The attorneys general from 24 states and the District of Columbia are urging the Federal Trade Commission to strengthen rules prohibiting ed-tech companies and other web-based platforms from collecting personal information from children under age 13 and using that information to track them online.
Issued in 2000 and revised in 2013, an FTC rule related to the Children’s Online Privacy Protection Act of 1998, or COPPA, requires that online operators provide notice to parents and obtain their consent before collecting, using, or disclosing personal information from children.
Among other things, the rule also mandates that companies secure the information and bans them from conditioning children’s participation in activities on the collection of more personal information than reasonably necessary to participate in such activities.
But in their Dec. 9 letter to the FTC, the 25 attorneys general said those rules aren’t providing parents and students with the safeguards they need.
The FTC should reconsider its guidance essentially stating that the COPPA rule allows schools to act as “intermediaries” between operators and parents, as it pertains to COPPA’s requirement for parents to give their consent for their children’s information to be collected.
“Children are more susceptible to deception and exploitation, which is why I’m proud to push for added legal protections for our minors,” said Nevada Attorney General Aaron D. Ford, in a statement accompanying the letter. “No one should be allowed to take advantage of Nevada’s children by collecting their private information.”
The state officials said the issue has become more urgent with the “explosion” of the ed-tech market, which they estimated is now an $11 billion industry.
Ed-tech tools are often designed to encourage use by students at home or for non-educational purposes, the AGs said.
For example, Google’s G-Suite for Education is marketed to schools as a purely educational platform tool, but includes access to Gmail, Calendar, Talk/Hangouts and Drive, among other Google services.
“In a commercial context, Google relies on these same services to collect and monetize users’ personal data,” the attorneys general wrote.
The FTC declined to comment when asked by EdWeek Market Brief to respond to the AGs’ letter.
Stricter Definitions for Marketing Tech?
The state AGs signing the letter were from Connecticut, Delaware, Idaho, Illinois, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Nebraska, New Mexico, New York, North Carolina, Oregon, Pennsylvania, Tennessee, Vermont, Virginia and Washington, plus the District of Columbia.
The attorneys general also criticized the COPPA rule’s definitions of “operator” and “website or online service directed to children” as out of step with advances in the tech field.
For instance, it could be argued that none of the thousands of marketing technology firms are covered by the existing “operator” definition, because the main sources of data they collect are not their own websites, but other operators’ websites that fall within the definition.
In addition, while the COPPA rule established strict liability for first-party websites and other online services that provide child-directed content, many, if not all, of the platforms embed third parties to do “the bulk of the types of privacy-invasive online tracking COPPA is concerned with,” the attorneys general wrote.
The COPPA rule binds third parties only if they have actual knowledge that they are tracking children under 13, a provision that requires significant strengthening, the attorneys general argued.
The threshold establishes “actual knowledge” as either an instance where the child-directed content provider directly communicates the child-directed nature of its content to the third party or where a representative of the third party “recognizes the child-directed nature of the content,” the letter notes. That level of regulation doesn’t work in practice, the state officials said.
“Self-regulatory systems like this are ineffective when those responsible for the self-regulation profit handsomely from failing to do so,” the attorneys general wrote. “On top of these structural problems, the largely automated nature of the modern data economy and the sheer volume of information and transactions involved make it even easier for platforms and publishers to feign ignorance of each other’s practices and target audiences.”
In addition to expanding COPPA applicability to more entities, the attorneys general said the rule’s definition of protected “personal information” should expand to biometric data such as imagery of the iris, retina, fingerprint, hand, palm, vein patterns, and voice recordings, and keystroke patterns, gait patterns, and sleep, health, and exercise data that contain identifying information, in addition to genetic information.