FTC Prioritizes COPPA Cybersecurity and Data Minimization Enforcement to Bolster Student Privacy
Student and children’s privacy laws have long been criticized for their lack of enforcement, but in an important step toward improving privacy for students and children and securing their data, the Federal Trade Commission (FTC) unanimously approved a policy statement that makes clear the agency’s intent to prioritize enforcement of existing cybersecurity and data minimization requirements under the Children’s Online Privacy Protection Act (COPPA). CDT welcomes the statement, which highlights the importance that education technology vendors meet their existing responsibilities under COPPA.
“The FTC’s policy statement underscores the importance of thoughtful data practices in protecting students’ privacy,” said CDT President & CEO Alexandra Givens. “Limitations on data collection, use, and retention are essential to protect individuals from privacy harms and cybersecurity risks. We applaud the FTC for its work to strengthen enforcement of children’s privacy requirements in the context of education technology, and particularly thank the Commissioners who championed data minimization as a vital component of this work. While this policy statement represents an important step forward, we also join the call for the FTC to complete its long-awaited review of the regulations that govern children’s privacy, and to align those reforms with the wider movement to protect everyone’s privacy at the federal level.”
Critically, the statement notes that “even absent a breach, COPPA-covered [education technology] providers violate COPPA if they lack reasonable security.” Strong cybersecurity protections are essential, as K-12 cyberattacks are not only on the rise but increasingly aimed at the online services that COPPA covers. COPPA and its rules already require online service providers to adopt “reasonable procedures to protect the confidentiality, security, and integrity” of children’s data, and the policy statement underscores that security must be a top priority.
Further, the statement clarifies that COPPA’s privacy requirements will be enforced, particularly around data minimization, use limitations (for educational purposes), and retention limits. These requirements have long been part of COPPA, and CDT supports these increased enforcement efforts to help protect students online in the same way we expect them to be protected in the classroom.
