FTC Warns EdTech Providers Must Heed Children’s Privacy Rules

May 27, 2022

Click for PDF

The Federal Trade Commission recently doubled down on its efforts to combat perceived deception and privacy violations in the education sector, and in particular, perceived violations by education technology providers and for-profit educational institutions.

On May 19, 2022, the FTC commissioners unanimously[1] voted to adopt a new Policy Statement on educational technology and the Children’s Online Privacy Protection Act (COPPA). In the Policy Statement, the agency promised to “scrutinize compliance with the full breadth of the substantive provisions of the COPPA rule and statutory language,” with a particular focus on protecting children who are required to use certain technology to complete schoolwork.[2] The Policy Statement is one in a series of signals that the FTC will aggressively enforce COPPA, specifically in the context of technology used for school—a scenario in which “children are a captive audience,” according to the FTC.[3]

FTC Chair Lina Khan reinforced these sentiments at the FTC’s May 19 open meeting, stating that COPPA is not merely a notice and consent framework, but places clear restrictions on the data that companies may collect from children. She expressed particular concerns over children “surrender[ing their data] to commercial surveillance practices,” in order to access educational resources online. She also expressed concerns over “targeting” and “profiling” of children, across various platforms.[4]

With the Policy Statement, the FTC sends a reminder that covered businesses bear “the responsibility for COPPA compliance . . . not schools or parents.” Specifically, the agency will prioritize enforcement against:

(1) mandatory collection of information as a condition of participation, or collection of data beyond what is reasonably necessary;

(2) use of children’s data outside of the authorized limited purpose;

(3) the retention of information for longer than is reasonably necessary; and,

(4) the failure to maintain the confidentiality, security, and integrity of children’s personal information.

The FTC further made clear that it will take the position that a company is in violation of COPPA’s security provisions if the company fails to take reasonable security precautions, regardless of whether an actual breach occurs.[5]

President Joe Biden commended the FTC “for unanimously taking a big step” toward answering his call to strengthen privacy protections for children with the Policy Statement, and reiterated his stated intention to strengthen privacy protections and ban targeted advertising to children delivered in his State of the Union address.[6]

The FTC has been grappling with the perceived “proliferation of technologies that monetize the collection of personal information,” especially as it relates to children for over a decade. The FTC has been charged with enforcing COPPA since it took effect in 2000, and the agency amended COPPA in 2013 to broaden its scope to include previously unregulated information, such as “persistent identifiers,” as well as photographs and voice recordings, and to encompass third parties that have actual knowledge that they’re collecting personal information from children.[7] With the proliferation of online learning, the FTC wants to ensure that “ed tech doesn’t become a pretext for companies to collect personal information in the classroom and in the home.”[8] Indeed, the FTC opened a review of the COPPA Rule in 2019, ahead of the regulatory review schedule, to explore whether amendments are needed in light of rapid technological advancements, and asking specific questions concerning the EdTech industry, including whether to change requirements concerning the deletion of children’s information and parental consent. The FTC received 170,000 public comments in this review, setting the record for any proceeding.[9]

The FTC issued the May 19 Policy Statement even though the agency’s COPPA review is still pending. FTC Commissioner Christine Wilson asked the agency to prioritize the conclusion of this review, given that it has been pending for three years.

The May 19 Policy Statement is not the only recent development related to COPPA. In March 2022, the FTC settled a matter over allegations that a company collected data from children without proper parental consent.[10] As part of the settlement, the company paid a $1.5 million penalty, was required to delete all personal information that was collected in a manner that violated COPPA, and had to destroy all models or algorithms developed in whole or in part using improperly collected personal information. More than a mere interest in enforcing COPPA generally, this case signals the Commission’s focus on the use of children’s data to create advanced algorithms, and therefore, the destruction of such algorithms as a remedy for COPPA violations.

The FTC also signaled its interest in how children interpret advertising, both in the context of COPPA and its Guides on Endorsements and Testimonials. The same day the FTC issued the Policy Statement, the agency announced an October workshop focusing on “stealth advertising” to children—a phenomenon where the line between paid advertisements and unsponsored influencer content has become blurred—particularly with respect to the rise of the child influencer.[11] The workshop will feature legal experts as well as scientists to discuss the development of children’s brains and the impact of stealth advertising on impressionable children, in order to develop strategies to best protect kids. The FTC is currently seeking research papers and written comments on topics including children’s capacity at different ages and developmental stages to recognize and distinguish advertising content, the “harms to children” caused by a failure to recognize advertising, and what measures should be taken to protect children.[12]

EdTech is not the FTC’s only educational sector interest area.  The agency recently issued Warning Letters in the for-profit education space, as well. Specifically, the FTC put 70 for-profit educational institutions on notice that the agency will seek to impose civil penalties on any institution that commits acts that have been previously found to be unfair or deceptive under Section 5,[13] using its Penalty Offense Authority.[14] The Commission cautioned these companies against deceptive advertising, making false promises of jobs or other favorable employment outcomes, and driving students into debt. Educational institutions found to be in violation of these rules could face “steep penalties”—including fines of more than $46,000 per violation.

Companies and other entities engaged in the education sector should be particularly mindful of the FTC’s activities in this space, especially if they collect any information from children, and ensure their practices do not run afoul of COPPA, the FTC Act, or related requirements.

We are closely monitoring FTC developments, and are available to discuss these issues as applied to your particular situation.


   [1]   While every Commissioner ultimately voted to adopt the Policy Statement, 4 Commissioners (out of 5) issued their own, individual statements on the issue, noting a spectrum of opinions. In fact, Commissioner Wilson only “reluctantly vot[ed] yes” on the Policy Statement; and even so, only because the Statement “neither expands the universe of entities covered by the COPPA Rule nor the circumstances under which the Commission will initiate enforcement.”  Oral Remarks of Commissioner Wilson at the Open Commission Meeting (May 19, 2022), https://www.ftc.gov/system/files/ftc_gov/pdf/P155401WilsonRemarks_0.pdf.  Notably, the May 19 open meeting was the first for newly installed Commissioner Alvaro Bedoya.  He stated that the Policy Statement reinforced original intent of Congress to go beyond the notice and consent framework. Oral Remarks of Commissioner Bedoya at the Open Commission Meeting, 13 (May 19, 2022), https://www.ftc.gov/system/files/ftc_gov/pdf/Transcript-Open-Commission-Meeting-May-19-2022.pdf. He also expressed the view that children have different online experiences based on family circumstances.  “Kids from working-class families … [are] more likely to use free apps, which track much more data than paid apps, and for a variety of reasons, they end up giving up much more sensitive information about themselves.”  Id. at 14. Hence, Commissioner Bedoya was encouraged by Chair Khan’s call for “systemic responses to problems.” While some tracking is benign, “I want to push back on the idea that we need all this tracking . . . to make better apps for kids.” Id.

   [2]   Federal Trade Commission, Policy Statement of the Federal Trade Commission on Education Technology and the Children’s Online Privacy Protection Act (2022).

   [3]   Id.

   [4]   Oral Remarks of Commission Chair Lina Khan at the Open Commission Meeting (May 19, 2022), https://www.ftc.gov/system/files/ftc_gov/pdf/Transcript-Open-Commission-Meeting-May-19-2022.pdf.

   [5]   Id.

   [6]   The White House, Statement from President Biden on FTC Vote to Protect Children’s Privacy (May 19, 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/19/statement-from-president-biden-on-ftc-vote-to-protect-childrens-privacy.

   [7]   See, https://www.ftc.gov/business-guidance/blog/2022/05/ftc-ed-tech-protecting-kids-privacy-your-responsibility.

   [8]   Id.

   [9]   See, FTC, Student Privacy and Ed Tech (December 2017), https://www.ftc.gov/news-events/events/2017/12/student-privacy-ed-tech.

  [10]   FTC, FTC Takes Action Against Company Formerly Known as Weight Watchers for Illegally Collecting Kids’ Sensitive Health Data, https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-company-formerly-known-weight-watchers-illegally-collecting-kids-sensitive.

  [11]   https://www.ftc.gov/news-events/news/press-releases/2022/05/ftc-hold-virtual-event-protecting-kids-stealth-advertising-digital-media.

  [12]   Id. The FTC will continue to accept comments and papers until July 18, 2022.

  [13]   https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-targets-false-claims-profit-colleges.

  [14]   FTC, Notices of Penalty Offenses, https://www.ftc.gov/enforcement/penalty-offenses. See also, Gibson Dunn, The FTC at Full Strength: What to Expect Next (May 16, 2022), https://www.gibsondunn.com/the-ftc-at-full-strength-what-to-expect-next/.

The following Gibson Dunn lawyers prepared this client alert: Svetlana S. Gans and Brendan Krimsky.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

United States
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, [email protected])
David P. Burns – Washington, D.C. (+1 202-887-3786, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Svetlana S. Gans – Washington, D.C. (+1 202-955-8657, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Robert K. Hur – Washington, D.C. (+1 202-887-3674, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
Deborah L. Stein – Los Angeles (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])

Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0) 1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0) 20 7071 4250, [email protected])
Patrick Doris – London (+44 (0) 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Bernard Grinspan – Paris (+33 (0) 1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0) 20 7071 4203, [email protected])

Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.