Children’s Privacy in the Zoom Classroom
The COVID-19 pandemic has accelerated the introduction of online learning platforms to elementary and secondary schools across the United States. In many ways, online learning—via Zoom, for example–has presented younger students the opportunity to continue their education during a time when they’re not able to be physically present in a classroom, but online learning has also presented privacy concerns to these students that school districts and parents must grapple with. Virtual education has historically not been offered to younger students, meaning that this is new territory for school districts and parents alike. This post will focus on one major online learning platform, Zoom, and evaluate how it is complying with federal law in this new era of online learning.
This discussion implicates two federal privacy laws. The first is the Children’s Online Privacy Act (“COPPA,” 15 U.S.C. §§ 6501-6505), which was passed in 1998 to “prohibit unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the internet.” Among other things, COPPA requires operators of web sites or online services directed at children
• to provide notice on their web sites of the information it collects from children, how it uses the information, and its disclosure practices;
• to obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children;
• to provide a reasonable means for parents to review the personal information collected from their children and to refuse to permit its further use or maintenance; and,
• to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
The second implicated law is the Family Educational and Privacy Rights Act (“FERPA,” 20 U.S.C. § 1232g), which gives parents of children under the age of 18 control over their children’s education records. The act defines these records as records, files, documents, and other materials that contain personally identifiable information (“PII”) about a student and that are maintained by an education agency or institution or by a person acting for such agency or institution. In most cases, FERPA prohibits schools from sharing these records with third parties without written permission from a student’s parent.
Given its role as an online learning platform that serves students—including some that are under the age of 13 (the relevant age for COPPA)—in this new era of education, Zoom must comply with both laws.
Zoom’s COPPA Compliance
Zoom’s FERPA Compliance
Allegations of Noncompliance
Others have raised questions regarding the security of Zoom’s platform, which is of concern since Zoom stores student data and since COPPA requires website operators that serve children to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity” of the information collected from children. Some instances of security breaches and weaknesses include:
• Zoom leaking personal information, including email addresses and photos, to other users on the platform;
• Zoom’s iOS App sending data to Facebook; and, finally,
• trolls hijacking educational sessions and posting hateful messages.
While none of these instances necessarily equate to a violation of COPPA or FERPA, they raise valid concerns over how secure Zoom is as a platform and whether the company is taking reasonable procedures to protect the information it collects from children.
In sum, in this new age of education, Zoom has seen a rapid increase in users which has exposed several flaws in the platform’s privacy policies and practices. But regardless of this sudden increase, Zoom has an obligation to comply with COPPA and FERPA and to protect the information it gathers from students. While the company’s privacy policies proclaim compliance with these laws, it is vital that government officials continue to police the platform to ensure that children’s privacy and education records are safeguarded, as required by COPPA and FERPA.
Steve Komorek is a second-year law student at Northwestern Pritzker School of Law.