Is Pledge-Drive.net COPPA/FERPA Compliant?
Our Pledge-Drive program is COPPA/FERPA compliant. Below we will share reasons why. The following information was taken from http://www.business.ftc.gov/. It addresses COPPA and schools and how that relationship has a bearing on the limited information that Pledge-Drive.net requests about students/players.
We offer comments throughout this text. We have italicized our comments for easy recognition.
FERPA MODEL NOTICE FOR DIRECTORY INFORMATION
Note: Per 34 C.F.R. § 99.37(d), a school or school district may adopt a limited directory information policy. If a school or school district does so, the directory information notice to parents and eligible students must specify the parties who may receive directory information and/or the purposes for which directory information may be disclosed.]
The Family Educational Rights and Privacy Act (FERPA), a Federal law, requires that [School or School District], with certain exceptions, obtain your written consent prior to the disclosure of personally identifiable information from your child’s education records. However, [School or School District] may disclose appropriately designated “directory information” without written consent, unless you have advised the [School or School District] to the contrary in accordance with [School or School District] procedures. The primary purpose of directory information is to allow the [School or School District] to include information from your child’s education records in certain school publications. Examples include:
- A playbill, showing your student’s role in a drama production;
- The annual yearbook;
- Honor roll or other recognition lists;
- Graduation programs; and
- Sports activity sheets, such as for wrestling, showing weight and height of team members.
Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent. Outside organizations include, but are not limited to, companies that manufacture class rings or publish yearbooks. In addition, two federal laws require local educational agencies (LEAs) receiving assistance under the Elementary and Secondary Education Act of 1965, as amended (ESEA) to provide military recruiters, upon request, with the following information – names, addresses and telephone listings – unless parents have advised the LEA that they do not want their student’s information disclosed without their prior written consent. [Note: These laws are Section 9528 of the ESEA (20 U.S.C. § 7908) and 10 U.S.C. § 503(c).]
If you do not want [School or School District] to disclose any or all of the types of information designated below as directory information from your child’s education records without your prior written consent, you must notify the [School or School District] in writing by [insert date]. [School District] has designated the following information as directory information: [Note: an LEA may, but does not have to, include all the information listed below.]
- Student’s name
- Telephone listing
- Electronic mail address
- Date and place of birth
- Major field of study
- Dates of attendance
- Grade level
- Participation in officially recognized activities and sports
- Weight and height of members of athletic teams
- Degrees, honors, and awards received
- The most recent educational agency or institution attended
- Student ID number, user ID, or other unique personal identifier used to communicate in electronic systems but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a PIN, password, or other factor known or possessed only by the authorized user
- A student ID number or other unique personal identifier that is displayed on a student ID badge, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a PIN, password, or other factor known or possessed only by the authorized user.
M. COPPA AND SCHOOLS
1. Can an operator of a Web site or online service rely upon an educational institution to provide consent to the operator’s collection, use or disclosure of personal information from students? COPPA does not preclude schools from acting as intermediaries between operators and parents in the notice and consent process, or from serving as the parent’s agent in the process of collecting personal information online from students in the school context. See 1999 Statement of Basis and Purpose, 64 Fed. Reg. 59888, 59903. Determining whether the school may provide consent on behalf of a parent, or whether the operator can rely on the school for consent, will depend on the nature of the relationship between the online service and the school or child, and the nature of the collection, use, or disclosure of the child’s personal information. See FAQ M.2 below. Whether the operator is working with the school, or obtaining consent directly from parents, it must provide a complete and accurate disclosure regarding what data is collected from children, how it will be used, and with whom it will be shared. The operator may violate the Rule if it fails to disclose its data collection, use, or disclosure practices to the consenting party. In addition, the school also must consider its obligations under the Family Educational Rights and Privacy Act (FERPA), which gives parents certain rights with respect to their children’s education records. FERPA is administered by the U.S. Department of Education. For general information on FERPA, see http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html. Many school systems have implemented Acceptable Use Policies for Internet Use (AUPs) to educate parents and students about in-school Internet use.
Pledge-Drive.net requests very basic information about participants. We ask for first and last name and we ask for a parent’s email address. That information is used to create student take home print materials designed for parental information. We give the school administrator/principal the ability to send emails directly to parents, telling the parents about the pledge-drive event and requesting that they share page with family and friends for their student. NO EMAILS ARE SENT WITHOUT FULL CONTROL OR CONSENT FROM THE SCHOOL ADMINISTRATOR. Any parent can request that their student be removed from the system at any time. The names and email addresses are not used for any other purpose other than for those expressly pertaining to the specific pledge-drive event.
2. Under what circumstances can an operator of a Web site or online service rely upon an educational institution to provide consent? Many school districts contract with third-party Web site operators to offer online programs solely for the benefit of their students and for the school system, for example, homework help lines, individualized education modules, online research and organizational tools, or web-based testing services. Where a school has contracted with an operator to collect personal information from students for the use and benefit of the school, and for no other commercial purpose, the operator is not required to obtain consent directly from parents, and can presume that the school’s authorization for the collection of students’ personal information is based upon the school having obtained the parents’ consent. However, the operator must provide the school with full notice of its collection, use, and disclosure practices, so that the school may make an informed decision. The school may also want to inform parents of these practices in its Acceptable Use Policy. If, however, an operator intends to use or disclose children’s personal information for its own commercial purposes in addition to the provision of services to the school, it will need to obtain parental consent.
Pledge-Drive only uses the limited personal information for one pledge-drive fundraising event which is held for the benefit of the student and school or group holding the event. We do not use any student or parent information for any other commercial purpose.
3. What information should a school seek from an operator before entering into an arrangement that permits the collection, use or disclosure of personal information from students? A school should be careful to understand how an operator will collect, use, and disclose personal information from its students in deciding whether to use these online technologies with students. Among the questions that a school should ask potential operators are:
What types of personal information will the operator collect from students? Pledge-Drive only collects student first name, student last name class designation, and parents email. These items listed fall under FERPA’s definition of Directory Information, which are not generally considered to be harmful or an invasion of privacy. Pledge-Drive does not use student photos, ID, social security, home address, Parent Names, or any other identifiable information protected under FERPA. The ONLY things that can be done on the participant website is share and donate. (No photo sharing, collection of share button emails, texts, or personal messaging. There is ZERO way for a person to contact a child or the parent of a child who happens to be a participant in a pledge-drive fundraiser through the pledge-drive website.)
How does the operator use this personal information?
Pledge-Drive uses the limited personal information collected to build a Pledge-Drive fundraising website on behalf of the school that includes a student page that offers no specific contact information about the student.
Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school? For instance, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service? We do not use any information for any other purpose other than the single pledge-drive event that was created.
Does the operator enable parents to review and have deleted the personal information collected from their children? No personal information is collected other than directory information previously mentiuoned. Parents can opt out for their child at any time by request or unsubscribe.
What are the operator’s data retention and deletion policies for children’s personal information?
We delete all collected information shortly after the completion of each pledge-drive fundraiser.
4. I am an educator and I want students in my school to share information for class projects using a publicly-available online social network that permits children to participate with prior parental consent. Can I register students in lieu of having their parents register them? This question assumes that your school has not entered into an arrangement with the social network for the provision of school-based activities, but rather that you intend to use a service that is more broadly-available to children and possibly other users. The Commission has recognized the school’s ability to act in the stead of parents in order to provide in-school Internet access. However, where the activities and the associated collection or disclosure of children’s personal information will extend beyond school-based activities, the school should carefully consider whether it has effectively notified parents of its intent to allow children to participate in such online activities before giving consent on parents’ behalf.
COPPA was designed to protect children from unscrupulous companies that might take advantage of information entered online. Pledge-Drive requests very limited information that is used for specific and defined purposes. We do not share any personal information for any other commercial purpose. We do not contact children for any purpose other than the specific Pledge-Drive Campaign the child signed up for. Parents can always remove their child from the system. And, finally, data is removed from the system in a timely basis once the Pledge-Drive event has ended.