What is the Privacy Technical Assistance Center (PTAC)? |
a "one-stop" resource for answering questions and addressing concerns related to privacy, confidentiality, and security practices |
What is FERPA? |
Family Educational Rights and Privacy Act: This federal law applies to all schools that receive funds from the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. |
What does FERPA protect and give you the right to do what three things? |
It protects identifiable information about students in records kept by schools and gives you the right to access these records, to seek to correct it, and to generally consent to its disclosure. |
What are examples of some kinds of records FERPA protect? |
grades, special needs information, disciplinary actions |
Under FERPA, what is necessary for a school to release records generally? |
written consent |
Are there exceptions to this written consent rule? |
Yes |
FERPA allows schools to disclose those records, without consent, to the following parties or under the following 9 conditions |
1. School officials with legitimate educational interest; 2. Other schools to which a student is transferring; 3. Specified officials for audit or evaluation purposes; 4. Appropriate parties in connection with financial aid to a student; 5. Organizations conducting certain studies for or on behalf of the school; 6. Accrediting organizations; 7. To comply with a judicial order or lawfully issued subpoena; 8.Appropriate officials in cases of health and safety emergencies; and 9. State and local authorities, within a juvenile justice system, pursuant to specific State law. |
What is directory information? |
basic information about students like name, picture, address, grade level telephone number, date and place of birth, honors and awards, and dates of attendance. "Directory information" is information contained in the education records of a student that would not generally be considered harmful or an invasion of privacy if disclosed |
If a school is going to publish directory information under the "directory information exception" it must what? |
To disclose student information under this exception, individual school districts must establish the specific elements or categories of directory information that they intend to disclose and publish those elements or categories in a public notice giving parents and eligible students the opportunity to "opt out" in a reasonable amount of time. |
Why would the "directory information exception" not be feasible for disclosing PII from education records to providers to create student accounts or profiles? |
because of the number of parents (and eligible students) who elect to opt out of directory information |
Which exception is more likely to apply to schools’ and districts’ use of online educational services? |
The FERPA school official exception |
Under the school official exception, schools and districts may disclose PII from |
1. Performs an institutional service or function for which the school or district would otherwise use its own employees; 2. Has been determined to meet the criteria set forth in in the school’s or district’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records; 3. Is under the direct control of the school or district with regard to the use and maintenance of education records; and 4. Uses education records only for authorized purposes and may not re-disclose PII from education records to other parties (unless the provider has specific authorization from the school or district to do so and it is otherwise permitted by FERPA). |
Does FERPA require a written agreement for use in disclosures under the school official |
No but in practice, schools and districts wishing to outsource services will usually be able to establish direct control through a contract signed by both the school or district and the provider. In some cases, the "Terms of Service" (TOS) agreed to by the school or district, prior to using the online educational services, may contain all of the necessary legal provisions governing access, use, and protection of the data, and thus may be sufficient to legally bind the provider to terms that are consistent with these direct control requirements. |
If a student or their parents (if under 18) and a school disagree about the student’s records, FERPA does what? |
gives the student or their parents the right to request a hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information. |
Does FERPA require colleges and universities to release records to student’s parents? |
no but it does allow colleges and universities to do this if the parents claim their kid on their federal tax return |
What happens when a student starts college and turns 18? |
The parents’ FERPA rights are transferred to the student |
What are Online Educational Services? |
computer software, mobile applications (apps), and web-based tools provided by a third-party to a school or district that students and/or their parents access via the Internet and use as part of a school activity. |
What are examples of Online Educational Services? |
Examples include online services that students use to access class readings, to view their learning progression, to watch video demonstrations, to comment on class activities, or to complete their homework. |
Is Student Information Used in Online Educational Services Protected by FERPA? |
It depends. Because of the diversity and variety of online educational services, there is no universal answer to this question. The Family Educational Rights and Privacy Act (FERPA) (see 20 U.S.C. § 1232g and 34 CFR Part 99) protects personally identifiable information (PII) from students’ education records from unauthorized disclosure. |
FERPA defines education records as "records that are: |
(1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution" |
FERPA also defines |
direct identifiers (such as a student’s or other family member’s name) and indirect identifiers (such as a student’s date of birth, place of birth, or mother’s maiden name) |
Some types of online educational services do use FERPA-protected information. For example, |
a district may decide to use an online system to allow students (and their parents) to log in and access class materials. In order to create student accounts, the district or school will likely need to give the provider the students’ names and contact information from the students’ education records, which are protected by FERPA |
other types of online educational services may not implicate |
a teacher may have students watch video tutorials or complete interactive exercises offered by a provider that does not require individual students to log in. In these cases, no PII from the students’ education records would be disclosed to (or maintained by) the provider. |
Online educational services increasingly collect a large amount of ____________ or _____________ data as |
contextual, transactional, "metadata." |
Metadata refer to… |
information that provides meaning and context to other data being collected |
Examples of metadata are? |
information about how long a particular student took to perform an online task has more meaning if the user knows the date and time when the student completed the activity, how many attempts the student made, and how long the student’s mouse hovered over an item (potentially indicating indecision). |
Are Metadata that have been stripped of all direct and indirect identifiers considered protected information under FERPA? |
No because they are not PII. |
A provider that has been granted access to PII from |
false |
Schools and districts will typically need to evaluate the use of online educational services ___________________________________________________________ to determine if FERPA-protected information (i.e., PII from education records) is implicated. |
on a case-by-case basis; FERPA requirements; the requirements of any other applicable federal, state, tribal, or local laws |
Whenever a provider maintains a student’s education records… |
the school and district must be able to provide the requesting parent (or eligible student) with access to those records. Schools and districts should ensure that their agreements with providers include provisions to allow for direct or indirect parental access. |
Under FERPA, a school must comply with a |
45, 45 |
Schools and districts are encouraged to remember that FERPA represents a ______ __ of |
minimum set, Thus, even when sharing PII from education records under an exception to FERPA’s consent requirement, it is considered a best practice to adopt a comprehensive approach to protecting student privacy when using online educational services. |
Do FERPA and the Protection of Pupil Rights Amendment (PPRA) Limit What Providers |
On occasion, providers may seek to use the student information they receive or collect through online educational services for other purposes than that for which they received the information, like marketing new products or services to the student, targeting individual students with directed advertisements, or selling the information to a third party. If the school or district has shared information under FERPA’s school official exception, however, the provider cannot use the FERPAprotected information for any other purpose than the purpose for which it was disclosed. |
under FERPA’s school |
true |
that student information that has been properly de-identified |
not protected by FERPA, and thus is not subject to FERPA’s use and re-disclosure limitations |
FERPA is not the only statute that limits what providers can do with student information. The |
Protection of Pupil Rights Amendment (PPRA) |
PPRA requires… |
that a school district must, with exceptions, directly notify parents of students who are scheduled to participate in activities involving the collection, disclosure, or use of personal information collected from students for marketing purposes, or to sell or otherwise provide that information to others for marketing purposes, and to give parents the opportunity to opt-out of these activities. PPRA also requires districts to develop and adopt policies, in consultation with parents, about these activities. |
PPRA is also concerned with what 3 other areas? |
student privacy, parental access to information, and the administration of certain physical examinations to minors. |
The rights under PPRA transfer from the parents to a student who… |
is 18 years old or an emancipated minor under State law. |
Parents or eligible students who believe their rights under PPRA have been violated may file a complaint with the… |
Family Policy Compliance Office. |
Complaints under PPRA must contain… |
specific allegations of fact giving reasonable cause to believe that a violation of PPRA occurred. |
PPRA has an important |
Neither parental notice and the opportunity to opt-out nor the development and adoption of policies are required for school districts to use students’ personal information that they collect from students for the exclusive purpose of developing, evaluating, or providing educational products or services for students or schools. |
While FERPA protects _______________________________________, ________________, PPRA is invoked |
PII from education records maintained by a school or district, when personal information is collected from the student. |
The use of online educational services may |
situations where the school or district provides FERPA-protected data to open accounts for students, and subsequent information gathered through the student’s interaction with the online educational service which involves PPRA. |
Student information collected or maintained as part of an |
on the content of the information, how it is collected or disclosed, and the purposes for which it is used |
Who does PPRA apply to? |
Only to k-12 institutions that receive funding from the U.S. Department of Education, the programs and activities of a State educational agency (SEA), and the programs and activities of a local educational agency (LEA), |
PPRA governs the administration to students of a survey, analysis, or evaluation that concerns one or more of the following eight protected areas: |
• political affiliations or beliefs of the student or the student’s parent; • mental or psychological problems of the student or the student’s family; • sex behavior or attitudes; • illegal, anti-social, self-incriminating, or demeaning behavior; • critical appraisals of other individuals with whom respondents have close family relationships; • legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers; • religious practices, affiliations, or beliefs of the student or student’s parent; or, • income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program). |
Is there a time limit |
No so, for example, while PPRA would not limit the use of information collected from college students for marketing, it would restrict the use of information collected from students while they were still in high school (if no notice or opportunity to opt-out was provided) even after those students graduate. |
Schools and districts should be aware that neither FERPA nor the PPRA absolutely prohibits them from |
to serve generalized, non-targeted advertisements. |
While FERPA and PPRA provide important protections for student information… |
additional use or disclosure restrictions may be advisable depending on the situation and the sensitivity of the information. Any additional protections that a school or district would like to require should be documented in the written agreement (the contract or TOS) with the provider. |
What are Some Other Best Practices for Protecting Student Privacy When Using Online |
•Maintain awareness of other relevant federal, state, tribal, or local laws. FERPA and PPRA are not the only laws that protect student information. Like COPPA • Be aware of which online educational services are currently being used in your district. • Have policies and procedures to evaluate and approve proposed online educational services. • When possible, use a written contract or legal agreement. • Extra steps are necessary when accepting Click-Wrap licenses for consumer apps • Be transparent with parents and students. • Consider that parental consent may be appropriate. Even in instances where FERPA does not require parental consent, schools and districts should consider whether consent is appropriate. |
The Federal Trade Commission (FTC) has interpreted COPPA to allow… |
schools to exercise consent on behalf of parents in certain, limited circumstances |
With Click-Wrap agreements, the act of clicking a |
to enter the provider and the end-user (in this case, the school or district) into a contractual relationship akin to signing a contract. |
When drafting and reviewing these |
Security and Data Stewardship Provisions Collection Provisions Data Use, Retention, Disclosure, and Destruction Provisions Data Access Provisions Modification, Duration, and Termination Provisions. Indemnification and Warranty Provisions |
Extra caution and |
Check Amendment Provisions. In addition to reviewing for the above terms, you should review the TOS to determine if the provider has retained the right to amend the TOS without notice Print or Save the TOS Limit Authority to Accept TOS. |
FERPA requires that schools and districts issue … |
an annual notification to parents and eligible students explaining their rights under FERPA |
PPRA also requires schools and districts to |
parents and students with effective notice of their PPRA rights, to provide notice to parents of district policies (developed and adopted in consultation with parents) regarding specific activities, and to notify them of the dates of specific events and the opportunity to opt out of participating in those events. |
In order to ensure that only appropriate individuals and entities have access to education records, organizations must implement various forms of authentication to establish |
the identity of the requester of the information with a level of certainty that is commensurate with the sensitivity of the data, identifying and validating the identity of the requesting entity with the required degree of confidence that he or she is who that person claims to be |
FERPA requires the use of _____________________________________ to __________________________________________________________ |
reasonable methods to authenticate the identity of parties to whom educational agencies and institutions disclose education records, help educational agencies and institutions improve the transparency and availability of education data while protecting the privacy and security of education records by increasing the effectiveness of access controls. |
Further, the |
parents, students, school officials, and other parties |
What is Identity Authentication? |
"Authentication of identity" means ensuring that the recipient of education records or the party who receives or transmits students’ records is, in fact, the authorized or intended recipient or sender. |
What is authentication? |
Authentication is the process by which an educational agency or institution establishes the appropriate level of identity authentication assurance, or confidence in the identity of the person or entity requesting access to the records. |
Requirements for specific authentication factors or their combination may vary depending on…(2) |
the type of education records being accessed (e.g., more or less sensitive) and the way in which they are accessed (e.g., in person or electronically). |
The same degree of certainty in the requester’s identity should be required for _________________________________________________________________. This means that although |
access to data of the same sensitivity level, the same level of identity authentication assurance |
What are Authentication Factors? |
Typically, an individual’s identity is authenticated through the use of one or more factors, such as a Personal Identification Number (PIN), password, or some other factor known or possessed only by the authorized user. |
What is single-factor authentication? |
Single-factor authentication requires a user to confirm identity with a single factor, such as a PIN; an answer to a security question; or a fingerprint. |
What is two-factor or multifactor authentication? |
Two-factor and multifactor approaches require the use of two or more methods to authenticate an individual’s identity. For example, in addition to the PIN, a user has to provide an ID card and/or have a matching iris pattern. |
What are the three types of authentication factors? |
Knowledge Factors (something the user knows): The requesting party demonstrates that it has knowledge of some unique data associated with the party whose identity is being authenticated, such as a password, security questions, or a PIN. Ownership Factors (something the user has): The requesting party demonstrates that it has possession of something uniquely associated with the party whose identity is being authenticated, such as a security token (see Glossary for definition), email account, ID card, or a mobile device (in the case of a mobile device, ownership can be confirmed by sending a one-time password to the device that has been pre-registered with the organization). Inherence Factors (something the user is or does): The requesting party demonstrates that it has a feature inherent to the party whose identity is being authenticated, such as a matching fingerprint, iris pattern, or facial features (these techniques are commonly referred to as "biometrics"). |
The choice of the specific authentication method often varies depending on …. |
the level of sensitivity of the data that are being disclosed. For example, an organization may determine that a single-factor identity authentication, such as using a standard format username combined with a secret PIN or password, is reasonable for protecting access to student attendance records. Single-factor authentication may not be reasonable, however, for protecting access to highly sensitive information, including health records and information that could be used for identity theft and financial fraud, such as social security numbers (SSNs) and credit card numbers |
While the use of any single factor provides a minimal level of identity authentication assurance, that |
using multiple authentication factors of different types. For example, for "in person" transactions, in the case of a parent or student accessing education records from a school office, the school official might request a photo ID to validate the identity of the person requesting the records. This approach utilizes two factors to validate the identity of the requester—an ownership factor in the form of a valid photo ID and an inherence factor, which is the physical resemblance of the person to the one pictured in the photo ID. Often, this type of visual authentication is not possible for electronic and phone transactions (although video cameras can be used for identifying individuals in some cases, such as for granting physical access to a secure facility). |
In addition to using multiple authentication factors, higher levels of assurance can be achieved through… |
the use of authentication factors that are harder to guess or falsify and by implementing stricter mechanisms to protect their secrecy. Stronger factors (e.g., more complex passwords) and better protection from being compromised through malicious activity (e.g., encrypting passwords with a strong algorithm) offer a greater level of confidence in a user’s identity authentication. |
How can an educational agency or institution determine the appropriate level of identity authentication assurance? |
To address this question, an organization should conduct a risk assessment to determine the threats to its data and evaluate the likelihood of inappropriate data disclosure based on its specific situation. This assessment should include a review of a potential impact of unauthorized disclosure or, conversely, of inappropriate denial of access to education data (e.g., when an authorized staff member is unable to perform his or her duties due to limited access to data). |
The analysis of the risks of a potential authentication failure and associated impact should then be used to determine… |
the necessary levels of identity authentication assurance the organization needs to establish. |
What are some best reasonable authentication practices? (5) |
conducting privacy risk assessments to determine potential threats to the data; selecting authentication levels based on the risk to the data (the higher the risk, the more stringent the authentication); developing a process to securely manage any secret authenticating information, or, "authenticators" (e.g., passwords) throughout their creation, use, and disposal; enforcing policies to reduce the possibility of authenticator misuse (e.g., encrypting stored passwords, locking out accounts with suspicious activity, etc.); and managing user identities through creation, provisioning, use, and disposal (with periodic account recertification, to confirm that a user account has been properly authorized and is still required by the user). |
Authentication factors like PINs, passwords, and security tokens are |
This sometimes makes it difficult to recover a user’s ability to access the data from a system if the user has forgotten the password or misplaced his or her token. |
True or false: No agency officials should be able to recover passwords or security tokens for any reason. |
With that in mind, full, unencrypted passwords in plain text should never be stored within electronic systems. We recommended that you work with your Information Technology (IT) Administrator or Security Officer to ensure that stored passwords are encrypted using a strong cryptographic algorithm. This approach reduces the risk of password data leakage and prevents administrators or school officials from being able to access actual passwords, increasing the assurance level of the system |
True of false: For electronic systems, well designed account recovery mechanisms and cryptographic protection of the authentication process are of great importance and should be incorporated into the system development process. One unwavering fact of electronic data systems is that users will, at some point,lose or forget their account password, PIN, or other authenticating information. |
true It is important that these systems include the ability to safely recover or reset the authenticating information without negatively impacting the integrity of the authentication system. The method might be as simple as an email-based recovery option that asks alternate security questions created during user registration. This type of recovery procedure relies on the knowledge of the security questions, which the user created upon registration, and requires the party being authenticated to have access to the email account utilized for the registration. These two factors together increase the security of the transaction and allow a user to recover information without delay. |
Identity authentication relies on…. |
the secrecy of authentication factors. Consequently, it is advisable that all exchanges of passwords or other authenticating information be sent through encrypted channels using a secure transfer protocol, such as Transport Layer Security. |
For online systems, organizations should implement basic authentication controls to reduce the ability of an attacker to guess at authentication credentials until the correct combination is achieved (known as "brute force password guessing") by… |
introducing mechanisms to lockout or prevent repetitive failed authentication attempts (the account can then be unlocked only by a system administrator or help desk). This approach can help to reduce the threat of brute-force attacks. |
Care should be taken when developing and implementing authentication systems within web applications to ensure that the applications are built… (using what 2 things along with what to prevent attacks like what 3 things) |
using secure coding and session management techniques along with thorough validation of user input to prevent attacks like SQL injection, Cross Site Scripting, and Cross Site Request Forgery, among others |
What are some benefits Arne Duncan gave for how technology improves teaching? (4) |
1. It can enable teachers to focus their time on the things they do best like teaching critical thinking skills. 2. helping the children who are struggling the most by providing up to the minute information about where students are doing well and where they need the most help 3. It can help them reinvent the most traditional (some would say boring) school experiences. 4. empower parents giving them a stronger connection to what their kids are actually doing |
According to a PBS survey, ___% of teachers have access to computers but only about ___% say they have access to the right level of technology. |
91, 20 |
What are the three keystone federal laws that protect student’s privacy? |
the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupils Rights Amendment (PPRA), and the Children’s Online Privacy Protection Act (COPPA) |
What are five questions, according to Arne Duncan, that schools and school districts should be asking themselves? |
1. Do you know what online services your schools and teachers use? 2. Are you offering teachers timely approval of technologies that they want to use in the classroom? 3. Do your contracts explicitly lay out the ownership and appropriately limit the use of any data collected? 4. Are you transparent with parents about how your district uses that data? 5. Do your schools allow students to bring their own devices as tools for learning and do your policies protect them? |
What is COPPA? |
Children’s Online Privacy Protection Act; The primary goal of COPPA is to place parents in control over what information is collected from their young children online. COPPA was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. |
What is CIPA, when was it enacted, and who does it apply to? |
Children’s Internet Protection Act; CIPA was enacted by Congress in 2000 to address concerns about children’s access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program – a program that makes certain communications services and products more affordable for eligible schools and libraries. |
In early ______, the FCC issued rules implementing CIPA and provided updates to those rules in ____. |
2001, 2011 |
Schools and libraries subject to CIPA may not receive the discounts offered by the E-rate program unless… |
they certify that they have an Internet safety policy that includes technology protection measures. |
Under CIPA, the protection measures must block or filter Internet access to pictures that are: (3) |
(a) obscene; (b) child pornography; or (c) harmful to minors (for computers that are accessed by minors) |
Under CIPA, before adopting this Internet safety policy, schools and libraries must… |
provide reasonable notice and hold at least one public hearing or meeting to address the proposal. |
Schools subject to CIPA have two additional certification requirements: |
1) their Internet safety policies must include monitoring the online activities of minors; and 2) as required by the Protecting Children in the 21st Century Act, they must provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, and cyberbullying awareness and response. |
Schools and libraries subject to CIPA are required to adopt and implement an Internet safety policy addressing: (5) |
1. Access by minors to inappropriate matter on the Internet; 2. The safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communications; 3. Unauthorized access, including so-called "hacking," and other unlawful activities by minors online; 4. Unauthorized disclosure, use, and dissemination of personal information regarding minors; and 5. Measures restricting minors’ access to materials harmful to them. |
Schools and libraries must certify they are in compliance with CIPA before they can receive E-rate funding with what three exceptions? |
1. CIPA does not apply to schools and libraries receiving discounts only for telecommunications service only; 2. An authorized person may disable the blocking or filtering measure during use by an adult to enable access for bona fide research or other lawful purposes. 3. CIPA does not require the tracking of Internet use by minors or adults. |
PPRA is intended to protect the rights of parents and students in two ways: |
1. It seeks to ensure that schools and contractors make instructional materials available for inspection by parents if those materials will be used in connection with an ED-funded survey, analysis, or evaluation in which their children participate; and 2. It seeks to ensure that schools and contractors obtain written parental consent before minor students are required to participate in any ED-funded survey, analysis, or evaluation that reveals certain information. |
A Statement of Basis and Purpose is… |
a document an agency issues when it promulgates or amends a rule, explaining the rule’s provisions and addressing comments received in the rulemaking process. |
Congress enacted the Children’s Online Privacy Protection Act (COPPA) in |
1998 |
COPPA required the Federal Trade Commission to… |
issue and enforce regulations concerning children’s online privacy |
The Commission’s original COPPA Rule became effective on ________________. The Commission issued an amended Rule on ____________________. The amended Rule took effect on ____________. |
April 21, 2000, December 19, 2012, July 1, 2013 |
The primary goal of COPPA is to… |
place parents in control over what information is collected from their young children online. |
The Rule of COPPA was designed to ________________________ while ______________________ |
protect children under age 13, accounting for the dynamic nature of the Internet. |
The Rule of COPPA applies to two types of commercial websites and online services which are? And what other additional situation? |
The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. |
Operators covered by the Rule must do what 7 things? |
1. Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children; 2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children; 3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents); 4. Provide parents access to their child’s personal information to review and/or have the information deleted; 5. Give parents the opportunity to prevent further use or online collection of a child’s personal information; 6. Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and 7. Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use. |
What does COPPA consider as personal information? (10) |
1. First and last name; 2. A home or other physical address including street name and name of a city or town; 3. Online contact information; 4. A screen or user name that functions as online contact information; 5. A telephone number; 6. A social security number; 7. A persistent identifier that can be used to recognize a user over time and across different websites or online services; 8. A photograph, video, or audio file, where such file contains a child’s image or voice; 9. Geolocation information sufficient to identify street name and name of a city or town; or 10. Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above. |
The term "online service" broadly covers…. |
any service available over the Internet, or that connects to the Internet or a wide-area network. Examples of online services include services that allow users to play network-connected games, engage in social networking activities, purchase goods or services online, receive online advertisements, or interact with other online content or services. Mobile applications that connect to the Internet, Internet-enabled gaming platforms, voice-over-Internet protocol services, and Internet-enabled location-based services also are online services covered by COPPA. |
Does COPPA apply to information about children collected online from parents or other adults? |
No. COPPA only applies to personal information collected online from children, including personal information about themselves, their parents, friends, or other persons but the Commission expects that operators will keep confidential any information obtained from parents in the course of obtaining parental consent or providing for parental access pursuant to COPPA |
Why does COPPA apply only to children under 13? What about protecting the online privacy of teens? |
In enacting the Children’s Online Privacy Protection Act, Congress determined to apply the statute’s protections only to children under 13, recognizing that younger children are particularly vulnerable to overreaching by marketers and may not understand the safety and privacy issues created by the online collection of personal information. |
Will the amended COPPA Rule prevent children from lying about their age to register for general audience sites or online services whose terms of service prohibit their participation? |
No. COPPA covers operators of general audience websites or online services only where such operators have actual knowledge that a child under age 13 is the person providing personal information. The Rule does not require operators to ask the age of visitors. |
What are the penalties for violating the COPPA Rule? |
A court can hold operators who violate the Rule liable for civil penalties of up to $16,000 per violation. |
The amount of civil penalties a court assesses may turn on a number of factors which are: (7) |
1. the egregiousness of the violations 2. whether the operator has previously violated the Rule 3. the number of children involved 4. the amount and type of personal information collected 5. how the information was used 6. whether it was shared with third parties 7. the size of the company. |
Can the states or other federal government agencies enforce COPPA? |
Yes. COPPA gives states and certain federal agencies authority to enforce compliance with respect to entities over which they have jurisdiction. |
Are websites and online services operated by nonprofit organizations subject to the Rule? |
COPPA expressly states that the law applies to commercial websites and online services and not to nonprofit entities that otherwise would be exempt from coverage under Section 5 of the FTC Act. In general, because many types of nonprofit entities are not subject to Section 5 of the FTC Act, these entities are not subject to the Rule. However, nonprofit entities that operate for the profit of their commercial members may be subject to the Rule. |
The Internet is a global medium. Do websites and online services developed and run abroad have to comply with the Rule? |
Foreign-based websites and online services must comply with COPPA if they are directed to children in the United States, or if they knowingly collect personal information from children in the U.S. The law’s definition of "operator" includes foreign-based websites and online services that are involved in commerce in the United States or its territories. As a related matter, U.S.-based sites and services that collect information from foreign children also are subject to COPPA. |
My child-directed website doesn’t collect any personal information. Do I still need to post a privacy policy online? |
COPPA applies only to those websites and online services that collect, use, or disclose personal information from children. However, the FTC recommends that all websites and online services – particularly those directed to children – post privacy policies online so visitors can easily learn about the operator’s information practices. |
Section 312.4(d) of the amended Rule identifies the information that must be disclosed in your online privacy policy. While the original Rule required operators to provide extensive categories of information in their online privacy notices, the amended Rule now takes a shorter, more streamlined approach to cover the information collection and use practices most critical to parents. Under the amended Rule, the online notice must state the following three categories of information: |
1. The name, address, telephone number, and email address of all operators collecting or maintaining personal information through the site or service (or, after listing all such operators, provide the contact information for one that will handle all inquiries from parents); 2. A description of what information the operator collects from children, including whether the operator enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; and 3. That the parent can review or have deleted the child’s personal information and refuse to permit its further collection or use, and state the procedures for doing so. |
May I include promotional materials in my privacy policy? |
No. The Rule requires that privacy policies must be "clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory materials." |
Do I have to disclose in my privacy policy and direct notices to parents the collection of "cookies," "GUIDs," "IP addresses," or other passive information collection technologies on or through my site? |
The amended Rule defines "personal information" to include identifiers, such as a customer number held in a cookie, an IP address, a processor or device serial number, or a unique device identifier that can be used to recognize a user over time and across different websites or online services, even where such identifier is not paired with other items of personal information. Therefore, you will need to disclose in your privacy policy (see FAQ C.2), and in your direct notice to parents (see FAQ C.11), your collection, use or disclosure of such persistent identifiers unless (1) you collect no other "personal information," and (2) such persistent identifiers are collected on or through your site or service solely for the purpose of providing "support for the internal operations" of your site or service. |
Where should I post links to my privacy policy? |
The amended Rule requires that the operator post a clearly and prominently labeled link to the online privacy policy on the home or landing page or screen of the website or online service, and at each area of the site or service where personal information is collected from children. This link must be in close proximity to the requests for information in each such area. the Commission explained that "’clear and prominent’ means that the link must stand out and be noticeable to the site’s visitors through use, for example, of a larger font size in a different color on a contrasting background. The Commission does not consider ‘clear and prominent’ a link that is in small print at the bottom of the home page, or a link that is indistinguishable from a number of other, adjacent links." |
I have an app directed to children. At what point in the download process should I send parents my direct notice? |
Unless one of the limited exceptions applies (see FAQ H.2), the Rule requires that you send parents the direct notice prior to the collection of any personal information from the child. The limited exception to this is that you may collect the parent’s online contact information for the sole purpose of sending the parent the direct notice. Alternatively, you may provide the direct notice to the parent through other means, such as through the device onto which the app is downloaded, if the mechanisms both (1) provide such notice and obtain the parent’s consent before any collection of personal information and (2) are reasonably designed to ensure that it is the parent who receives the notice and provides the consent. |
What factors are included when determining a website is directed towards children? (8) |
subject matter of the site or service, its visual content, the use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the website or online service, or whether advertising promoting or appearing on the website or online service is directed to children. |
Because of its very nature, in most instances, a website or online service (such as an app) directed to children must treat all visitors as… |
children and provide COPPA’s protections to every such visitor. This means that for the most part, a website or online service directed to children may not screen users for age. However, the amended Rule provides for a narrow exception for a site or service that may be directed to children under the criteria set forth in FAQ D.1 above, but that does not target children as its primary audience. For instance, a child-directed site may target children under age 13, as well as parents or younger teens. An operator of a site or service meeting this standard may age-screen its users if it: (1) does not collect personal information from any visitor prior to collecting age information, and (2) prevents the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13 without first complying with the amended Rule’s notice and parental consent provisions. |
I run a site that I believe may fall within the FTC’s sub-category of a website directed to children but where it is acceptable to age-screen users. Can I age-screen and completely block users who identify as being under age 13 from participating in any aspect of my site? |
No. If your site falls within the definition of a "Web site or online service directed to children" as set forth in paragraph (1) of 16 C.F.R. § 312.2, then you may not block children from participating altogether, even if you do not intend children to be your primary target audience. Instead, what the amended Rule now permits you to do is to use an age screen in order to differentiate between your child and non-child users. You may decide to offer different activities, or functions, to your users depending upon age, but you may not altogether prohibit children from participating in a child-directed site or service. |
Do I have to get parental consent if first I blur images in the children’s photos so that you cannot see any facial features when the pictures go live on my site? |
An operator of a site directed to children does not need to notify parents or obtain their consent if it blurs the facial features of children in photos before posting them on its website. See 2012 Statement of Basis and Purpose, 78 Fed. Reg. 3972, 3982 n.123. The same goes for a site that has actual knowledge it has collected the photos from children. Before posting such photos, however, the operator must also remove any other personal information they contain, such as geolocation metadata, and ensure that it is not using or disclosing persistent identifiers collected from children in a manner that violates the amended Rule. |
Does the amended Rule prohibit adults, such as parents, grandparents, teachers, or coaches from uploading photos of children? |
COPPA only covers information collected online from children. It does not cover information collected from adults that may pertain to children. Thus, COPPA is not triggered by an adult uploading photos of children on a general audience site or in the non-child directed portion of a mixed-audience website. However, operators of websites or online services that are primarily directed to children (as defined by the Rule) must assume that the person uploading a photo is a child and they must design their systems either to: (1) give notice and obtain prior parental consent, (2) remove any child images and metadata prior to posting, or (3) create a special area for posting by adults, if that is the intention. |
The amended Rule covers "geolocation information sufficient to identify street name and name of city or town." What if my children’s app only collects coarse geolocation information, tantamount to collecting a ZIP code but nothing more specific? |
COPPA does not require an operator to notify parents and obtain their consent before collecting the type of coarse geolocation services described. However, the operator should be quite certain that, in all instances, the geolocation information it collects is more general than that sufficient to identify street name and name of city or town. |
The geolocation information I collect through my app provides coordinate numbers. It does not specifically identify a street name and name of city or town. Do I have to notify parents and get their consent in this instance? |
COPPA covers the collection of geolocation information "sufficient" to identify street name and name of city or town. It does not require the actual address identification of such information at the time of collection. One example where COPPA would be triggered is where an app takes the user’s longitude and latitude coordinates and translates them to a precise location on a map. |
Am I responsible if children lie about their age during the registration process on my general audience website? |
The Rule does not require operators of general audience sites to investigate the ages of visitors to their sites or services. See 1999 Statement of Basis and Purpose, 64 Fed. Reg. 59888, 59892. However, operators will be held to have acquired actual knowledge of having collected personal information from a child where, for example, they later learn of a child’s age or grade from a concerned parent who has learned that his child is participating on the site or service. |
I have an online service that is intended for teenagers. How does COPPA affect me? |
Although you may intend to operate a "teen service," in reality, your site may attract a substantial number of children under 13, and thus may be considered to be a "Web site or online service directed to children" under the Rule. If your service targets children as one of its audiences – even if children are not the primary audience – then your service is "directed to children." In circumstances where children are not the primary audience of your child-directed service, the amended Rule allows you to employ an age screen in order to provide COPPA’s protections to only those visitors who indicate they are under age 13. Note that sites or services directed to children cannot use the age screen to block children under age 13. |
Can I block children under 13 from my general audience website or online service? |
Yes. COPPA does not require you to permit children under age 13 to participate in your general audience website or online service, and you may block children from participating if you so choose. By contrast, you may not block children from participating in a website or online service that is directed to children as defined by the Rule. |
If you choose to block children under 13 on your general audience site or service, you should… |
take care to design your age screen in a manner that does not encourage children to falsify their ages to gain access to your site or service. Ask age information in a neutral manner at the point at which you invite visitors to provide personal information or to create a user ID. |
I want to offer a child-directed app. The app would allow children to upload pictures of their favorite pets or places. I do not ask children to provide their email addresses or their names, or really any personal information for that matter. How does COPPA apply to me? |
COPPA applies to photos, videos, and audio files that contain children’s images or voices. It also applies to geolocation data contained in these files sufficient to identify street name and name of city or town. Finally, it applies to any persistent identifiers collected via the children’s upload of their photos. Therefore, in order to offer an app without parental notice and consent, the operator must take the following steps 1. Pre-screen the children’s photos in order to delete any that depict images of children or to delete the applicable portion of the photo, if possible. The operator must also remove any other personal information; and 2. Ensure that any persistent identifiers are used only to support the internal operations of the app (as that term is defined in the Rule) and are not used or disclosed to contact a specific individual or for any other purpose. |
Does the amended Rule prohibit adults, such as parents, grandparents, teachers, or coaches from uploading photos of children? |
COPPA only covers information collected online from children. It does not cover information collected from adults that may pertain to children. Thus, COPPA is not triggered by an adult uploading photos of children on a general audience site or in the non-child directed portion of a mixed-audience website. However, operators of websites or online services that are primarily directed to children (as defined by the Rule) must assume that the person uploading a photo is a child and they must design their systems either to: (1) give notice and obtain prior parental consent, (2) remove any child images and metadata prior to posting, or (3) create a special area for posting by adults, if that is the intention. |
What if I give my users a choice to turn off geolocation information? Do I still have to notify parents and get prior parental consent? |
COPPA is designed to notify parents and give them the choice to consent. Therefore, it is not sufficient to provide such notification and choice to the child user of a website or service. If the operator intends to collect geolocation information, the operator will be responsible for notifying parents and obtaining their consent prior to such collection. |
I operate a general audience gaming site and do not ask visitors to reveal their ages. I do permit users to submit feedback, comments, or questions by email. What are my responsibilities if I receive a request for an email response from a player who indicates that he is under age 13? |
Under the Rule’s one-time response exception (16 C.F.R. § 312.5(c)(3)) you are permitted to send a response to the child, via the child’s online contact information, without sending notice to the parent or obtaining parental consent. However, you must delete the child’s online contact information from your records promptly after you send your response. You may not use the child’s online contact information to re-contact the child (or for any other purpose), or disclose the child’s online contact information. Note that if you choose not to respond to the child’s inquiry, you must still immediately delete the child’s personal information from your records. Additionally, such an email may give you actual knowledge that you have collected personal information from a child (e.g., if you had previously collected the child’s email address as part of a website registration process). In such a circumstance, you would need to take steps to ensure that you are complying with COPPA, such as obtaining parental consent or immediately deleting any personal information collected from the child. |
What happens if a child registers on my service and posts personal information (e.g., on a comments page) but does not reveal his age anywhere? |
The COPPA Rule is not triggered in this scenario. The Rule applies to an operator of a general audience website if it has actual knowledge that a particular visitor is a child. If a child posts personal information on a general audience site or service but does not reveal his age, and if the operator has no other information that would lead it to know that the visitor is a child, then the operator would not be deemed to have acquired "actual knowledge" under the Rule and would not be subject to the Rule’s requirements. However, even where a child himself has not revealed his age on a site or service, an operator may acquire actual knowledge where it later learns of a child’s age |
What happens if a child posts in a forum and announces her age? |
If no one in your organization is aware of the post, then you may not have the requisite actual knowledge under the Rule. However, you may be considered to have actual knowledge where a child announces her age under certain circumstances, for example, if you monitor your posts, if a responsible member of your organization sees the post, or if someone alerts you to the post (e.g., a concerned parent who learns that his child is participating on your site). |
When do I have to get verifiable parental consent? |
The Rule provides generally that an operator must obtain verifiable parental consent before collecting any personal information from a child, unless the collection fits into one of the Rule’s exceptions |
May I first collect personal information from the child, and then get parental permission to such collection if I do not use the child’s information before getting the parent’s consent? |
As a general rule, operators must get verifiable parental consent before collecting personal information online from children under 13. Certain, limited exceptions let operators collect certain personal information from a child before obtaining parental consent. See FAQ H.2 for a list of exceptions |
I collect personal information from children who use my online service, but I only use the personal information I collect for internal purposes and I never give it to third parties. Do I still need to get parental consent before collecting that information? |
It depends. First, you should determine whether the information you collect falls within one of the amended Rule’s limited exceptions to parental consent outlined in FAQ H.2 above. If you fall outside of one of those exceptions, you must notify parents and obtain their consent. However, if you only use the information internally, and do not disclose it to third parties or make it publicly available, then you may obtain parental consent through use of the Rule’s "email plus" mechanism, as outlined in FAQ H.4 below. |
How do I get parental consent and what are several methods do get it? |
You may use any number of methods to obtain verifiable parental consent, as long as the method you choose is reasonably calculated to ensure that the person providing consent is the child’s parent. 1. Providing a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan (the "print-and-send" method); 2. Requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder; 3. Having the parent call a toll-free telephone number staffed by trained personnel, or have the parent connect to trained personnel via video-conference; or 4. Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, provided that you promptly delete the parent’s identification after completing the verification. |
If you are going to use children’s personal information only for internal purposes – that is, you will not be disclosing the information to third parties or making it publicly available – then you can use any of the above methods or you can use the "email plus" method of parental consent. "Email plus" allows you to request (in the direct notice sent to the parent’s online contact address) that the parent indicate consent in a return message. To properly use the email plus method, you must take an additional confirming step after receiving the parent’s message (this is the "plus" factor). The confirming step may be: |
1. Requesting in your initial message to the parent that the parent include a phone or fax number or mailing address in the reply message, so that you can follow up with a confirming phone call, fax or letter to the parent; or 2. After a reasonable time delay, sending another message via the parent’s online contact information to confirm consent. In this confirmatory message, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to do so. |
I know that I must allow parents to consent to my collection and use of their children’s information, while giving them the option of prohibiting me from disclosing that information to third parties. Does that mean that if I operate a social networking site, or have chat rooms or message boards, I have to offer the same kind of "choice" about these types of sites as well? |
The Rule requires an operator to give parents the option to consent to the collection and use of a child’s personal information without consenting to the disclosure of such information to third parties. See 16 C.F.R. § 312.5(a)(2). However, an operator must only provide this choice where the disclosure of the information is not inherent in the activity to which the parent is consenting. |
I am the developer of an app directed to kids. Can I use a third party, such as one of the app stores, to get parental consent on my behalf? |
Yes, as long as you ensure that COPPA requirements are being met. For example, you must make sure that the third party is obtaining consent in a way that is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent. The mere entry of an app store account number or password, without other indicia of reliability (e.g., knowledge-based authentication questions or verification of government identification), does not provide sufficient assurance that the person entering the account or password information is the parent, and not the child. You must also provide parents with a direct notice outlining your information collection practices before the parent provides his or her consent. |
What types of information can I collect to obtain or confirm parental consent? Can I use a parent’s mobile phone number to obtain or confirm parental consent? |
The Rule permits you to collect the parent’s "online contact information," defined as an email address, an IM user identifier, a VOIP identifier, a video chat user identifier, or other substantially similar identifier. A mobile phone number is not online contact information and therefore cannot be collected from the child as part of the consent initiation process. However, once you have connected with the parent via the parent’s online contact information, you may request a parent’s mobile phone number in order to further communicate with him or her. |
What is required for the "multiple-contact" exception |
you must also collect a parent’s online contact information and provide parents with direct notice of your information practices and an opportunity to opt out. |
What does "support for the internal operations of the Web site or online service" mean? |
"Support for the internal operations of the Web site or online service," as defined in 16 C.F.R. 312.2, means activities necessary for the site or service to maintain or analyze its functioning; perform network communications; authenticate users or personalize content; serve contextual advertising or cap the frequency of advertising; protect the security or integrity of the user, website, or online service; ensure legal or regulatory compliance; or fulfill a request of a child as permitted by § 312.5(c)(3) and (4). Persistent identifiers collected for the sole purpose of providing support for the internal operations of the website or online service do not require parental consent, so long as no other personal information is collected and the persistent identifiers are not used or disclosed to contact a specific individual, including through behavioral advertising; to amass a profile on a specific individual; or for any other purpose. |
Can both a child-directed website and a third-party plug-in that collect persistent identifiers from users of that child-directed site rely on the Rule’s exception for "support for internal operations"? |
Yes. A child-directed site and a third-party plug-in collecting persistent identifiers from users of that child-directed site can both rely upon the Rule’s "support for internal operations" exception where the only personal information collected from such users are persistent identifiers for purposes outlined in the "support for internal operations" definition. The persistent identifier information collected by the third-party plug-in may in some instances support only the plug-in’s internal operations; in other instances, it may support both its own internal operations and the internal operations of the child-directed site. |
Does the exception for "support for internal operations" allow me to perform, or retain another party to perform, site analytics? |
Yes. Where you, a service provider, or a third party collects persistent identifier information from users of your child-directed site to perform analytics encompassed by the Rule’s "support for internal operations" definition, and the information is not used for any other purposes not covered by the support for internal operations definition, then you can rely upon the Rule’s exemption from parental and consent. |
I am an ad network that uses persistent identifiers to personalize advertisements on websites. I know that I operate on a child-directed site, but isn’t personalization considered "support for internal operations"? |
No. The term "support for internal operations" does not include behavioral advertising. The inclusion of personalization within the definition of support for internal operations was intended to permit operators to maintain user driven preferences, such as game scores, or character choices in virtual worlds. "Support for internal operations" does, however, include the collection or use of persistent identifiers in connection with serving contextual advertising on the child-directed site. |
I have a child-directed website. Can I put a plug-in, such as Facebook Like button, on my site without providing notice and obtaining verifiable parental consent and what 3 thing would you need to do this? |
In determining whether you must provide notice and obtain verifiable parental consent, you will need to evaluate whether any exceptions apply. Section 312.5(c)(8) of the Rule has an exception to its notice and consent requirements where: a third-party operator only collects a persistent identifier and no other personal information; the user affirmatively interacts with that third-party operator to trigger the collection; and the third-party operator has previously conducted an age-screen of the user, indicating the user is not a child. If the third-party operator meets all of those requirements, and if your site doesn’t collect personal information (except for that covered by an exception), you don’t need to provide notice or obtain consent. This exception doesn’t apply to types of plug-ins where the third party collects more information than a persistent identifier |
Do I have to keep all information I have ever collected online from a child in case a parent may want to see it in the future? |
No. As the Commission noted in the 1999 Statement of Basis and Purpose, "if a parent seeks to review his child’s personal information after the operator has deleted it, the operator may simply reply that it no longer has any information concerning that child." |
What if, despite my most careful efforts, I mistakenly give out a child’s personal information to someone who is not that child’s parent or guardian? |
The Rule requires you to provide parents with a means of reviewing any personal information you collect online from children. Although the Rule provides that the operator must ensure that the requestor is a parent of the child, it also notes that if you follow reasonable procedures in responding to a request for disclosure of this personal information, you will not be liable under any federal or state law if you mistakenly release a child’s personal information to a person other than the parent. |
If I want to share children’s personal information with a service provider or a third party, how should I evaluate whether the security measures that entity has in place are "reasonable" under the Rule? |
Before sharing information with such entities, you should determine what the service providers’ or third parties’ data practices are for maintaining the confidentiality and security of the data and preventing unauthorized access to or use of the information. Your expectations for the treatment of the data should be expressly addressed in any contracts that you have with service providers or third parties. In addition, you must use reasonable means, such as periodic monitoring, to confirm that any service providers or third parties with which you share children’s personal information maintain the confidentiality and security of that information. |
If I operate a social networking service and a parent revokes her consent to my maintaining personal information collected from the child, can I deny that child access to my service? |
Yes. If a parent revokes consent and directs you to delete the personal information you had collected from the child, you may terminate the child’s use of your service. |
I know that the Rule says I cannot condition a child’s participation in a game or prize offering on the child’s disclosing more information than is reasonably necessary to participate in those activities. Does this limitation apply to other online activities? |
Yes. The applicable Rule provision is not limited to games or prize offerings, but includes "another activity." See 16 C.F.R. § 312.7. This means that you must carefully examine the information you intend to collect in connection with every activity you offer in order to ensure that you are only collecting information that is reasonably necessary to participate in that activity. This guidance is in keeping with the Commission’s general guidance on data minimization. |
Can an educational institution consent to a website or app’s collection, use or disclosure of personal information from students? |
Yes. Many school districts contract with third-party website operators to offer online programs solely for the benefit of their students and for the school system – for example, homework help lines, individualized education modules, online research and organizational tools, or web-based testing services. In these cases, the schools may act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf. |
the school’s ability to consent for the parent is limited to… |
the educational context – where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose. |
In order for the operator to get consent from the school, the operator must… (6) |
provide the school with all the notices required under COPPA. In addition, the operator, upon request from the school, must provide the school a description of the types of personal information collected; an opportunity to review the child’s personal information and/or have the information deleted; and the opportunity to prevent further use or online collection of a child’s personal information. Schools also should ensure operators to delete children’s personal information once the information is no longer needed for its educational purpose. |
Under what circumstances can an operator of a website or online service rely upon an educational institution to provide consent? |
Where a school has contracted with an operator to collect personal information from students for the use and benefit of the school, and for no other commercial purpose, the operator is not required to obtain consent directly from parents, and can presume that the school’s authorization for the collection of students’ personal information is based upon the school having obtained the parents’ consent. However, the operator must provide the school with full notice of its collection, use, and disclosure practices, so that the school may make an informed decision. |
Operators may not use the personal information collected from children based on a school’s consent for… |
another commercial purpose because the scope of the school’s authority to act on behalf of the parent is limited to the school context. |
Who should provide consent – an individual teacher, the school administration, or the school district? |
As a best practice, we recommend that schools or school districts decide whether a particular site’s or service’s information practices are appropriate, rather than delegating that decision to the teacher. Many schools have a process for assessing sites’ and services’ practices so that this task does not fall on individual teachers’ shoulders. |
When the school gives consent, what are the school’s obligations regarding notifying the parent? |
As a best practice, the school should consider providing parents with a notice of the websites and online services whose collection it has consented to on behalf of the parent. Schools can identify, for example, sites and services that have been approved for use district-wide or for the particular school. In addition, the school may want to make the operators’ direct notices regarding their information practices available to interested parents. Many school systems have implemented Acceptable Use Policies for Internet use (AUPs) to educate parents and students about in-school Internet use. The school could maintain this information on a website or provide a link to the information at the beginning of the school year. |
What information should a school seek from an operator before entering into an arrangement that permits the collection, use, or disclosure of personal information from students? 6 questions to ask |
In deciding whether to use online technologies with students, a school should be careful to understand how an operator will collect, use, and disclose personal information from its students. Among the questions that a school should ask potential operators are: What types of personal information will the operator collect from students? How does the operator use this personal information? Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school? For instance, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service? If so, the school cannot consent on behalf of the parent. Does the operator enable the school to review and have deleted the personal information collected from their students? If not, the school cannot consent on behalf of the parent. What measures does the operator take to protect the security, confidentiality, and integrity of the personal information that it collects? What are the operator’s data retention and deletion policies for children’s personal information? |
Under FERPA are schools required to provide parents and eligible students copies of educational records? |
Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies. |
In a traditional contracting process, the buyer and seller mutually agree on a set of terms and then sign a contract reflecting those terms. However, many providers of online educational services and mobile applications (i.e., vendors, contractors, and other service providers) instead rely on a… |
Terms of Service (TOS) agreement that requires a user to click to accept the agreement in order to access the service or application for the first time. These types of agreements are commonly referred to as "Click-Wrap" agreements |
.Once a user at the school or district clicks "I agree," these terms will likely govern…(3) |
what information the provider may collect from or about students, what they can do with that information, and with whom they may share it. |
Depending on the content, Click-Wrap agreements may lead to… |
violations of the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), or other laws, as well as privacy best practice |
Does FERPA specify that education records shared under some of its exceptions must be returned or destroyed at the end of the contract? |
No, but it is a "best practice". |
What does FOIA stand for? |
Freedom of Information Act |
When was FOIA enacted? |
1966 |
What four things does FOIA provide? |
Any person has the right to request access to federal agency records or information. All agencies of the U.S. Government are required to disclose records upon receiving a written request for them. There are nine exemptions to the FOIA that protect certain records from disclosure. FOIA Statutory Exclusions |
Does the federal FOIA provide access to records held by state or local government agencies, or by private businesses or individuals? |
No, State Education agencies should be contacted for further information about these statutes. |
All agency records must be made available to the public under the FOIA, except for records that are: (9) |
Properly classified as secret in the interest of national defense or foreign policy (b)(1). Related solely to internal personnel rules and practices (b)(2). Specifically exempted by other statutes (b)(3). Concerning trade secrets and commercial or financial information obtained from a person that is privileged or confidential (b)(4). Privileged interagency or intra-agency memoranda or letters, except under certain circumstances (b)(5). Personnel and medical files and similar files, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy (b)(6). Investigatory records compiled for law enforcement purposes (b)(7). Contained in or related to certain examination, operating, or condition reports concerning financial institutions (b)(8). Geological and geophysical information and data, including maps, concerning wells (b)(9). |
What, in general terms, are the FOIA exclusions and how many are there? |
In amending the Freedom of Information Act in 1986, Congress created a novel mechanism for protecting certain especially sensitive law enforcement matters, under subsection (c) of the Act. These three special protection provisions, referred to as record "exclusions," are reserved for certain specified circumstances. The record exclusions expressly authorize federal law enforcement agencies, under these exceptional circumstances, to "treat the records as not subject to the requirements of the FOIA." |
What is the first FOIA Exclusion? |
The first of these novel provisions, known as the "(c)(1) exclusion," provides as follows: Whenever a request is made which involves access to records described in subsection (b)(7)(A) and (A) the investigation or proceeding involves a possible violation of criminal law; and (B) there is reason to believe that (i) the subject of the investigation or proceeding is not aware of its pendency, and (ii) disclosure of the existence of the records could reasonably be expected to interfere with enforcement proceedings, the agency may, during only such time as that circumstance continues, treat the records as not subject to the requirements of this section. |
What is the second FOIA Exclusion? |
The second exclusion applies to a narrower situation, involving the threatened identification of confidential informants in criminal proceedings. The "(c)(2) exclusion" provides as follows: Whenever informant records maintained by a criminal law enforcement agency under an informant’s name or personal identifier are requested by a third party according to the informant’s name or personal identifier, the agency may treat the records as not subject to the requirements of [the FOIA] unless the informant’s status as an informant has been officially confirmed. |
What is the third FOIA Exclusion? |
The third of these special record exclusions pertains only to certain law enforcement records that are maintained by the FBI. The "(c)(3) exclusion" provides as follows: Whenever a request is made which involves access to records maintained by the Federal Bureau of Investigation pertaining to foreign intelligence or counterintelligence, or international terrorism, and the existence of the records is classified information as provided in [Exemption 1], the Bureau may, as long as the existence of the records remains classified information, treat the records as not subject to the requirements of the FOIA. |
The FOIA established a presumption that… |
records of the Executive Branch of the United States Government are accessible to the people. |
With the passage of the FOIA in 1966, the burden of proof shifted from the _____________ to the ____________ so … |
individual, government, those persons seeking information no longer are required to show a need for information. The "need to know" standard has now been replaced by a "right to know" standard. The government now has to justify the withholding of requested records. |
WHO CAN FILE A FOIA REQUEST? |
Any person can request ED’s records – individuals, foreign citizens, partnerships, corporations, and associations, foreign, state or local governments. Exceptions to this rule are Federal agencies, fugitives and, foreign government or international governmental organizations or their representatives. Requesters are treated equally under the FOIA; however, in certain instances distinctions are made in order to determine fee category, fee waiver requests, and requests for expedited processing. |
WHAT IS AN AGENCY RECORD? |
The FOIA does not define this term, but the courts have generally interpreted "agency records" to mean printed documents or other information-bearing materials (e.g., photographs or computer tapes) which (1) were created or obtained by a federal agency and (2) are, at the time of the request, within both the possession and control of the agency. |
Does the FOIA require an agency to "create" a record in response to a request if the record does not exist at the time the request is made? |
No |
True or false: the FOIA does require an agency to retrieve a requested record that is not in its possession at the time of the request? |
false |
CAN I ASK QUESTIONS UNDER THE FOIA? |
The FOIA does not require Federal Agencies to answer questions, render opinions, or provide subjective evaluations |
What are terms of service (terms of use) (terms and conditions)? |
rules by which one must agree to abide in order to use a service. |
What also can terms of service be? |
Terms of service can also be merely a disclaimer, especially regarding the use of websites. |
The Terms-of-Service Agreement is mainly used for… |
legal purposes by websites and internet service providers that store a user’s personal data, such as e-commerce and social networking services. |
A legitimate terms-of-service agreement is… (2) |
legally binding and may be subject to change. |
A terms-of-service agreement typically contains sections pertaining to one or more of the following topics: (8) |
Disambiguation/definition of key words and phrases User rights and responsibilities: Proper or expected usage; potential misuse Accountability for online actions, behavior, and conduct Privacy policy outlining the use of personal data Payment details such as membership or subscription fees, etc. Opt-out policy describing procedure for account termination, if available Disclaimer/Limitation of Liability clarifying the site’s legal liability for damages incurred by users User notification upon modification of terms, if offered |
What is a privacy policy? |
A privacy policy is a statement or a legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client’s data. |
What does a privacy policy do legally? |
It fulfills a legal requirement to protect a customer or client’s privacy. |
Does the US have a specific federal regulation establishing universal implementation of privacy policies? |
No but the U.S. Federal Trade Commission (FTC) published the Fair Information Principles which provided a set of non-binding governing principles for the commercial use of personal information |
In many cases, the FTC enforces the terms of privacy policies as promises made to consumers using the authority granted by |
Section 5 of the FTC Act |
What does section 5 of the FTC act do? |
prohibits unfair or deceptive marketing practices. |
The FTC’s powers are… |
statutorily restricted in some cases; for example, airlines are subject to the authority of the Federal Aviation Administration (FAA), and cell phone carriers are subject to the authority of the Federal Communications Commission (FCC). |
How do class action lawsuits fit in with privacy policies and terms of services? |
In some cases, private parties enforce the terms of privacy policies by filing class action lawsuits, which may result in settlements or judgments. However, such lawsuits are often not an option, due to arbitration clauses in the privacy policies or other terms of service agreements. |
Who is the Web designed for? |
The Web is fundamentally designed to work for all people, whatever their hardware, software, language, culture, location, or physical or mental ability. |
To be designed for everyone, who it the web accessible to? |
When the Web meets this goal, it is accessible to people with a diverse range of hearing, movement, sight, and cognitive ability. When websites, web technologies, or web tools are badly designed, they can create barriers that exclude people from using the Web. |
the UN Convention on the Rights of Persons with Disabilities recognizes access to information and communications technologies, including the Web, as… |
a basic human right |
What two bonuses are there to making web content accessible? |
Accessibility supports social inclusion for people with disabilities as well as others, such as older people, people in rural areas, and people in developing countries. There is also a strong business case for accessibility. Accessibility overlaps with other best practices such as mobile web design, device independence, multi-modal interaction, usability, design for older users, and search engine optimization (SEO). Case studies show that accessible websites have better search results, reduced maintenance costs, and increased audience reach, among other benefits. Developing a Web Accessibility Business Case for Your Organization details the social, technical, financial, and legal benefits of web accessibility. |
What are some examples of making the web accessible? |
alternative text for images, keyboard input (so you don’t have to use a mouse), transcripts for podcasts |
The W3C Web Accessibility Initiative (WAI)… |
brings together people from industry, disability organizations, government, and research labs from around the world to develop guidelines and resources to help make the Web accessible to people with disabilities including auditory, cognitive, neurological, physical, speech, and visual disabilities. |
WAI’s coverage of web accessibility includes (6) |
‘web content’ (websites and web applications), authoring tools (such as content management systems (CMS) and blog software), browsers and other ‘user agents’, and W3C technical specifications, including WAI-ARIA for accessible rich Internet applications. |
Module 5- Privacy, Rights, Terms of Service, and Accessibility
Share This
Unfinished tasks keep piling up?
Let us complete them for you. Quickly and professionally.
Check Price