COPPA and Educational Websites
What is the Children’s Online Privacy Protection Act and how does it apply to your school entity?
The Children’s Online Privacy Protection Act (COPPA) applies to commercial and general audience websites where children under 13 years old will be sharing personally identifiable information such as a name, e-mail address, screen name, geo-location, or certain other identifying information. Increasingly, school districts must interpret a blurred line as to what constitutes a commercial or general audience website and what constitutes a contractor providing web-based services to the school district. Because COPPA does not apply to the latter, school districts should carefully examine their web-based education resources.
Websites, applications, and other internet-based resources generally fall into three categories – those that require a COPPA certification upon registration, those that delegate COPPA responsibility, and those that don’t require COPPA compliance.
For those that require COPPA certification, informed parent consent is required prior to any child under 13 accessing the resource. If school district personnel are completing the registration process on behalf of any students, those personnel must first obtain informed parent consent so that the district employee can legally register the child. Under no circumstances should any school district personnel acknowledge that parent consent has been given unless informed consent has actually been given by the parent. Misrepresenting that a parent has given consent when they have not may constitute forgery or fraud.
For those websites, applications, and other internet-based resources that do not directly require COPPA certification, school districts should determine whether the school district has a contractual obligation to comply with COPPA on behalf of the provider per the software or application user agreement, sales agreement, or any other user agreement that comes with the resource. Some such agreements delegate the responsibility for COPPA compliance to the school district. Consequently, if the contract or user agreement requires that the school district comply with COPPA on behalf of the provider, the school district must secure verifiable parent consent prior to utilizing the resource with users under 13.
In the remaining cases where COPPA compliance is not required by the electronic resource itself and no such delegation of COPPA compliance is found in the contract or user agreements, the school district does not have the responsibility to comply with COPPA. In most circumstances, this will be because COPPA does not apply to the website or web-based resource. Many educational resources where school districts have contracted directly with the provider will fall into this category because the personal information of students collected by the website or application is used for educational purposes only.
Because it’s not always clear where COPPA applies, school districts should carefully screen electronic resources and websites to ensure full compliance with the law. But COPPA is not a good reason to avoid a resource; rather, it simply means that parent consent will be required prior to using with students under 13 years old.
Clients who have questions regarding issues discussed in this article, or any education law matter, should feel free to call us at 215-345-9111.