Youth Privacy Protection and the Failure of COPPA in Schools

By: Bella Gianani YLS ‘23

The data marketplace has become one of the largest and most profitable in the United States, complete with databases on billions of facets on the lives of U.S. consumers. While the datafication of the human experience has been largely accepted as a reality, the personal information of children has been determined to warrant heightened legal protection. Student data, in particular, is seen as particularly sensitive, as ‘information deriving from pursuit of an education should not be exploited without restraint.’ Current federal policy, in the form of COPPA, has failed to adequately protect the privacy rights of children, especially within the nation’s schools.

The Children’s Online Privacy Protection Act (COPPA) was enacted in 1998, amidst growing concerns about the dissemination of children’s data on the internet. Legislators were particularly concerned that children would be unable to meaningfully understand the potential consequences of giving out their personal information online and would be susceptible to harms from deceptive trade practices, abuses by online marketers, and more sinister threats to children’s safety. With the passage of COPPA, Congress aimed to limit the amount of personally identifiable information collected about children without parental consent. Though a worthy and necessary goal, COPPA has proven ineffective at achieving this aim.

COPPA Requirements

COPPA specifically prohibits unfair and deceptive practices in the collection, use and disclosure of personal information online of children under the age of 13. The Act applies to all online services, including websites and applications, operated for commercial purposes that are “directed towards children under 13” or general audience sites that have knowledge that children under 13 are providing their personal information on the site.

In order to be COPPA compliant, sites that collect data from children under 13 must post a privacy policy that lists all third-party operators collecting personal information, a description of the personal information collected and how it is used, and a notification of parental rights to review or delete the information. COPPA also requires that sites give parents ‘direct notice’ of their information practices and obtain parents’ verifiable consent before collecting any personal information from their kids. If a parent’s verifiable consent is obtained, companies are then required to implement procedures to protect the confidentiality, security and integrity of personal information collected from children.

Age Fraud

Though the stipulations of the Act are certainly expansive and restrictive, the goals of the legislation have failed to be achieved in practice. As it currently stands, COPPA creates an incentive for users to commit age fraud. While children under 13 are not barred from sharing personal information, as long as they have parental permission, many sites opt to disallow children under 13 from using their services due to the high cost of complying with the law and the risk undertaken if they err in complying. These age restrictions are relatively easy for children to circumvent, and parents often help their kids to do so without an adequate understanding of the risks undertaken.

The prevalence of age fraud can be seen through popular social media sites like Facebook, Twitter, Instagram and Snapchat, which each require users to be 13 years old to create an account. Despite the minimum age requirement of most major social media platforms, 50% of U.S. children open their first social media profile by age 12. Since websites are able to claim they do not allow under 13-year-olds to use their site, companies are able to bypass not only obtaining parental consent to collect data, but all other protections under COPPA regarding how the collected data may be used. In practice, COPPA encourages age fraud and allows for the free use and sale of children’s data, as long as companies can claim they did not have knowledge that they were using it.

COPPA in Schools

In addition to social networking sites and applications, children’s data is at risk of exploitation within U.S. schools. In 2019, 65% of teachers used digital learning tools – defined as websites, apps, and online tutorials, games, videos, or programs – daily in their classroom instruction. The virtual learning required by the pandemic has exponentially increased the U.S. school system’s reliance on third-party educational tools, with frightening implications for student privacy rights online.

Privacy nonprofit Me2B Alliance analyzed a sample of mobile applications used in schools across the country to determine the extent to which student personal information was being shared from educational sites. Alarmingly, the study found 60% of education apps used by schools were sending student data to third-party advertising platforms. Of the sample of schools included in the research, 67% of public schools were found to be sending data compared to 57% of private schools. The discrepancy between public and private institutions is particularly troubling as this suggests students at public schools are more likely to have their personal information shared than those who are able to attend a private school. Furthermore, public schools most likely use public funding to develop or outsource the apps, suggesting taxpayers are likely funding the use of apps that are sending student data to advertisers. Disturbingly, 18% of apps used by public schools send data to ‘very high-risk third parties,’ or vendors that further share student data in networks consisting of hundreds or even thousands of other entities.

Once shared with multiple third-parties, data becomes more susceptible to malicious breaches. And it is not just the sharing of names or birthdates that is cause for concern. A study by Fordham University found that companies have gathered lists of student data that includes as personal characteristics as location, affluence, lifestyle and even social characteristics such as ‘awkwardness.’

The situation in schools is complicated further by the FTC’s policy that schools can consent on behalf of parents to the collection of student personal information, with the stipulation that data collected must be only for a school-authorized educational purpose and for no other commercial purpose. The FTC further states that schools and school districts should decide whether a particular site or service’s privacy and information practices are appropriate in consultation with an attorney and information security specialists, rather than delegating that decision to a teacher. The FTC advises schools that when determining which online technologies to use, they should be careful to understand how an operator will collect, use and disclose personal information from its students.

Parents are therefore forced to place their children’s privacy rights into the hands of schools with little to no knowledge of what information is being gathered and how the information is being used. Not only should parents have more control over their children’s personal information, but schools should not have the burden of determining whether student’s data is “appropriately” protected, as school administrators are neither technical or informational privacy experts, and most educational institutions simply do not have the funding to hire such expertise.

As the inefficacy of COPPA has become clearer, amendments have been proposed by congressional representatives across the aisle. Yet, legislators have continued to overlook the challenges to protecting children’s right to privacy within schools. Lawmakers must reckon with the most effective way to ensure technology can continue to be used to advance educational goals, while simultaneously ensuring the data of children is obtained with parental consent and is securely stored.

Recommended Reading