The ABC’s Of Privacy Law: New Lawsuit Provides Glimpse Of Privacy Issues For “E-Learning” In Schools Under COPPA, BIPA And SOPPA

One bright spot in recent events has been to see our kids stay focused as students and to see teachers continue their great work while bunkered down from their homes. Nevertheless, it may be worthwhile to pause to think about the technology that makes this all possible. One lawsuit recently filed in California sheds light on the privacy issues created when students, schools and teachers become increasingly reliant on “e-learning” and the technology that supports it.

On April 2, 2020, a class-action lawsuit was filed in the District Court for the Northern District of California entitled H.K. and J.C., through their legal guardian Clinton Farwell v. Google, LLC, 20-CV-2257 NC (N.D. Cal. 2020) which brings issues related to data gathered from students during e-learning front and center. Allegations that “Google has infiltrated the primary and secondary school system in this country by providing access to its ‘Chromebook’ laptops, which come pre-installed with its ‘G-Suite for Education’ platform…to over half of the nation’s schoolchildren, including those in Illinois, most of whom are under the age of 13” form the basis of this Class Action Complaint. (See Complaint at ¶ 6). In general, the minor plaintiffs in H.K. claim “[t]hese Google-manufactured and provided laptops come equipped with Google’s ‘G Suite for Education’ platform, which requires the children using it to speak into a microphone on the laptop that records their voices and look into a camera on the laptop that scans their faces.”(See Complaint at ¶ 46).

In providing the factual background for their claims, the minor plaintiffs in H.K. assert “Google provides its ‘Chromebook’ laptops to grade schools, elementary schools and high schools nationwide, who in turn make these computing devices available for use by children who attend their schools.” (See Complaint at ¶ 33). The Complaint alleges that Google collects the following student information through this program:

• The student’s physical location;
• The websites visited by each student;
• Every search term used by the student in Google’s search engines;
• Every video watched by the student on the device;
• The student’s personal contact lists;
• Voice recordings;
• Saved passwords; and
• “Other behavior information.”

The Complaint in H.K. has allegations that Google collects students’ “voiceprints” and face images. (See Complaint at ¶ 38). Next, the Complaint asserts “Google uses the voiceprints and face templates it collects to, inter alia, identify and track the children who its Chromebook laptops and the “G Suite for Education” platform that comes installed on them.”  (See Complaint at ¶ 38). Further, the minor plaintiffs allege “[t]he unique voiceprints and face templates that Google has collected from children in Illinois and across the country are not only used by Google to identify children by name, they are also used by Google to recognize…gender, age and location.” (See Complaint at ¶ 40).

As for the specific allegations by the minor plaintiffs in H.K., the Complaint alleges that H.K and J.C. were Illinois residents, under the age of 13 years old, when they used Google’s G Suite for Education platform in their elementary school located in Bushnell, Illinois. (See Complaint at ¶ 10). Further, the Complaint alleges that neither minor “was asked for verifiable or written parental consent authorizing Google extraction, collection, storage and use of their personal and uniquely identifying ‘biometric identifiers’ or ‘biometric information’…”

Based on these allegations, the plaintiffs in H.K. claim Google violated the Illinois Biometric Information Protection Act (“BIPA”) and the federal Children’s Online Privacy Protection Act (“COPPA”) in the following manner:

• The Complaint in K. states that Illinois enacted BIPA in 2008 to protect Illinois’ citizens’ biometric data which prohibits the collection or use of this information without providing notice to the individual and places a number of requirements on data collectors. (See Complaint at ¶ 17). The plaintiffs claim Google violated BIPA with its “practices of collecting, storing and using biometric identifiers and information from school children in Illinois without the requisite informed written consent…” (See Complaint at ¶ 19). Simply, plaintiffs in H.K. claim Google collected this information without obtaining parental consent. (See Complaint at ¶ 41). Based on these allegations the minor plaintiffs claim Google violated BIPA in their first cause of action.

Here, we may see Google argue that it is not subject to BIPA as a manufacturer of Chromebooks. BIPA lawsuits against the manufacturers of biometric equipment have not seen much success. As seen in the recent case Bray v. Lathem Time Co. 19-cv-3157 (C.D. Ill. March 27, 2020), in addition to suing his former employer, Bray sued Lathem, the company that designed and sold biometric-based timekeeping systems to employers to track time worked by hourly employees. “Lathem claims BIPA was not designed to apply to third-party technology vendors like itself. Although BIPA may give Bray a cause of action against his employer, Hixson—which he is pursuing in a separate action in state court—it does not give him a claim against Lathem.” Consequently, the District Court’s reasoning in Bray makes it more difficult to sue manufacturers of the equipment that collects biometric data.

• The Complaint in K. states that the federal government enacted COPPA in 1999 after “recognizing the vulnerability of children in the Internet age.” (See Complaint at ¶ 20).  “Under COPPA, developers of child-focused applications like Google’s ‘G Suite for Education’ service cannot lawfully obtain the personally identifiable information of children under 13 years of age without first obtaining verifiable consent from their parents.”

Privacy issues related to “e-learning” are developing at a rapid pace.  For example, on April 9, 2020, the Federal Trade Commission took a position that undercuts the plaintiffs’ assertions in H.K. that Google violated COPPA. In her blog post on the FTC’s website, Lisa Weintraub Schifferle wrote it was the FTC’s position that schools can consent to the collection of information for educational purposes:

If your child’s school is providing remote learning: Under COPPA, schools can consent on behalf of parents to the collection of student personal information by educational technology services. If your school has consented, then the service may only use that information for educational – not commercial – purposes. If you have questions about a service’s privacy and security practices, first review its online privacy notice. If you still have questions, consider asking your school. Remember, please, to be patient with your child’s school, as many schools are working hard to implement distance learning and may not be able to respond quickly. If you’d like to learn more, check out the U.S. Department of Education’s Student Privacy Policy Office’s new guidance on the Family Educational Rights and Privacy Act (FERPA) – “FERPA and Virtual Learning.”

Schools and educational technology companies can expect these privacy issues to become more prevalent once “brick and mortar” schools reopen. Further, in addition to seismic changes in this technology, schools will also need to monitor changes in the law. For example, the Illinois legislature’s recent amendments to the Illinois Student Online Personal Protection Act (“SOPPA”) by setting forth an extensive list of requirements that schools must implement by July 1, 2021.