An open letter in response to the FTC Policy Statement on Education Technology and the Children’s Online Privacy Protection Act

15 June, 2022

The Student Data Privacy Consortium (SDPC) is a non-profit community of school districts, edtech marketplace vendors, government agencies and partners addressing day-to-day operational issues related to student data privacy. Over 10,000 school districts, over 100 marketplace providers and government agencies across 4 countries make up a community developing tools, resources, operational practices and projects.  All the activities of the community are designed to address on the ground, real world impacts on student data privacy issues. 

Over the past seven years the SDPC has worked very closely with both schools and providers to address data privacy issues. The intersection of COPPA and FERPA with classroom educational technology usage continues to be a strong topic of interest, and in many cases a “pain point”, for all stakeholders. With this in mind, the SDPC feels obligated to respond to the FTC’s recent statement on educational technology and COPPA. 

The SDPC applauds the FTC for this policy statement and reinforcing the need to apply COPPA in the educational setting to ensure data is not overly or inappropriately being collected on students. In the past, the FTC has been instrumental in supporting parents and school personnel in their student data privacy stewardship roles.  The SDPC also can tout that our vendor members appreciate any and all clarity they can obtain to ensure they are doing their part as well in protecting student privacy.

Having said that, the SDPC feels the statement and FTC actions do not go far enough to both clarify the overlap of COPPA and FERPA, nor provide operational assistance to schools and vendors who are both trying to provide valuable online tools to support teaching and learning while staying within both legal and ethical guidelines. 

Specifically, the SDPC suggests:

• The Commission should use a different example in the prohibition against mandatory collection. In both education technology systems and the larger general technology market, the email address string has become the de facto login identifier even if the system vendor will never email the user.

• Both Edtech providers and schools need common guidance from the federal government on how COPPA and FERPA interact. SDPC applauds the long-time collaboration between the FTC and the US Department of Education and urges the continuance and expansion of those joint efforts.

The Student Data Privacy Consortium has had great success in assisting both schools and providers to navigate privacy issues while providing effective and secure online tools. The SDPC’s cornerstone work has been the creation of a National Data Privacy Agreement (NDPA) that is being implemented in 31 states. This DPA has successfully bridged the gap between school and provider expectations around protecting student data. The SDPC Registry currently contains over 67,000 Data Privacy Agreements between schools and vendors for close to 8,000 applications impacting 34 million students. 

Building off the success of the NDPA, the consortium is now implementing a proof-of-concept project demonstrating the use of the Global Education Privacy Standard (GEPS) to convey all privacy obligations “over the wire”. With regards to the statement “…COPPA-covered ed tech providers violate COPPA if they lack reasonable security”, the SDPC is working with all relevant stakeholder groups to provide clarity on the definition of ‘reasonable security’. To achieve this, the SDPC is facilitating a global working group to develop an Education Data Security Standard that all stakeholders can adhere to. 

Through all of this work, the SDPC’s success can be attributed to the focus on bringing all sides together to find common ground and build from there. Similarly, we encourage the FTC to bring all stakeholders together to clarify expectations and develop operational standards to ensure both COPPA and FERPA are adhered to by our vendor community.

The SDPC is happy to work with the FTC to ensure schools, vendors, government entities, and even parents are successful in supporting the various student data privacy measures underway.  Please consider us a resource for your continuing work.

Signed, SDPC Management Board

Andy Bloom, McGraw-Hill

Libbi Garrett, California IT in Education (CITE)

Tom Ingram, Escambia County School District

Allen Miedema, Northshore School District

Josh Olstad, New Hampshire CTO Council

Jim Siegl, Future of Privacy Forum

Steve Setzer, Loop Data

Steve Smith, Cambridge Public Schools

Anthony Yaremenko, National Schools Interoperability Program (NSIP), Australia

To view the Open Letter (PDF), please click here >>

Leave a Reply

Your email address will not be published. Required fields are marked *