Online Student Privacy Updates: COPPA Receives Clarification From The Federal Trade Commission And New Laws From The California Legislature

April 13, 2015 | Bulletin No. 1247039.1

Children Online Privacy Protection Act

The Children's Online Privacy Protection Act or COPPA was enacted by Congress in 1998 to prohibit unfair and deceptive acts or practices in connection with the collection, use, or disclosure of personally identifiable information from and about children on the Internet.  COPPA is intended to place parents in control of the information that is collected from their children online.

COPPA requires the Federal Trade Commission ("FTC") to issue and enforce regulations relating to children's online privacy.  The FTC adopted the COPPA Rule in 1999.  The Rule applies to operators of commercial websites and online services, including mobile apps, that collect, use, or disclose personal information from children under age 13.  Among other things, COPPA requires operators to post privacy policies online, provide notice to parents and obtain parental consent before collecting personal information from children while they are online.

Many school districts contract with third-party website operators to offer online programs for the benefit of their students and for the school system – for example, homework help lines, individualized education modules, online research and organizational tools, or web-based testing services.

The FTC provided guidelines for schools under the COPPA Rule in 2014, which have recently been updated in March 2015.  This update addresses parental consent in the educational context, the types and disclosure of personal information collected, and recommended best practices for informing parents.

Additional information regarding the updated guidelines is available in the FTC's COPPA FAQ's at:

What This Means to You

The FTC has clarified that school districts or schools that contract with third-party website operators and/or mobile app operators to offer online programs for educational purposes may consent on behalf of parents for the collection of pupil information by the third-party website operators.  The school's consent is of course limited to the educational context.  This was vague in prior guidelines.

As long as the operator limits the use of student information to the educational context authorized by the school or district, the operator can presume that the district or school’s authorization is based on the district or school’s having obtained the parent’s consent.  However, the operator must provide the school with full notice of its collection, use, and disclosure practices, so that the district or school may make an informed decision.

The FTC suggests as best practices, that school districts also provide parents with notices of the websites and online services whose collection it may have consented to on their behalf; consider the feasibility of allowing parents to review the personal information collected, and ensure operators delete children’s personal information once the information is no longer needed for its educational purpose.

Practically speaking, it is also important for a district to ensure that they are using contractual language to limit any third-party operator from using children's personal information to the educational purpose for which it has been collected, and prohibit use for the third-party's own commercial purposes.

District's should be sure to understand how an operator will collect, use, and disclose data collected from students before entering into any agreement for services.  The FTC suggests asking questions to determine what data is collected, how the data is used, is there any commercial use, is advertising involved, who can review and correct the data, what security measures are in place, and what are the data retention and destruction polices.

Many of these issues are covered in both federal and state laws and districts and/or schools must ensure that they are protecting student information and pupil records. Federal law and new California laws interact to provide positive protections for K-12 students. 

New California Laws

AB 1584

AB 1584 amends the Privacy of Pupil Records Article of the Education Code by adding section 49703.1, authorizing districts to enter into contracts with a third party to provide services for digital storage, management, and retrieval of pupil records and/or to provide digital educational software.  (Ed. Code, § 49073.1.)  Such contracts must include specified provisions, including a statement that the pupil records continue to be the property of and under the control of the local educational agency, a description of the actions the third party will take to ensure the security and confidentiality of pupil records, and a description of how the local educational agency and the third party will jointly ensure compliance with the federal Family Educational Rights and Privacy Act.

AB 1584 became effective on January 1, 2015, except that contracts in effect before January 1, 2015 having terms that are in conflict with the provisions of AB 1584, are not affected until the expiration, amendment, or renewal of the agreement.

SB 568 and SB 1177

SB 568 enacted the Privacy Rights of Minors in the Digital World Act which became effective on January 1, 2015.  SB 568 prohibits an operator of an Internet website or online service from knowingly using, disclosing, compiling, or allowing a third-party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. (Bus. & Prof. Code, §§ 22580-22582.)

The California Student Online Information Act (AB 1177), effective on January 1, 2016, will impose requirements upon operators of web sites, online services, online applications, or mobile applications prohibiting them from knowingly engaging in targeted advertising, using covered information to amass a profile about K-12 students, selling student information, or disclosing student information. (Bus. & Prof. Code, §§ 22584-22585.)

AB 1442

AB 1442 imposes new limits on school districts when gathering and maintaining any information from social media of any enrolled pupil.

These issues are complex and varied and your district should contact legal counsel for guidance in navigating this evolving area of providing a high quality, technology rich education.

We also updated you on recent legislative updates in our Legal Alert Student Health & Safety and Discipline Related Legislative Changes.


If you have any questions concerning this Legal Alert, please contact the following from our office, or the attorney with whom you normally consult:

Sally Jensen Dutcher | 916.321.4500 or Daniel M. McElhinney | 805.786.4302