Protecting Children's Data Online

by Michael Riedijk on March 25, 2015

Protecting Children's Data Online: FTC Standards, Legislation and Radical Enforcement

With advances in technology and online activity, both for recreational and educational purposes, concerns have been long growing for the safety and use of children and student’s data collected in the use of certain apps and websites. Not only is this concern regarding the collection and use of children’s data, but the onus on those liable for protecting, and maintaining a balancing act between the benefits of technology for educational purposes.

US Federal Laws have long been implemented for the protection of children, data, and also for the safe use and promotion of the internet and its technology. With technological advances and an increasingly younger demographic of internet and social media users, the crossover of child protection, data protection and the internet has been challenged by those willing to exploit it - and so lobbyists have brought forth calls for amendments and new legislation such as COPPA (Children’s Online Privacy Protection Act), FERPA (Family Education Rights and Privacy Act) and recently SOPIPA (Student Online Personal Information Protection Act).

The issue at hand is who is accessing student data - and who is trying to buy and sell it to third party vendors. Student data should belong to students and their parents, used exclusively for educational purposes - and not be sold or used for companies’ or advertisers benefits. Targeted advertising and building profiles on students for future advertising purposes is a main concern with exploitative use of this data.

Lobbyists are currently focused on the matters of use, protection and retention of children’s sensitive information and data, with strong calls for reform on regulators, online operators, application developers, schools and local governments alike.

Federal privacy policies, such as COPPA and FERPA are both integral and essential to the protection of student data privacy, with a duty on school districts and schools to implement such standards. Provisions, however, should assist not burden local and state governments in the implementation, monitoring and decision making processes.

Balancing Act

It is inevitably hard to dispute the need for student data protection and privacy - but a conflict inevitably lies in the damage that potentially overreaching limitations could have. Highly restrictive provisions could have adverse effects on the development of educational technology, and deter creators and investors from the educational sphere out of fear of risk and liability.

Appropriate level of data sharing is necessary for developing educational technology to assist current teachers and students - and the future of the digital education sphere. Just as overreaching laws could conflict this, a balanced approach, taking into consideration the privacy of children, burdens on creators and duty on school districts and teachers. Where do restrictions on data usage meet with sanctions for mis-use?

An onus is on many parties - namely tech companies to review current provisions and safeguards, to communicate a level of transparency with school officials and parents on the use of data and for parents and teachers to ensure that online and interactive educational tools are likewise inline with the relevant legislation and consented to.


Websites collecting the information of children under the age of 13 must comply with the FTC's regulation of COPPA; the Children's Online Privacy Protection Act. Such websites (between social media, general products, apps etc) must have user safeguards and consensual agreements in place or face harsh fines, and should archive themselves inline with FTC compliance standards.

Evidence and data must be stored from websites collecting such information. Coming into effect in 2000, this regulation exists to ensure transparency surrounding data collection of the information society's most vulnerable demographic, state that parents may revoke consent from site and information usage, outline site requirements and minimum security standards.

The FTC regulates and enforced COPPA under the designated "Safe Harbor" provision, aggressively attempting to enforce it in a trend of making an example of those who don't by way of excessive fines and damage to reputation, such as Yelp, Hershey, TinyCo. Inc. and more.

Case Study: Google Apps for Education.

Google Apps for Education is an application targeting K-12 and postsecondary students; but allows students under the COPPA restricted age of 13 to use their range of programs without verified parental consent for schoolwork. If children under the age of 13 use these services, however, Google’s agreement with schools seemingly plane on onus on educational institutions alone to enforce and comply with COPPA standards.

As COPPA is a federal requirement, there is a duty on participating schools to spend additional resources ensuring these standards are in place, causing additional economic and regulatory burdens on schools and school districts.

Onus on Schools

Schools must take appropriate levels of caution and monitoring to ensure that any apps and services utilised in the classroom and for educational purposes are in line with COPPA standards and protect the privacy of their students’ data.

The undertaking of assessing the privacy standards of each digital educational tool individually is a demanding and cumbersome undertaking - and to COPPA compliance is instead the best tool to use when evaluating the the privacy safeguards of apps or services utilised by a school district, teachers or students.

App developers and site operators should be able to provide clear and concise information on their data collection and usage policies and COPPA compliance standards. Therefore, it is a chain of operators and developers ensuring their standards are in line with COPPA, and also on teachers and school officials to adhere with due diligence standards to ensure the security of students’ privacy rights.


The existing 41 year old FERPA privacy statute is in dire need of reform, according to Congress, as its provisions have failed to keep up with the technological developments in the classroom, or in the 21st Century. As it was initially drafted to apply only to educational institutions, current provisions fail to provide adequate protection of student from third party use. A balancing act between restricting the integrity, usage and collection of data whilst simultaneously providing scope for educational technologies is needed to advance.


SOPIPA (California’s Student Online Personal Information Protection Act) is the latest Californian data-protection legislation is aimed at students and is highly unique and forward thinking in that it expressly restricts use of their educational data from third-parties. SOPIPA is a dynamic landmark attempt to challenge the balancing of protecting children’s sensitive information and security with the advances in online and digital learning technologies.

The aim of this student-data-privacy legislation is that it will become an example for other states and school districts as concern and danger of the sharing of under-13's data by third-party vendors increases at a rapid pace.

Inline with and in addition to COPPA requirements on privacy standards, the safe retention and deletion of children’s information, SOPIPA prohibits the selling of student data acquired to advertisers, to “amass a profile” on student for non-educational purposes and a requirement to delete such data on request by a school or district.

In recent legislative sessions, over 20 states have enacted or updated student-data-privacy laws, focusing on the prohibition of collection of data or requiring school districts and schools to improve their monitoring and processing practices. A bill updating federal standards on student privacy is currently under review in the United States Senate.

SOPIPA, however, is unique in that it places the responsibility for ensuring a high standard of privacy of student data on industry leaders, placing restrictions on privacy-related provisions in contracts with vendors.

Yet in need of the balance for restrictive laws and technological developments, accommodations have been made for industry concerns enabling operators to maintain and use “de-identified” or anonymous student information to develop and improve their own products and services.

After Google faced criticism for scanning and data mining the content of student emails for marketing use, provisions - expressly- prohibiting vendors from using “information, including persistent unique identifiers, created or gathered by the operator’s site, service or application to amass a profile about K-12 student except in furtherance of K-12 school purposes” were identified as essential.

How PageFreezer can help

Websites and applications targeted at children, notably those under the age of 13, need to comply with federal privacy protection standards such as COPPA and must determine if they need to be archived for compliance issues.

The FTC have both the ability and duty to sanction any website operators or developers who do not comply with COPPA regulations during the operation of their products or resources. Website operators and application developers must have regard to those who register for their services if actual knowledge is provided to them, by way of registering a date of birth or answering certain security question e.g. “What school do you currently attend” that they are children and subject to COPPA protection measures, and could be liable for improper use or retention of personal information collected.

With recent COPPA amendments, there is an onus also on schools and school districts to assess, monitor and ensure COPPA compliance when utilizing online and interactive educational tools targeted at students.FTC compliant companies must store transparent and reliable records, for the safety of their customers and their reputation in the threat of non-compliance.

Ensure the integrity and safety standards of child-targeted websites when reviewing compliance standards by recording the information collected, privacy policies and more using this efficient and simple tool.

The information and materials on this blog are provided for general and informative purposes only and are not intended to be construed as legal advice. Content on this blog is not intended to substitute the advice of a licensed attorney, as laws are subject to change and vary with time, from jurisdiction to jurisdiction. Content on this blog may be changed without notice and is not guaranteed to be complete, correct or up-to-date.



to our RSS feed for updates.

Recent Posts

Start Archiving Automatically
Schedule a Demo