Online Education and the Responsibility to Protect Children’s Privacy
Co-Authored with Michelle Gordon, Privacy Lawyer & Consultant
The COVID-19 pandemic has brought significant changes to the way children are learning. With increased uncertainty around learning models and delivery, both school boards and parents are becoming increasingly reliant on online educational tools to deliver innovative learning for children. Given this shift shows no signs of slowing down, there has been an increase in the number of online education companies targeting school boards. Likewise, they are targeting parents who are independently supplementing their children’s education with online tools. This increased demand for educational online tools has created a competitive space for online education companies.
Understandably, school boards and parents are concerned about what personal information online tools are collecting about children and with whom they may share that information. However, in the rush to get to market, many online education companies have failed to develop a mature privacy posture, which may pose a barrier for entrance into this space. To be successful in this market, online education companies will gain a competitive advantage by demonstrating privacy compliance in a creative manner that speaks to both school boards and parents.
The Legislative Landscape
Online education companies should be cognizant of school boards’ privacy responsibilities to students as that will impact whether they can engage the online platform. For instance, school boards in Ontario must comply with Ontario’s Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) to ensure online tools offered to their students have adequate privacy and security protections. Online education companies must also comply with Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). Although PIPEDA does not specifically provide prescriptive requirements on the collection, use and disclosure of children’s personal information, the privacy principles contained in the legislation, along with regulatory guidance, provide online education companies with direction on how to handle children’s personal information with particular sensitivity.
Privacy Implementation for Online Educational Tools
Online education companies hoping to either secure a contract with a school board or become a household brand will need to strategically shift the way they think about privacy. While there is a myriad of privacy considerations, the factors listed below require special attention by those companies who are collecting, using and disclosing children’s personal information and who aim to be successful in doing so:
1.User-friendly, meaningful privacy policy: A company’s privacy policy must be accessible, user-friendly and easy to understand to ensure meaningful consent is obtained. The following are key issues that should be included and made very transparent in the privacy policy:
Minimum user age for the website/application;
A clear description of how children’s personal information is collected, used, and disclosed;
Disclosure of personal information, including de-identified and aggregated information, to third parties and the purpose for the disclosure;
Instructions on how an individual may request access to personal information and request deletion;
Transparency about retention of personal information;
Monetization on advertisements; and
Security measures to limit access and protect the information.
A one-size-fits-all privacy policy is likely not suitable for tools that are targeting children. Companies need to be cognizant that while adults may be reviewing the Privacy Policy, so too might children who are 13 years old or older and do not require parental consent. To address the varying levels of maturity and comprehension, companies should be creative with their Privacy Policy to ensure their audience, regardless of age or stature can understand the company’s position on privacy. Companies should be creative with their Privacy Policy. For instance, in addition to a written Privacy Policy, companies may consider developing a video about the company’s privacy stance along with instructions on how to use the tool and protect personal information will not only enhance the consent process but also help gain consumer trust.
Furthermore, companies should ensure that the privacy policy is easily accessible on the site’s landing page and disclose the contact information of the designated individual responsible for handling privacy inquiries or complaints.
2. Consent: Various legislation, such as PIPEDA and the U.S. Children's Online Privacy Protection Act (COPPA), along with regulatory guidance, provides direction on obtaining valid consent. Children’s online education companies must obtain parental consent before collecting personal information from a child under the age of 13. For youth ages 13 to 18, companies may consider developing a meaningful consent process that considers the level of maturity. Given that children may easily lie about their age, companies should consider using a stringent vetting system, such as verifying age through parent phones or email. Lastly, the tool should make it very simple for users to withdraw their consent and understand the consequences of doing so.
3. Location Data: The collection of children’s location data should be limited as much as possible. The recently-released U.K. Children’s Code, aimed to protect children online, specifically states that geolocation should be switched off by default. If a program requires location data to operate properly, a clear explanation should be provided in the Privacy Policy. By design, the collection of location data should be turned off and permission to enable the feature should be requested when it is relevant to do so, therefore, providing context (i.e. just-in-time notification). Furthermore, companies should avoid collecting precise location data if the data is not required to provide the user with the service. Lastly, location data should be discarded as soon as it is no longer needed to provide the service.
4. Minimize the Data Collected: Child-focused online tools should be designed to require as little information about the child as possible. This “privacy by design” approach means that privacy is embedded into the design of the tool, rather than added as an afterthought. For example, apps or websites should be designed to avoid collecting personal information when an anonymous approach would work equally well. In some use-cases, companies may consider removing free-text boxes to avoid collecting unnecessary information from the child and rather just rely on multiple-choice questions.
5. Privacy Default Settings: Companies should ensure that user settings default to the most privacy-protected mode. For example, apps should, by default, disable the use of the video camera and rather have users opt in to using the camera.
Where there are options to enable less privacy-protected functionality, provide a clear just-in-time notice so that the parent or child can make an educated and informed decision. The notice should explain what information is being collected, what it is being used for and with whom it may be shared.
6. Clearly Defined Data Sharing Agreements: When school boards and parents vet children’s online tools, they look to see who the personal information will be shared with and to what extent. A carefully crafted and outlined data sharing agreement between the online education company and its third-party vendors is imperative to define and restrict the use of personal information by the vendor. For example, restrictions of advertising or location tracking should be well documented. Given the sensitive nature of the data and heightened third party risks, companies should audit third parties to ensure they are not using the personal information for a secondary purpose not stipulated in the agreement.
7. Privacy Culture and Trust: Education companies should use privacy as a means of building public trust. Privacy can become a competitive advantage since consumers are more likely to use an online service if they are aware that privacy is at the forefront of a company’s mission and program.
A strong privacy culture may be achieved in various ways, including:
Developing privacy awareness and training for staff so that they not only understand their privacy responsibilities but also become the company’s best privacy advocates.
Engaging a privacy expert to conduct a Privacy Risk Assessment (“PRA”). Once risks have been remediated, obtain an updated PRA and voluntarily publish the results to customers. For example, a pre-published PRA would appeal to school boards as it will save them the time, effort and budget to vet the tool for privacy compliance.
Developing or adopting a privacy pledge or commitment, such as the Student Privacy Pledge, and include it on your public-facing website and marketing materials.
Given the current climate, online education companies are in a unique position to shape the future of learning and to help build an innovative educational environment that reaches children across the socio-economic spectrum. By putting privacy at the forefront of its core principles, a company can gain a competitive edge and ensure that the value placed on privacy leads to trust in its overall commitment to children’s education.