JTIP Blog

Introduction

The COVID-19 pandemic has accelerated the introduction of online learning platforms to elementary and secondary schools across the United States. In many ways, online learning—via Zoom, for example–has presented younger students the opportunity to continue their education during a time when they’re not able to be physically present in a classroom, but online learning has also presented privacy concerns to these students that school districts and parents must grapple with. Virtual education has historically not been offered to younger students, meaning that this is new territory for school districts and parents alike. This post will focus on one major online learning platform, Zoom, and evaluate how it is complying with federal law in this new era of online learning.

Statutory Discussion

This discussion implicates two federal privacy laws. The first is the Children’s Online Privacy Act (“COPPA,” 15 U.S.C. §§ 6501-6505), which was passed in 1998 to “prohibit[] unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the internet.” Among other things, COPPA requires operators of web sites or online services directed at children 

• to provide notice on their web sites of the information it collects from children, how it uses the information, and its disclosure practices;

• to obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children;

• to provide a reasonable means for parents to review the personal information collected from their children and to refuse to permit its further use or maintenance; and,

• to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

The second implicated law is the Family Educational and Privacy Rights Act (“FERPA,” 20 U.S.C. § 1232g), which gives parents of children under the age of 18 control over their children’s education records. The act defines these records as records, files, documents, and other materials that contain personally identifiable information (“PII”) about a student and that are maintained by an education agency or institution or by a person acting for such agency or institution. In most cases, FERPA prohibits schools from sharing these records with third parties without written permission from a student’s parent. 

Given its role as an online learning platform that serves students—including some that are under the age of 13 (the relevant age for COPPA)—in this new era of education, Zoom must comply with both laws. 

Zoom’s Privacy Policy

Before the COVID-19 pandemic forced students to switch to online learning, Zoom was a relatively unknown company. Now, it is a household name, offering its services to 90,000 schools across 20 countries as of April 1, 2020. This sudden increase in users has exposed some underlying privacy issues with Zoom, but over the past several months, the company has made changes to its policies to better comply with the relevant laws. To comply with COPPA and FERPA, Zoom has a privacy policy specifically for users of the Zoom Education service. This privacy policy, Zoom for K-12/Primary and Secondary Schools Privacy Statement (“K-12 Privacy Policy”), declares compliance with COPPA and FERPA by enumerating privacy protections for users of the education service that are distinct from the protections listed in the general privacy policy. 

Zoom’s COPPA Compliance

As for compliance with COPPA, the K-12 Privacy Policy lists the data the company collects from student users, including “customer content” uploaded to the platform, which can contain information such as files shared by users, meeting transcripts, and chat messages. In addition, Zoom automatically collects information concerning student users’ use of Zoom, including “type and frequency of actions taken, number of logs in or meeting entries, date and time, duration, quantity, quality, network connectivity, other platform performance metrics, and feature usage information, including use of video and screen sharing” and “information about a user’s device, network, and internet connection, such as IP address(es), MAC address, other device ID, device type, operating system type and version, type of camera, microphone and speaker, and client version.”

Pursuant to the COPPA requirement that website operators disclose how data collected from students is used, Zoom states that this information is only used to deliver the functionality of the Zoom platform, to operate the business, and as directed by school subscribers. The student data, according to the K-12 Privacy Policy, is not shared with companies, organizations, or individuals outside of Zoom without consent. Furthermore, Zoom does not permit students, including children under the age of 13, to create K-12 accounts. Instead, school subscribers must provide their students with accounts after obtaining the required parental consent. Lastly, Zoom will share the personal information it collects with individuals when directed to do so by school subscribers, thus creating a method for parents to obtain information collected from their children.

Zoom’s FERPA Compliance

Concerning FERPA, Zoom operates as a “school official” and collects and maintains student PII “on behalf of, and at the direction of, the School Subscriber.” In other words, schools are the owners of the information Zoom collects. Zoom places the onus on the school subscriber to determine how personal information is processed and maintained by requiring the school subscriber to decide which features to utilize in a Zoom meeting (i.e., the recording or chat features—both of which may contain PII) and to decide if the information should be saved in the Zoom Cloud. Additionally, the K-12 Privacy Policy states that this information is only accessed by Zoom upon the documented request of a school subscriber, when required by law, or to improve the platform. If parents wish to access these records or have them deleted, which are their rights according to FERPA, they must go through their child’s school. 

Allegations of Noncompliance

Despite asserting compliance with COPPA and FERPA, authorities and school districts have raised concerns in the past several months stating that Zoom is either not complying with these laws or that there are potential security concerns in using the platform. One concern is that Zoom provides a free service which is not subject to the company’s K-12 Privacy Policy. While Zoom’s Privacy Policy claims that the company does not knowingly allow children under the age of 16 to create accounts, the company recently lifted the forty-minute time limit ordinarily placed on its free accounts for K-12 schools that have been closed due to the pandemic. This may encourage schools to utilize the free service, instead of the education service, which will consequently deny students the heightened protections contained in the K-12 Privacy Policy. This fear is not unfounded, because until recently Zoom shared user data that it collected from its free service with third parties, including advertisers. While it is unclear if this data included information collected from minors, if it did, Zoom possibly violated COPPA and FERPA.   

Others have raised questions regarding the security of Zoom’s platform, which is of concern since Zoom stores student data and since COPPA requires website operators that serve children to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity” of the information collected from children. Some instances of security breaches and weaknesses include:

• hackers obtaining and selling 500,000 Zoom passwords; Zoom—for a time—misleadingly reporting that it offers “end-to-end encryption” while in reality only offering “transport encryption”; 

• Zoom leaking personal information, including email addresses and photos, to other users on the platform; 

• Zoom’s iOS App sending data to Facebook; and, finally, 

• trolls hijacking educational sessions and posting hateful messages. 

While none of these instances necessarily equate to a violation of COPPA or FERPA, they raise valid concerns over how secure Zoom is as a platform and whether the company is taking reasonable procedures to protect the information it collects from children. 

Conclusion

In sum, in this new age of education, Zoom has seen a rapid increase in users which has exposed several flaws in the platform’s privacy policies and practices. But regardless of this sudden increase, Zoom has an obligation to comply with COPPA and FERPA and to protect the information it gathers from students. While the company’s privacy policies proclaim compliance with these laws, it is vital that government officials continue to police the platform to ensure that children’s privacy and education records are safeguarded, as required by COPPA and FERPA. 

Steve Komorek is a second-year law student at Northwestern Pritzker School of Law.