Google Apps for Education: Users Under 13 Years Old

I got a question the other day, which I had not researched before: what do we have to do for students under 13 years old that we want to give Google Apps accounts to?

I knew that we probably had to get parent permission, but didn’t really have much to back that up. We do restrict email for student accounts to within the domain--students can only send and receive email to and from other students and teachers. This is for further protection, at least for those in the lower grades.

The following is some research I’ve done on the subject. By no means does this take the place of legal counsel, and I haven’t run it past a lawyer, but to the best of my knowledge this is accurate.

Two laws that we have to comply with when it comes to students and online data are COPPA and FERPA.


Google Apps’ website says this about COPPA:
How does use of Google Apps affect compliance with the Child Online Privacy and Protection Act (COPPA)?
Your school assumes the responsibility for complying with COPPA and the information that students submit. Per the GoogleApps Education Edition Agreement, any school administering Google Apps Education Edition acknowledges and agrees that it is solely responsible for compliance with COPPA, including, but not limited to, obtaining parental consent concerning collection of students' personal information used in connection with the provisioning and use of the Services by the Customer and End Users.

So the compliance with COPPA is on us. Which is a little strange, since we already have the students’ information, but not in an online form, so I guess it’s a little different. This led me to the FTC’s website on COPPA for the official rundown on COPPA:
Congress enacted the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501-6508, in 1998. COPPA contains a requirement that the Federal Trade Commission (FTC or Commission) issue and enforce a rule concerning children’s online privacy, which the Commission did in 1999. The Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312, became effective on April 21, 2000.

The primary goal of COPPA and the Rule is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
Operators covered by the Rule must:

  1. Post a clear and comprehensive privacy policy on their website describing their information practices for children’s personal information;

  2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;

  3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties;

  4. Provide parents access to their child’s personal information to review and/or have the information deleted;

  5. Give parents the opportunity to prevent further use or online collection of a child’s personal information;

  6. Maintain the confidentiality, security, and integrity of information they collect from children.

In addition, the Rule prohibits operators from conditioning a child’s participation in an online activity on the child’s providing more information than is reasonably necessary to participate in that activity


In the Google Apps Terms that we agreed to when joining Google Apps for Education, there’s a little blurb about FERPA:
5.4 FERPA The parties acknowledge that (a) Customer Data may include personally identifiable information from education records that are subject to FERPA (“FERPA Records”); and (b) to the extent that Customer Data includes FERPA Records,Google will be considered a “School Official” (as that term is used in FERPA and its implementing regulations) and will comply with FERPA.


What I gather from all that is that Google is not expected to comply with COPPA, we are. COPPA more has to do with the collection of information of students for online services...which means that we just have to get the parent's ok to 'gather' their child’s information for online services IF the student is under 13, and to do so in a verifiable form. It seems funny that we need permission for that, since we already have their information, but I guess it makes sense since their information is not in use in 'online services' currently.
If the 6 points are followed, as stated on the FTC's website, to gain parent permission and provide for ways for them to later “renege” on that for those under 13, then the school district should be covered. With those students that are older, a district might be fine without parent permission, but I would venture a guess that it might be a good practice to have that at the least communicated to the parents, but that's another subject. FERPA is mainly handled on Google's end as I understand it from their terms of service, so we don't have to worry about that part of it.

Again, I’m not a lawyer, and I haven’t run this by one, but this is what I found and seems to be the general consensus from the education community as far as I know.


Popular posts from this blog

Quizzes and Google Forms--It Just Keeps Getting Better

Setup Ubuntu Server as a Simple Router

How I Work - FREEPing