FERPA, COPPA and the myths we tell each other

This Sunday is Data Privacy Day, so I thought I would list some of the more “interesting” interpretations I have heard (and read) about COPPA, FERPA and how schools approve educational services.

I eventually plan to write up an annotated version of this list, so if you have additions, please tweet them to me @jsiegl.

  1. “In Loco Parentis” means schools/teachers can consent to students’ use of any online service on the parents’ behalf,
  2. It does not matter whether a password-protected site is secure if it does not collect any sensitive data,
  3. I only have to get permission if I am creating student accounts/the student is logging in,
  4. If an online service requests “only” directory information to sign up, it is OK for schools to sign students up/have them sign up,
  5. Vendors can say in their Terms of Service that schools are responsible for complying with COPPA,
  6. If the student is 13 or over, as a teacher, I don’t need to get/think about parental consent,
  7. Vendors can delegate collecting and managing parental permission to schools even if the school is not “contracting with the vendor to perform an educational purpose”,
  8. As a vendor, you can comply with COPPA if you just say “this site is not for children; if you are under 13 you may not access this site”, regardless of anything else,
  9. Social Login (that “Login with X” button, e.g. Twitter, O365, Google, Facebook etc.) means you are just logging in and not really creating an account on the site,
  10. (related) “Login with X” means that you are “just” creating an account,
  11. It is a valid COPPA workaround for a vendor, in its terms, to tell a teacher that to comply with COPPA the teacher should sign up the student,
  12. Anonymized and aggregated data are the same thing,
  13. Anonymous and pseudonymous are the same thing,
  14. (related) Creating pseudonymous accounts (e.g. usernames that do not contain the student’s full name or ID) is a valid “workaround” to avoid the challenges of complying with FERPA or COPPA,
  15. If the site uses https, it means the product is secure,
  16. “Security by obscurity” is security,
  17. A privacy policy means the site protects your privacy,
  18. “COPPA compliant” means the information is kept private,
  19. Ad networks and data brokers are the same thing,
  20. (related) Ad networks sell or trade user data,
  21. Ad networks and analytics are the same thing,
  22. COPPA covers information collected about children under 13,
  23. If it is in the vendor’s policy/terms, then it must be true,
  24. If it involves student health information, you have to comply with HIPAA,
  25. Student IDs are confidential, and can be used to pay for lunches or to post grades,
  26. Student IDs are not confidential, so they are a good choice for student usernames/email addresses,
  27. Not private by default is fine, because students and teachers can just change it to be private,
  28. A tool that only offers the option of public posting is OK as long as you get permission, as long as they are over 13… (“privacy as a premium”),
  29. When a vendor says they are “FERPA compliant”, that means something,
  30. (related) A vendor can designate themselves as a “school official” by saying so in their terms.

Happy Data Privacy Day