If you hadn’t noticed, the U.S. doesn’t give much of a shit about this whole privacy thing. Our privacy regulators are comically and intentionally understaffed and underfunded, we still have no meaningful privacy law for the Internet era, and when regulators do act, it’s generally months after the fact with penalties that are easily laughed off by companies rich from data over-collection.
That apathy extends to kids’ privacy, of course. For years, online education software vendors have engaged in just an absurd level of data over-collection and monetization, with massive data repositories culled via everything from facial recognition to keystroke tracking and deep packet inspection.
During COVID, it became increasingly clear that many of these companies were blocking students from participating in online education if they weren’t willing to agree to extensive monitoring and monetization. In direct response, the FTC last week announced the agency had issued a new policy statement reminding these companies that COPPA still exists.
In short, the FTC warned educators and companies about collecting more data than they need, implementing some basic levels of privacy and security standards (half a million Chicago area student records were leaked due to ransomware attack recently), selling data they collect, and restricting privacy conscious student and parent access to educational software:
“Students must be able to do their schoolwork without surveillance by companies looking to harvest their data to pad their bottom line,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Parents should not have to choose between their children’s privacy and their participation in the digital classroom. The FTC will be closely monitoring this market to ensure that parents are not being forced to surrender to surveillance for their kids’ technology to turn on.”
Unlike the broader dumpster fire that is adult data collection and monetization on the Internet, kids are at least semi-protected by the sloppy mess that is COPPA, a law that was intended to protect kids’ privacy, but was so poorly written as to create all manner of unintended consequences.
The FTC policy statement notes that edu-software companies that fail to adhere to the COPPA Rule may face potential civil penalties, “and new requirements and limitations on their business practices aimed at stopping unlawful conduct.”
The problem of course is that the FTC is tasked with everything from policing accuracy in bleach labeling to protecting folks from scams. But the U.S. is an absolute scam-infested mess, and we (and by we I mean industry lobbyists who want government to be a toothless subsidy machine) have consistently ensured the FTC lacks the staff, resources, or authority to actually do its job on privacy or much of anything else.
So when it does act (which generally involves slam dunk cases and the lowest hanging fruit) the punishment can be laughed off as a minor cost of doing business. And that’s assuming litigation doesn’t wind up eliminating the fine altogether later on when the press and public aren’t paying attention.
That said it’s clear that the current FTC is actually taking this stuff seriously, which is an improvement from outright apathy of years’ past. The DOJ and FTC recently not only hit Weight Watchers with a $1.5 million fine for “illegally harvesting” personal health information of children, they required the company delete the data collected, and scrap the technology used to collect it.