of the increased use of online service by students:

  • Draft and post a policy that complies with the provisions of COPPA, FERPA and state laws. The policy must clearly and comprehensively describe how personal information collected online from children is handled. Notably, in light of the current situation when online education is, or might become a necessity, the policy should also state that the same protections used in a classroom setting apply when online services are used outside of the classroom setting. The privacy policy link should be posted on the homepage and anywhere where the online entity collects personal information from children. The online entity should consider using a different font or color type for the link—a fine print on the bottom of the site will not suffice. The policy must necessarily include:
    • A list of all operators collecting personal information;
    • A detailed description of the types of information collected and how it is used;
    • A description of parental rights—including but not limited to: informing the parents that the children need not disclose more information than necessary to participate in activity, and that parents can review their child’s personal information, refuse to allow any further collection or use of the child’s information, or ask that the information be deleted.
  • Notify parents directly about the information practices before collecting any personal information from their children. This is a best practice for all personal information, not just for the information of minors. COPPA requires entities to give parents “direct notice” of the information practices before collecting information from children. Similarly, if there are subsequent material changes to the practices, the educational entity needs to send an updated privacy notice clearly identifying the changes made. These notices should be written in plain language so that they are easily understood by students, parents and educators.
  • Obtain parents’ verifiable consent before collecting personal information from their children. COPPA leaves open the method of obtaining consent; however, it should be reasonably designed in light of available technology to ensure that the person giving consent is the minor’s parent. Acceptable methods include but are not limited to the following: (1) sing a consent form and send it back via fax, email, or electronic scan; (2) call a toll-free number staffed by a trained person; (3) provide a copy of a form government issued ID to be checked against a database, as long as the information is later deleted once the identification process is finished.
  • Implement reasonable procedures to protect the security of children’s personal information. Reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children include the following: (1) minimizing collection of data, (2) using third party services capable of maintaining its confidentiality, security, and integrity, (3) holding on to children’s personal information only as reasonably necessary, and (4) securely disposing of the information once there are no longer reasonable legitimate reasons for retaining it.

As with any industry, COVID-19 has forced regulated entities to evaluate and balance compliance with applicable law and meeting the needs of those needing their services. Schools and online education providers are no different. Adopting broad, privacy and security-focused governance programs can ensure student information is used consistently and compliantly across platforms and in compliance with the growing number of laws impacting student privacy. Taft’s Privacy and Data Security Practice or Higher Education Practice can assist in answering any questions or developing strategy to assist in balancing the competing elements of the current school environment.