A new policy statement adopted by the Federal Trade Commission (FTC) on Thursday announced that the agency intends to enforce Children’s Online Privacy Protection Act (COPPA) rules barring companies from illegally collecting children’s data when they go online to learn. The statement acknowledges that while companies across the economy are becoming more aggressive in harvesting and monetizing individuals’ data, education technology (ed tech) providers cannot do the same.
The FTC explains that COPPA “demands enforcement of meaningful substantive limitations on operators’ ability to collect, use, and retain children’s data, and requirements to keep that data secure.” The statement underscores several COPPA prohibitions, including one barring mandatory data collection.
In addition, the FTC cautions, ed tech providers that collect a child’s personal information with school permission may not use that information for any commercial purpose, including marketing and advertising. Further, retention limitations bar providers from keeping information longer than necessary for the purpose for which it was collected, the statement says.
Lastly, the agency reminds ed tech companies that they must have sufficient procedures in place to “maintain the confidentiality, security, and integrity of children’s personal information.” Failure to follow the COPPA rules can and will result in civil penalties and other restrictions, the FTC adds.
In the agency’s accompanying press release, Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, commented that “[p]arents should not have to choose between their children’s privacy and their participation in the digital classroom. The FTC will be closely monitoring this market to ensure that parents are not being forced to surrender to surveillance for their kids’ technology to turn on.”
In recent years, FTC COPPA enforcement actions included a $2 million fine levied against OpenX, a company that monetizes websites and mobile apps by selling ad space, for improperly collecting children’s data in December 2021. Before that, the agency took issue with video game maker Miniclip S.A. over misleading statements about its membership in an online privacy program which helped ensure companies’ COPPA compliance.
