What is parental consent?
Privacy laws and/or regulations often require that parents (or legal guardians) consent to or are notified prior to their child's personally identifiable information (PII) being disclosed to a third party.
In the field of edtech, this means that teachers and schools must have proven parental consent before students provide any personal information to third parties, like Edpuzzle.
The fact that teachers cannot invite students to their Edpuzzle classrooms without confirming parental consent, combined with the impossibility of creating a student account without a unique class code or link, ensures that Edpuzzle does not collect any data it should not be allowed to collect.
When is it necessary to obtain parental consent?
As a general rule, parental consent may apply to different age ranges depending on state or regional law.
In the United States, student privacy is primarily governed by two federal laws: the Federal Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA).
- FERPA generally prohibits schools from disclosing personally identifiable information from a student's education records to a third party without written consent from the parent (or the student if over age 18). At the same time, however, FERPA allows for exceptions under which student PII may be shared without consent. One of these exceptions is the "school official exception," under which schools may share student PII with designated school officials with a legitimate educational interest. Third parties may be considered school officials if they are performing a service for which the school would otherwise use employees. Schools define who constitutes a school official with a legitimate educational interest in their annual notification of rights under FERPA.
- COPPA protects children under the age of 13 who use commercial websites, online games and mobile apps. While schools have an obligation to make sure the services their students use treat the data they collect responsibly, COPPA ultimately places the responsibility on the online service operator. At the same time, COPPA generally does not apply when a school has hired a website operator to collect information from students for educational purposes for use by the school. In those instances, the school (not an individual teacher) can provide consent on behalf of the students when required, as long as the data is used only for educational purposes.
In the European Union, the General Data Protection Regulation (GDPR) states that the processing of a child's PII is only lawful when the child is at least 16 years old, although it allows for Member States to lower the age provided that it is not below age 13. Currently, the age limits are the following:
- Croatia, Germany, Hungary, Ireland, Italy, Lithuania, Luxembourg, Malta, The Netherlands, Romania and Slovakia: minors under 16.
- France, Czech Republic, Greece and Slovenia: minors under 15.
- Austria, Bulgaria, Cyprus and Spain: minors under 14.
- Belgium, Denmark, Estonia, Finland, Latvia, Poland, Portugal, Sweden and the UK: minors under 13.
According to the GDPR, schools are considered data controllers and are responsible for ensuring that student data is processed accordingly. In other words, schools from the EU must obtain parental consent prior to disclosing PII to any third-party service provider from children under the age limit determined by each Member State’s law.
In Canada, according to the Personal Information Protection and Electronic Documents Act (PIPEDA), consent is valid only if it is reasonable to expect that the student whose personal information is collected would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting. The Office of the Privacy Commissioner of Canada (OPC) has taken the position that, in all but exceptional circumstances, this means anyone over the age of 13. In other words, disclosure of PII of children under age 13 must be previously authorized by the children's parents or legal guardian.
Where do I get it from?
Contacting your IT admin – or anyone at your school responsible for data protection – should be the very first step. If you are not part of a school or in the unlikely event that your school will not take care of parental consent, you should request it for EVERY student that you invite to Edpuzzle.
What if I don't need parental consent or am exempt from obtaining it?
If you are not planning to use Edpuzzle with students in the above-mentioned age ranges, parental consent is not required in your case, or any legal exemption applies to the obtainment of parental consent, you can simply select the "No, it’s not required by my local laws" option when asked if you have parental consent.
Have more questions? Contact firstname.lastname@example.org.