The Children’s Online Privacy Protection Act (COPPA) was enacted by Congress in 1998, and it is regulated by the Federal Trade Commission. The primary goal of COPPA is to allow parents to have control over what information is collected online from their children under age 13.

The law applies to any operators of websites, online services including web-based testing, programs or “apps” that collect, use, or disclose children’s personal information, whether at home or at school. COPPA only applies to personal information collected online from children; however it does not cover information collected from adults that may pertain to children.

The personal information covered can include the child’s name, email, phone number or other persistent unique identifier, and information about parents, friends and other persons.

Schools were given an exception from some COPPA requirements. Specifically, they are allowed to provide parental consent to operators for the use of strictly educations apps and services, but they do not HAVE to disclose to parents the websites for which they are contracting and ultimately issuing Verified Parent Consent (VPC) through their Acceptable Use Policy (AUP) process.

Unfortunately, one challenge with COPPA is that many schools fail to engage in proper due diligence in reviewing third-party privacy and data-security policies, and inadvertently authorize data collection and data-mining practices that parents find unacceptable.

What rights do parents have under COPPA?

Per FTC guidance on best practices, schools should be providing parents with a list of all the online programs that a child participates in at school and at home which are collecting a child’s personal information.   If an under-13 child is participating in an online program from a service provider or commercial website collecting personal information, whether for instructional, testing, or other purposes, the school and/or vendor or service provider must provide parents with a clear and prominent privacy policy and use practices on its website or elsewhere, including the following:

  • The name, address, telephone number, and email address of the vendors collecting or maintaining personal information through the site or service;
  • A description of what personal information the operator is collecting, including whether the website or program enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; and
  • That the parent can review or have deleted the child’s personal information and refuse to permit its further collection or use, and provide the procedures for doing so.
  • Best practice on the part of the school would also be to require written consent from parents if their child under 13 is using such a program, especially if the program contains ads or any marketing material.

For more information, visit the FTC website.