In a new enforcement policy statement, the Federal Trade Commission (FTC) announced it will vigorously enforce the Children’s Online Privacy Protection Act (COPPA), particularly against educational technology companies that provide services used in schools and that collect personal information from children under 13.  The statement, which was approved unanimously at the FTC’s May 19 Open Meeting, is one of the first clear indications of the FTC’s intent to impose “substantive limits” on data collection and use as opposed to focusing on whether companies provided notice of their collection of children’s data and obtained parental consent to do so. The unanimous vote, one of the first for newly confirmed Commissioner Alvaro Bedoya, suggests the FTC will closely scrutinize EdTech providers and will prioritize enforcement of COPPA’s limitations on use, retention, and data security, as well as data collection.

Substantive Limits on Data Collection and Use: The FTC’s policy statement does not actually change the FTC’s authority under the COPPA statute but it does invoke substantive provisions of the COPPA Rule that have not seen much enforcement in the past.  These provisions include:

• Collection Limitations – COPPA, and §  312.7 of the COPPA rule, prohibit covered companies from “conditioning” a child’s participation in an online activity on the collection of “more personal information than is reasonably necessary” for the child’s participation.  The FTC explained that companies cannot require students to submit to “unnecessary data collection” in order to do their schoolwork.

• Use Prohibitions – COPPA places some limits on how companies can use personal information they collect from children.  The FTC states it will prohibit educational technology firms from using children’s personal information, collected as a result of school authorization, for any commercial, marketing, or advertising purpose unrelated to providing the school-requested online service. (Note: some of these prohibitions are specific to Ed Tech, as they depend on student privacy restrictions in the Federal Educational Rights and Privacy Act (FERPA)).

• Retention Limitations – COPPA-covered companies must not retain personal information collected from children for “longer than reasonably necessary to fulfill the purpose for which it was collected.”  The FTC states it is unreasonable to retain children’s information for speculative future purposes.

• Data Security – COPPA has long required covered companies to implement reasonable security protections for children’s personal information.  The FTC emphasized that covered entities can violate this requirement even if they have not experienced a breach.

Key Takeaways:  The policy statement does not substantively change companies’ existing obligations under COPPA, but the FTC’s aggressive rhetoric indicates that kids’ privacy will be a top priority for the Commission – and it won’t be limited to Ed Tech.  

• Expect More COPPA Enforcement – Unlike violations of Section 5 of the FTC Act, COPPA violations carry civil penalties and other monetary relief.  In the wake of last year’s decision in AMG Capital Management v. FTC, the FTC is reevaluating all of its existing tools and thinking creatively to pursue aggressive enforcement and deterrence – so expect more COPPA enforcement.

• Data Minimization at the Forefront – The FTC is plainly moving away from a “notice and consent” focus and towards an enforcement regime that imposes more “substantive limits” on the collection, use, and retention of data, a theme that Chair Khan has reiterated several times in recent months.  A recent speech from the Director of the FTC’s Bureau of Consumer Protection highlighted that the FTC will seek to use its unfairness authority more aggressively to stop “commercial surveillance” in a wide variety of contexts, through both enforcement and rulemaking.

• Review Your COPPA Compliance – If you operate a child-directed service, or have actual knowledge that children under 13 are using your site, now is the time to ensure you are complying with COPPA – especially in the Ed Tech space. If you collect kids’ information, you should understand the limitations and any exceptions that permit collection and use without obtaining verifiable parental consent.  With bipartisan support for kids’ privacy at the Commission and in Congress, the FTC will be looking to bring more cases under COPPA.  Investigations are sure to follow.

Baker Botts lawyers closely follow developments at the FTC.  If you need assistance complying with the COPPA rule, or other privacy, security or consumer protection issues, please contact Ben Rossen, Maureen Ohlhausen, or another member of Baker Botts’ privacy and data security team.

ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.