Skip to Content

Cybersecurity & Standards, Equity in Civic Technology, Privacy & Data

FTC to Prioritize Cybersecurity and Data Minimization Enforcement Under COPPA to Bolster Student Privacy

The Center for Democracy & Technology (CDT) welcomes the unanimous approval by the Federal Trade Commission (FTC) of a policy statement that underscores education technology vendors’ responsibilities under the Children’s Online Privacy Protection Act (COPPA). The statement acknowledges the importance of technology in students’ lives, and makes known that the FTC intends to increase its enforcement of COPPA’s existing requirements related to data security and data minimization. This development is an important step toward improving privacy for students and children and securing their data, as student and children’s privacy laws have long been criticized for their lack of enforcement.

“The FTC’s policy statement underscores the importance of thoughtful data practices in protecting students’ privacy,” said CDT President & CEO Alexandra Givens. “Limitations on data collection, use, and retention are essential to protect individuals from privacy harms and cybersecurity risks. We applaud the FTC for its work to strengthen enforcement of children’s privacy requirements in the context of education technology, and particularly thank the Commissioners who championed data minimization as a vital component of this work. While this policy statement represents an important step forward, we also join the call for the FTC to complete its long-awaited review of the regulations that govern children’s privacy, and to align those reforms with the wider movement to protect everyone’s privacy at the federal level.”

Critically, the statement notes that “even absent a breach, COPPA-covered [education technology] providers violate COPPA if they lack reasonable security.” Strong cybersecurity protections are essential, as K-12 cyberattacks are not only on the rise but increasingly aimed at the online services that COPPA covers. COPPA and its rules already require online service providers to adopt “reasonable procedures to protect the confidentiality, security, and integrity” of children’s data, and the policy statement underscores that security must be a top priority. 

Further, the policy statement clarifies that COPPA’s privacy requirements will be enforced, particularly around data minimization, use limitations (for educational purposes), and retention limits. These requirements have long been part of COPPA, and CDT supports these increased enforcement efforts to help protect students online in the same way we expect them to be protected in the classroom. 

For more information on this issue, see CDT’s previous call for the FTC to ensure that COPPA protects student privacy and for Congress to bolster protections for children and teenagers by establishing robust privacy protections nationwide.