Student Privacy Boot Camp for EdTech Companies
COPPA and FERPA
March 3, 2016
Emily S. Tabatabai

NOTHING IN THIS PRESENTATION IS INTENDED TO CONSTITUTE A LEGAL OPINION

Children’s Online Privacy Protection Act (COPPA)

• What is COPPA?
  • Children’s Online Privacy Protection Act - Federal law enacted in 1998
  • Law directed the Federal Trade Commission (FTC) to create and enforce rules relating to the online privacy of children’s information. The FTC’s Children’s Online Privacy Protection Rule was effective in 2000 and amended in 2012.
• Enforcement and penalties
  • Violations can carry penalties up to $16,000 per violation.
  • Penalties also include data destruction, 20 year reporting requirements
  • FTC enforces aggressively (25 public consent decrees since 1999)
  • Penalties range from $35,000-$3,000,000
  • State Attorneys General may also enforce the Rule

Who is Covered?

The Rule applies to operators of commercial websites and online services (including mobile apps) that collect, use or disclose personal information from children under 13 in the following instances:
1. The website or online service is directed to children under 13, or
2. The general audience website or service has actual knowledge that it is collecting information from children under 13.

“Directed To”
• Subject matter
• Visual content
• Use of animated characters
• Child-oriented activities
• Music or audio content
• Age of models
• Child celebrities
• Language
• Advertising directed to kids
• Intended audience

“General Audience Site”
• Collect birth date
• Notified by child or parent
• Also, knowledge that operator is collecting info from kids on a site that is directed to kids (i.e. plug-ins, ad networks)

What is Personal Data?
“Personal Information” of children under 13 is defined very broadly to include:
• First and last name
• home address including street name and name of city
• online contact information (email address, username, screen name)
• telephone number
• social security number
• persistent identifier (ex. cookie) that can be used to recognize the user over time
• photograph, video or audio file that contains the child’s image or voice
• geolocation information sufficient to identify street name and name of city
• information collected by third party whose content or plugin is collecting information on the Operator’s site
• any other information about the child or the child’s parents that the operator combines with the identifiers described above

What is Required?

• Post a clear and comprehensive online privacy policy
• Provide direct notice to parents and obtain verifiable parental consent before collecting PI online from children
• Give parents the choice of consenting to the operator’s collection and use of a child’s PI, but prohibiting the operator from disclosing that PI to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents)
• Provide parents access to their child's PI to review and/or have the information deleted
• Give parents the opportunity to deny or rescind consent to use child’s PI
• Maintain the confidentiality, security, and integrity of information they collect from children, and
• Retain PI collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

What Can I Collect Without Parental Consent?

• Must obtain parental consent before collecting personal information from the child, unless the collection fits into one of the limited exceptions to prior parental consent
• Exceptions to prior parental consent
  • For purpose of obtaining consent - When sole purpose of collection is to provide notice to parent and obtain parental consent. May collect name, email address and email address of parent. If consent is not obtained, must delete the information.
  • One time contact - When operator collects online contact information and no other information, for the sole purpose of responding one time to the child; PI is not used for any other purpose or to re-contact the child; PI is deleted after one time contact
  • Internal Operations - When operator collects a persistent identifier and no other information and it is used solely to provide support for internal operations of the website

How Can I Get Parental Consent?

Operator must obtain parental consent through a means “reasonably calculated,” in light of available technology, to ensure that the person providing consent is the child’s parent.

Email Plus

If operator uses information only for internal purposes and will not share the information with third parties, you may use “Email Plus”
1. Send email notice to parent that provides information on the collection and use of child’s information (Rule sets forth what must be included in notice)
2. Receive parental consent (usually via reply email)
3. Follow up with confirmation email, fax, or telephone call to parent. Include parental notice information again, along with instructions on how to opt-out.

Verifiable Parental Consent

If operator uses information to share with third parties or to share publicly (or facilitate a means by which the child can share publicly), you must obtain verifiable parental consent. Methods:
• consent form to be signed by parent and returned by mail, fax, or electronic scan
• credit or online payment transaction ($$)
• taking phone calls through toll-free telephone number or engaging in video conference
• checking form of government-issued ID
• knowledge-based identification
• consent mechanism provided by Safe Harbor provider

How Can I Avoid The Hassle and Expense?

Most companies go to great lengths to avoid collecting information from children that would trigger COPPA parental consent requirements.
• Do not collect personal information
• Collect only persistent identifiers that will be used solely to support internal operations
• Implement an Age Screen to screen out kids under 13. If you have a general audience site (i.e., the site is not directed to kids under 13), you can block kids under 13 from providing personal information by implementing an Age Screen

Neutral Age Screen

• Age screen mechanism must be age-neutral and not encourage falsification
• Mechanism should request user to enter age accurately (i.e., require user to freely enter day, month, and year)
• Do not warn the kid that users under 13 will not be permitted to participate
• Use non-specific language when user is blocked (“Sorry, you are not permitted to register at this time”)
• Use cookie to prevent back-buttoning to try again

COPPA and Schools

If an operator is offering an online program solely for the benefit of students and the school, the school can act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf
• School can consent to the collection of children’s information solely for educational purposes, and no other commercial purpose
  • i.e., operator cannot use children’s data for other purpose, like marketing, advertising, sharing with other parties unrelated to the educational context. If Operator wants to use student data for other commercial purpose, must get parental consent
• Operator must provide school with COPPA notices, and provide (on request) a description of PI collected, an opportunity to review/delete the child’s PI, and opt-out of further collection
• Prefer consent to come from the school or district, rather than teacher. School should have contract with Operator
• Must delete children’s PI once information is no longer needed for educational purpose
• Best practice: School should provide parents with notice of operators who collect and use children’s information (Acceptable Use Policies for Internet Use)
• Examples of Operators who may presume consent from Schools: homework help lines, education modules, research tools, web-based testing services

COPPA Safe Harbor Programs

• Rule created “Safe Harbor” program whereby an Operator is deemed to be in compliance with COPPA if it
adheres to a set of self-regulatory guidelines approved by the FTC. To be approved by the FTC, the guidelines must be at least as restrictive as COPPA.

Approved Safe Harbor Programs (as of 12/2015)
• Privo
• CARU
• ESRB
• TRUSTe
• Aristotle International, Inc. (“Integrity”)
• kidSafe
• Imperium (“ChildGuard Online”)
• iKeepSafe

• Most are merely self-regulatory compliance programs, which are overseen and audited by the organization. PRIVO, Imperium (ChildGuard Online), and Aristotle (Integrity System) have parental consent tools as well.
• TRUSTe consent decree (November 2014) found that TRUSTe did not adequately maintain its oversight function and misled consumers as to the strength of its program.

Resources

• Read the Rule
  http://www.ecfr.gov/cgi-bin/text-idx?SID=4939e77c77a1a1a08c1cbf905fc4b409&node=16:1.0.1.3.36&rgn=div5
• Read the FAQs (last revised March 20, 2015)
  http://www.business.ftc.gov/documents/0493-Complying-with-COPPA-Frequently-Asked-Questions#GeneralQuestions
• FTC 6-Step Compliance Plan for Your Business
  http://www.business.ftc.gov/documents/bus84-childrens-online-privacy-protection-rule-six-step-compliance-plan-your-business
• Browse the FTC website section on children's privacy

Family Educational Rights and Privacy Act (FERPA)

What is FERPA?
• Federal law that applies to educational institutions that accept public funds
• Prohibits a school from disclosing personally identifiable information from a student’s educational record to a third party without consent from the parent. There are several exceptions, however.
• Provides parents the right to inspect and correct the information contained in the student record
• Rights transfer to the student when the student turns 18 or enters Higher Ed at any age.

Enforcement
• FERPA is enforced by the Department of Education. School is responsible for (and liable for) compliance of its vendors and service providers.
• Issue a complaint, cease and desist order, withhold further funding from Dept.
• Seeks voluntary compliance before imposing sanctions

What Type of Data Does FERPA Protect?
“Educational Records” – Records that are directly related to a student and are maintained by an educational agency or institution or by a party acting for the educational agency or institution

“Personal Information” – direct identifiers (such as a student’s or family member’s name) and indirect identifiers (such as date of birth, mother’s maiden name)
• Exceptions:
  • De-identified Data – De-identified data, which has been stripped of all direct identifiers as well as indirect identifiers that may in combination identify a particular individual, may be shared with third parties without consent
  • Metadata – Contextual or transactional data (ex. data about how long a student took for a particular activity, when the activity was completed, etc.) that has been stripped of all direct and indirect identifiers is not covered by FERPA
  • (These data points could still be Personal Information if a reasonable person in the community could identify the individual student with this data in combination with readily available public information).

When is consent not required for disclosure?

An educational agency or institution may disclose personally identifiable information from the educational record without consent in limited circumstances, including:
• To a School Official with a legitimate educational interest
• To federal or state educational authority in connection with audit and evaluation of federally supported education program
• To a representative of the Attorney General for law enforcement purposes
• In connection with a student’s application for financial aid
• Person designated in a federal grand jury subpoena or other subpoena
• Accrediting organizations carrying out accrediting functions
• Organizations conducting studies for purposes of developing, validating, administering predictive tests, administering student aid programs, improving instruction
• Directory information not subject to these disclosure limitations, as long as student can opt-out

Directory Information

• “Directory Information” – information contained in the educational record that would not generally be harmful if disclosed, including student name and address.
• Usually, directory information includes name, telephone number, date and place of birth, honors and awards, clubs and sports, dates of attendance
• School should establish which elements are considered “directory information” and notify parents that this information may be shared publicly. Parents usually have the right to opt-out of the sharing of directory information
→ Because parents have the ability to opt-out of Directory Information disclosures, this makes it difficult for EdTech providers to rely on Directory Information to supply necessary student data

To Be a “School Official”

Schools usually share data with a vendor/provider under the “School Official” exception to FERPA. Under this exception, Schools may share PII from the educational record without parent consent as long as the provider:
• Performs a service or function for which the school would otherwise use its own employees (i.e., acts as an outsourced service provider)
• Is under the direct control of the school with regard to the collection and use of data
• Uses data only for authorized purposes and does not re-disclose PII from educational record to other parties unless with consent of School or permitted by FERPA
• TIP: These restrictions (i.e., Direct Control; authorized use; and prohibition against re-disclosure) should be established in the contract between the school and the provider. Sometimes, these can be established in the online Terms of Service (TOS)
• See slide on “Tip: Elements to Include in a Contract” at end of presentation

Obligations of EdTech vendors

• Remember, when Personal Information is disclosed to the EdTech vendor, FERPA still governs its use! And the School is in control of, and responsible for, its protection.
• EdTech vendor must:
  • Request only the personal information required for a particular task
  • Not use personal information for purposes other than those disclosed in the contract with the school
  • Not disclose student data to a third party without direction from and consent of school
  • Maintain appropriate physical, technical and administrative safeguards to protect student personal information
  • Create and maintain comprehensive security incident response policy and plan to notify in the event of a breach
  • Destroy personal information at the end of the contract term

FERPA Resources

FERPA Regulations, https://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf
Final Regulations, with comments, published by Department of Education, http://www.gpo.gov/fdsys/pkg/FR-2011-12-02/pdf/2011-30683.pdf
Privacy Technical Assistance Center:
• Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, https://tech.ed.gov/wp-content/uploads/2014/09/Student-Privacy-and-Online-Educational-Services-February-2014.pdf
• Responsibilities of Third Party Service Providers Under FERPA, http://ptac.ed.gov/sites/default/files/Vendor%20FAQ.pdf
• Model Terms of Service, http://ptac.ed.gov/sites/default/files/TOS_Guidance_Jan%202015_0.pdf

Other Rules that May Apply

• Protection of Pupil Rights Amendment (PPRA) – (among other things) requires school to provide notice and opt-out rights to parents if students are going to participate in an activity involving the collection, disclosure, or use of PI collected from students and that will be used for marketing purposes (applies only to K-12 institutions)
• European Data Protection Directive – Generally, the same EU data protection law applies to student data as well, and may be more restrictive
  • Breaking News: US-EU Safe Harbor deemed invalid on Oct 6, 2015
  • Awaiting details on US-EU Privacy Shield

TIP: Elements to Include in Contract

To qualify to receive student records under the “School Official” exception, the service provider should agree to certain contractual provisions. Provisions also required under State Laws.
• Establish that the School “owns” the data and vendor will use it only according to terms of the contract and for the purpose to benefit the School
• What data elements will be collected or received from the School
• How data will be used by the vendor (explicit use)
• Restrictions against ability to share/re-disclose data to third parties, unless specifically consented to in the agreement
• Restrictions against using data for marketing, including behavioral targeting, or profile-building
• Caveat that vendor may use de-identified data, metadata or data that is shared under “directory information” exception for its own purposes, including to share with third parties
• Data retention and destruction policy
• Data security provisions, including each party’s responsibilities in the event of a data breach

TIP: Many Schools are under-staffed and lack legal counsel, and School representatives look to the Service Provider to confirm compliance with FERPA, COPPA and state laws

Emily S. Tabatabai

Emily S. Tabatabai is a founding member of Orrick’s Cybersecurity and Data Privacy team, which is nationally ranked by the Legal 500 US. As a Certified Information Privacy Professional in both European and US law (CIPP/EU, CIPP/US), she counsels companies on all matters of data privacy and consumer protection law, with a special focus on retail products, EdTech, online dating and social media, mobile and online gaming, and all manner of entrepreneurial start-up endeavors. Emily works with clients to evaluate compliance with multinational laws, regulations, and best practices, and represents companies subject to regulatory investigations or litigation involving a spectrum of federal and state laws.

blogs.orrick.com/TrustAnchor
@EmilyTabatabai

Orrick, Herrington & Sutcliffe LLP | October 2015