edtech-privacy-assessment
EdTech Privacy Assessment — Children's Data in Educational Technology
Overview
Educational technology (EdTech) platforms that process children's personal data operate at the intersection of multiple privacy frameworks. In the United States, COPPA's school exception (16 CFR 312.5(c)(4)) allows schools to provide consent on behalf of parents for the collection of children's data in educational contexts, but only for school-authorised educational purposes. The Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. Section 1232g) governs education records maintained by educational agencies or institutions receiving federal funding. In the EU, GDPR applies with the heightened protections of Art. 8 (parental consent for children) and Recital 38 (specific protection for children). The UK AADC applies to EdTech services likely to be accessed by children. This skill provides a framework for conducting privacy assessments of EdTech platforms that navigate these overlapping requirements.
Regulatory Frameworks
COPPA School Exception — 16 CFR 312.5(c)(4)
COPPA permits an operator to collect personal information from a child for the use and benefit of the school, and for no other commercial purpose, without obtaining verifiable parental consent directly, when:
- The school has authorised the collection of personal information on behalf of the students
- The collection is solely for the school's use and benefit in the educational context
- The operator does not use the collected information for any commercial purpose unrelated to the educational context
- The operator does not disclose the information to non-school third parties