Is Read-a-thon COPPA Compliant?Our Read-a-thon program is COPPA compliant. Below we will share reasons why. The following information was taken from http://www.business.ftc.gov/. It addresses COPPA and schools and how that relationship has a bearing on the limited information that Read-a-thon requests about readers.
We offer comments throughout this text. We have italicized our comments for easy recognition.
M. COPPA AND SCHOOLS
1. Can an operator of a Web site or online service rely upon an educational institution to provide consent to the operator’s collection, use or disclosure of personal information from students? COPPA does not preclude schools from acting as intermediaries between operators and parents in the notice and consent process, or from serving as the parent’s agent in the process of collecting personal information online from students in the school context. See 1999 Statement of Basis and Purpose, 64 Fed. Reg. 59888, 59903.
Determining whether the school may provide consent on behalf of a parent, or whether the operator can rely on the school for consent, will depend on the nature of the relationship between the online service and the school or child, and the nature of the collection, use, or disclosure of the child’s personal information. See FAQ M.2 below. Whether the operator is working with the school, or obtaining consent directly from parents, it must provide a complete and accurate disclosure regarding what data is collected from children, how it will be used, and with whom it will be shared. The operator may violate the Rule if it fails to disclose its data collection, use, or disclosure practices to the consenting party. In addition, the school also must consider its obligations under the Family Educational Rights and Privacy Act (FERPA), which gives parents certain rights with respect to their children's education records. FERPA is administered by the U.S. Department of Education. For general information on FERPA, see http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html. Many school systems have implemented Acceptable Use Policies for Internet Use (AUPs) to educate parents and students about in-school Internet use.
Read-a-thon requests very basic information about readers. We ask for first and last name and we ask for a parent's email address. That information is used to create reader take home sheets designed for parental approval. Parental signatures are requested at the bottom of the take home sheet. We will also send one email telling the parent about the read-a-thon and requesting that they build a personal read-a-thon page for their reader. Any parent can request that their reader be removed from the system at any time. The names and email addresses are not used for any other purpose other than for those expressly pertaining to the specific read-a-thon event.
2. Under what circumstances can an operator of a Web site or online service rely upon an educational institution to provide consent? Many school districts contract with third-party Web site operators to offer online programs solely for the benefit of their students and for the school system, for example, homework help lines, individualized education modules, online research and organizational tools, or web-based testing services.
Where a school has contracted with an operator to collect personal information from students for the use and benefit of the school, and for no other commercial purpose, the operator is not required to obtain consent directly from parents, and can presume that the school’s authorization for the collection of students’ personal information is based upon the school having obtained the parents’ consent. However, the operator must provide the school with full notice of its collection, use, and disclosure practices, so that the school may make an informed decision. The school may also want to inform parents of these practices in its Acceptable Use Policy.
If, however, an operator intends to use or disclose children’s personal information for its own commercial purposes in addition to the provision of services to the school, it will need to obtain parental consent.
Read-a-thon only uses the limited personal information for one read-a-thon fundraising event which is held for the benefit of the reader and school or group holding the read-a-thon. We do not use any reader information for any other commerial purpose.
3. What information should a school seek from an operator before entering into an arrangement that permits the collection, use or disclosure of personal information from students? A school should be careful to understand how an operator will collect, use, and disclose personal information from its students in deciding whether to use these online technologies with students. Among the questions that a school should ask potential operators are:
What types of personal information will the operator collect from students? Read-a-thon only collects reader first name, reader last name and parents email. Parents can opt to upload a personal photo or they can use one of our stock photos.
How does the operator use this personal information? Read-a-thon uses the limited personal information collected to build a read-a-thon fundraising website on behalf of the school or school that includes a reader page that offers no specific contact information about the reader.
Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school? For instance, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service? We do not use any information for any other purpose other than the single read-a-thon event that was created.
Does the operator enable parents to review and have deleted the personal information collected from their children? Yes
What are the operator’s data retention and deletion policies for children’s personal information? We delete all reader personal information shortly after the completion of each read-a-thon fundraiser.
COPPA was designed to protect children from unscrupulous companies that might take advantage of information entered online. Read-a-thon re quests very limited information that is used for specific and defined purposes. We do not share any personal information for any other commercial purpose. We do not contact children for any purpose other than the specific read-a-thon the child signed up for. Parents can always remove their child from the system. And, finally, data is removed from the system in a timely basis once the read-a-thon event has ended.