An era of remote learning raises questions about children’s data privacy.
As COVID-19 spread through the United States this spring, school districts across the country scrambled to find a way to teach students remotely. Many turned to Zoom, the videoconferencing platform that has rapidly become a household name. But as the usage of Zoom skyrocketed, the platform’s data privacy policies came under heightened scrutiny. Just a few weeks after Zoom CEO Eric Yuan gave K-12 schools in the U.S. free accounts in mid-March, the New York attorney general and Senators Ed Markey and Elizabeth Warren sent letters to the company requesting more information about its privacy and security measures. Both parties were particularly concerned about how Zoom handled children’s personal data now that so many minors were using the service for their education.
Children’s online privacy in the United States is governed by the Children’s Online Privacy Protection Act (COPPA). Passed in 1998, COPPA is intended to protect the privacy of children under 13 by giving their parents control over the kind of information that is collected about them online. COPPA applies to web services that are either aimed at children under 13 or have “actual knowledge” that they collect and store personal information from children under 13. Personal information includes data like a child’s name, contact information, screennames, photos and videos, and geolocation information. In order to comply with COPPA, covered websites must publish their privacy policies, provide notice to parents and obtain their consent before collecting personal information from children, and give parents the opportunity to review and delete the information and opt-out of further collection. The sites must keep this information confidential and can’t retain it longer than necessary.
While children today are more internet-savvy than in 1998, they’re more vulnerable to sophisticated data collection. The pandemic has illustrated how essential the internet is — it’s where many aspects of everyday life now take place for adults and children alike. That can make it harder to identify what sites actually have to comply with COPPA. For example, for many years YouTube’s position was that it had a “general audience” and was thus not subject to COPPA restrictions. But a 2019 complaint brought by the Federal Trade Commission alleged that parent company Google knew they had viewers under 13 and still tracked their viewing habits to serve them targeted ads. Google settled with the FTC for $170 million and agreed to make changes in the way it collects and uses data from videos aimed at children.
Zoom prohibits users from creating Zoom accounts if they are under 16, but schools with Zoom subscriptions can provide students under 16 with student accounts which have certain restrictions. This gives the school district the responsibility for obtaining the parental consent required by COPPA. Zoom collects personal information like names from adult K-12 users (like teachers) but does not collect this information from student users. The only personal information Zoom receives from students is data saved by adult users like meeting recordings or chat logs. The policy doesn’t provide timelines for how long this data might stay in the Zoom system (just “as long as necessary”) but it does allow parents to access, review, delete and opt out of further collection data as long as they send the request via the school (the actual Zoom client). Finally, Zoom states that it does not sell data or use data from users it knows to be underaged to deliver targeted ads. It provides personal information to third-parties only to help provide services — an issue Zoom is probably particularly sensitive to after attracting a lawsuit for allegedly sharing data with Facebook without notice.
If Zoom is following the policies it outlines in its K-12 Privacy Statement, it’s in compliance with COPPA when children use the service for virtual learning. But it’s not clear what protections (if any) Zoom has in place for children using their service outside of school. If a parent allows a child to use the parent’s personal Zoom account to talk to her friend on the weekend, Zoom may still be using cookies to collect data for interest-based ads. Since the account is registered to an adult and Zoom’s general service is not aimed at children, it wouldn’t be bound by COPPA privacy restrictions. Requiring Zoom to be more vigilant about inadvertently collecting data from children outside of virtual learning is a tall ask — perhaps too tall for the company. Zoom would probably argue that parents and guardians are responsible for managing their child’s online privacy, not Zoom. On the other hand, the FTC thinks that at least platforms like YouTube bear some responsibility when they know children are using their services in certain ways. It’s not yet clear how far that responsibility extends.
* Ashley Bishel is an Associate Editor on the Michigan Technology Law Review.