FTC to enforce COPPA in EdTech

Julie Rubash, Chief Privacy Counsel
May 23, 2022

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


FTC to Enforce COPPA in EdTech

The Federal Trade Commission (FTC) issued a policy statement on Education Technology and the Children’s Online Privacy Protection Act (COPPA), in which the FTC committed to fully enforce COPPA’s limitations on EdTech operators’ ability to collect, use and retain children’s personal data, including in school and learning settings.

In particular, the FTC will focus on prohibiting mandatory collection of unnecessary personal data as a condition for participating in educational technology, prohibiting commercial or other secondary use (beyond providing the service) of data collected with school authorization, prohibiting retention of data longer than necessary to provide the service, and requiring procedures to maintain the confidentiality, security and integrity of children’s personal information.


The policy statement was adopted by a 5-0 vote of the Commission and is consistent with a resolution issued by the FTC in 2021 to focus its enforcement efforts over the next 10 years on eight core priority areas, including harmful conduct directed at children under 18. 

See last week’s A Little Privacy Please for more context behind the vote to prioritize COPPA enforcement

Bedoya Sworn in as FTC Commissioner

Alvaro Bedoya was officially sworn in May 16 as an FTC Commissioner, after receiving a 51-50 vote from the U.S. Senate in early May.


Bedoya’s addition gives the FTC a democratic majority, which may propel the FTC to move forward in certain areas, such as rulemaking. 

The FTC in December 2021 announced in a public filing that the commission was considering initiating a rulemaking regarding commercial surveillance, privacy abuses and algorithmic decision-making, on which we have not yet seen momentum.

When asked about rule making authority in his nomination hearing, Bedoya clarified that he thought it preferable for Congress to pass a law, rather than the FTC opening a rule making for privacy. However, considering the apparent lack of a consensus in Congress on privacy legislation, the FTC may consider a rulemaking to be the most efficient path forward to address privacy at the federal level. 


The French Data Protection Authority (CNIL) published criteria to assess the legality of websites conditioning access to a service on the acceptance of cookies or other tracers on the user’s terminal device, otherwise known as a “cookie wall”.

Specifically, the CNIL’s legality assessment considers whether a fair alternative to access the content is available, whether any payment required for users to refuse cookies is a “reasonable price”, whether the cookie wall is limited to the purposes that allow for fair remuneration, and whether the selection of the paid alternative results in appropriate limitation of unnecessary tracers.


The GDPR requires that consent under the law be “freely given” and an “unambiguous indication of the data subject’s wishes” and instructs that “Consent is presumed not to be freely given…if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”

However, it does not specify the extent to which remuneration can be requested as an alternative to consent.

The Court of Justice of the European Union has opined that a “tracking wall” with no alternatives to consent is prohibited, but it also has not taken an express position on how and to what extent pay-walls fit within the requirements of GDPR or the ePrivacy Directive.

Until such guidance is issued, companies must rely on the guidance of their local DPAs to assess the legality of paywalls.

For companies in France, this guidance provides clarity that “reasonable” pay walls are permitted.    

Google Fined for Sharing Deletion Requests Without Valid Basis

Spain’s Data Protection Authority (the AEPD) sanctioned Google 10 million euros for sending user content removal requests, including associated identifying information, to the Lumen Project, a third party database that collects, analyzes and publishes online content removal requests in order to study, facilitate and educate the public about such requests.

The AEPD alleged that Google did so without a valid legal basis. In addition to the fine, Google was required to correct its violations and delete all personal data communicated to the Lumen Project. 


Google had relied on legitimate interest as a valid legal basis for this data sharing, since its purpose was to provide transparency to the public of content removal requests for fraud prevention. The AEPD rejected such defense, however, based on findings that it was unnecessary to communicate personal data to achieve the purpose, that the processing was not expected, and that the request form did not allow for opposition. 


Google Updates Android Privacy Sandbox Timeline

Google released an updated timeline for developer preview releases as it designs, builds and tests new solutions for the Privacy Sandbox on Android.

The first developer preview, providing a look at SDK Runtime and Topics APIs, was released in late April, and per the timeline, developer previews will be released in May and June 2022 for FLEDGE and Attribution Reporting APIs, as well as updates to the SDK Runtime and Topics APIs, which will continue to receive updates in July 2022 onwards.

A Beta release of the Privacy Sandbox for Android is expected to be available on consumer mobile devices by the end of 2022. 


Privacy Sandbox for Android got a late start, having just been announced in February 2022, compared to Privacy Sandbox for Chrome, which Google started rolling out in early 2021. Privacy Sandbox for Chrome has had some setbacks due to scrutiny from regulators.

Google announced in April 2022 origin trials for Privacy Sandbox Topics, FLEDGE and Attribution Reporting APIs for a limited number of Chrome Beta users.  

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Revised Version of APRA Advances Out of U.S. House Subcommittee

May 28, 2024

New Version of the American Privacy Rights Act of...

Exciting New Diagnose Features: New Filters and More Vendor Details

May 21, 2024

New features to help you with your vendor governance,...

Minnesota Sends Comprehensive Privacy Law to Governor

May 20, 2024

Minnesota Sends Privacy Law to Governor. One day before the...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]