Will the updated rule implementing the Children's Online Privacy Protection Act — finalized in the waning days of the Biden administration — be published by the Trump administration? What would it mean for schools if it remains intact?
Those are questions that school leaders are wondering about, as the future remains up in the air for the new rule implementing COPPA, a 26-year-old federal law that gives parents control over the data that websites collect from children younger than 13.
The new COPPA Rule is set to go into effect 60 days after it is published in the Federal Register, and companies would have a year before they must fully comply, said Reg Leichty, during a Consortium for School Networking webinar last week on the K-12 impacts of the latest iteration of the Federal Trade Commission’s COPPA Rule.
The regulation is enforced by the FTC, which clarifies the additional protections and procedures required for companies that collect the data of children 13 and younger. The FTC must review the COPPA Rule every five years, as stipulated by Congress in COPPA, said Leichty, attorney and founder of Foresight Law + Policy.
The new rule was approved by the FTC in a 5-0 vote just days before President Donald Trump’s inauguration in January. Since then, however, the FTC has transitioned from a Democratic to a Republican majority with the change in administrations.
There’s a chance — though unlikely — that the FTC could decide to not follow through with publishing the COPPA Rule in the Federal Register, Leichty said. It’s also possible that federal lawmakers could use the Congressional Review Act to revoke regulations that were recently approved by federal agencies like the FTC, he added.
“We have no indication or evidence that this is happening, but there’s a lot of change underway in Washington right now,” Leichty said. “We need to keep close watch on what the FTC does and also on what the new Congress does.”
Leichty noted that in the last Congress, the Children and Teens Online Privacy Protection Act, or COPPA 2.0, passed the Senate but languished in the House. The bill would have expanded COPPA’s coverage to teens ages 14-16. This and similar legislation are worth watching out for in the new Republican-led House and Senate, Leichty said.
Adding to this complicated federal policy landscape, Trump issued an executive order on Tuesday requiring “all executive departments and agencies, including so-called independent agencies," to submit all proposed and final "significant regulatory actions" to the White House before publication in the Federal Register.
The Center for Democracy & Technology said in a Wednesday statement that this executive order seeking complete control over most federal agencies, including the FTC, “contradicts” the Constitution.
Based on the Biden administration's update, here’s what student data privacy experts suggest schools should look out for under the revised COPPA Rule.
What has and hasn’t changed
While the law does not directly apply to school districts, the rule can affect the way K-12 leaders interact with ed tech companies.
That’s important to keep in mind, said Linnette Attai, a consultant and project director for CoSN’s Student Data Privacy Initiative and Trusted Learning Environment Program, during the webinar.
“There is no such thing, really, as a school employee having to comply with COPPA,” said Attai. “COPPA is something that would apply to your education technology providers that are creating products and services online that are intended for children under 13, or that know that they're collecting personal information from children under 13.”
The new rule requires that companies collect parental consent before using their children’s data for targeted advertising or disclosing their children’s information to third parties. In the case of schools, district leaders can give consent to ed tech companies in lieu of parental consent as long as children’s data is used only for educational purposes — and not commercial ones, Leichty said.
The COPPA Rule’s definition of “personal information” expanded to include biometric data like facial recognition or fingerprints. In addition, personal information now includes online contact information and government-issued IDs such as Social Security numbers, Attai said.
Companies will also be required to bolster safeguards by developing an information security plan. Under that plan, they must conduct annual risk assessments and implement safeguards to prevent the unauthorized disclosure, compromise or misuse of children’s sensitive information. Additionally, companies will have to regularly test and monitor those measures.
Though online providers cannot hold onto children’s data indefinitely, the FTC did not specify a duration. The commission, however, said information can be retained "for only as long as is reasonably necessary to fulfill the specific purpose(s) for which the information was collected.”
The new COPPA Rule added that when companies provide a direct notice to parents — or in the case of ed tech, to school districts — the operator must simply disclose how they intend to collect and use children’s data once given consent, similar to how a privacy policy is handled, Attai said.
This expanded disclosure means that schools will likely see more transparency from ed tech companies, particularly about the kind of personal data being collected and when that information will be deleted, Attai said. The rule also places a bigger focus on data security.
“So basically, what you're going to see in these notices — which are sent to parents but also should be sent to you as districts when a company is asking you to stand in lieu of parents in providing consent — you're going to see more information, and I think more good information, about what data is collected, how it's going to be used and who it's going to be shared with,” Attai said.
Dive Awards
