Google Docs Does Not Violate CIPA (or COPPA*)

The following is an email I’ve found myself writing more and more often. This is the longest version (and the latest one I’ve sent off). I’ve decided to share my take on the situation here on this blog for three reasons. First, I hope I can point people here instead of writing more emails. Second, I hope this might benefit people who might never email me (such as people searching the web for this topic). And third, I hope those of you familiar with such things (either legal experts or educators who are fighting this fight – on either side) will provide feedback in the comments.

The most important thing is to understand this: not having control over documents doesn’t constitute a violation of CIPA. Not having control over an online document doesn’t make Google Docs a violation of CIPA any more than not having control over a pen and paper makes spiral bound notebooks a violation of CIPA.It’s actually more or less irrelevant to the law.

CIPA does require that school districts filter the internet to protect students from content that is “harmful to minors” (and the primary concern is porn). The key is that schools need to show due dilligence in blocking sites they know are “harmful.” There is no expectation that schools will block “anything that could possiblly or potentially be inappropriate.”

CIPA (and the related FCC regulations) do require that there is a process in place for adults to unblock legitimately educational sites… and one of the only reasons that CIPA has not been struck down in the courts is due to the ease of unblocking a site using filtering software. Ideally, teachers will have access to an individual password for bypassing a school web filter. However, many school districts make this process anything but easy – and in many cases it is effectively unavailable to teachers. This is a legal problem (and in terms IT would understand, I believe this is a liability). You’d be well within your rights to request (and expect) Google Docs to be unblocked.

But… remember that COPPA forbids Google from collecting profile information for users under 14 years old. So younger students should not be using any Google tool, including Google Docs, that requires them to log in with a Google Account. This is because Google has no mechanism for collecting “verifiable parent consent” for student profile information. However, school districts excell at collecting “verifiable parent consent” – we call this permission slips. So, if you set up Google Apps: Education Edition, collect parent consent for students to use it, and control the student accounts yourselves, you’re in good shape with respect to COPPA. (For students 14 and over, you’re legally fine having them use Google Docs – and despite the fact that Google’s terms of service say users need to be of legal age to enter into a contract, which i 18 in California, Google does encourage the use of their products with students aged 14-18.)

Regarding some of the other concerns in the thread below… much of it is off topic or irrelevant to the issue of using Google tools (such as Docs) in the classroom. Here is my brief response to a few other concerns:

  • We’re not talking about outsourcing HR, we’re talking about instructional use.
  • Google is explicit about the intellectual property still belonging to the user. (And their privacy policies and practices are very strong.)
  • We’re not talking about sharing confidential student information, we’re talking about instructional use.
  • With respect to archiving documents for public disclosure: Use of Google Docs for teaching and learning is no different than using spiral bound notebooks, photocopied assignments, or ordinary blackboards. In fact, I’d say the online documents are generally better archived than anything a district can ordinarily pull off in the classroom… particularly with the history of revisions. In any case, if districts are not concerned about “archiving” handwritten student essays on paper, I don’t see why Google Docs would be any different. We’re talking about instruction here, not district business. It’s important to remember the difference.

Again, I hope this has been helpful – and I hope you’ll leave me feedback in the comments below.

22 Responses to “Google Docs Does Not Violate CIPA (or COPPA*)”

  1. Chris Johnson Says:

    Interesting commentary. It got me thinking about this common problem from a more legal viewpoint.

    It frustrates me to no end how many valid educational resources are blocked by my district. I have submitted several requests to unblock legitimate sites and block inappropriate websites. Unfortunately most requests are ignored–good educational resources remain untouchable and other potentially harmful influences remain available for viewing.

    If I am not mistaken, this complaint is shared by many of my forward-thinking colleagues across the nation. I fairly frequently read lamentations about Youtube being blocked. (I’m tired of alternatives–I shouldn’t need alternatives!)

    Maybe I should try voicing my concerns from a different angle that they would be more receptive to (i.e. the legal angle). It seems that many administrators are so afraid of legal proceedings that they lose sight of why schools exist–to educate young people as best we can. What good is it if we keep our schools open and litigation-proof (purportedly) but fail to do our job as well as we could?

  2. Michael Morrison Says:

    I have actually wrestled with the issues stated here for about a year. We have now created a domain that is just docs. No email.. no chat. Just docs and the docs at this point will just be internal. AUP’s will be signed explaining the issues involved with docs. http://www.SaddleDocs.com will be an extension of the classroom for collaboration. It answers key logistical questions about how do i truly go paperless? How can we reduce Microsoft Licensing costs with declining budgets?

    We are also controlling the students username and password. So any teacher at anytime can login as a student.

    I don’t think it is without risk because like anything this technology could be used in a variety of inappropriate ways. My sense is I’ve finally gotten past my fear of the risk by taking all appropriate measures to insure that the experience is educational sound. If we find inappropriate behavior it will be dealt with as a discipline issue.

    As far as CIPA… let’s look at the language.

    http://www.fcc.gov/cgb/consumerfacts/cipa.html

    The only thing in question would be do we “enforce a policy to monitor online activities” Our policy will be that all student created material will be open to all teachers to monitor (we give the teachers the student login). This is the same policy we have of the student home directory at the school. We have firewalls and filters that will block inappropriate activity on the internet… so how if we have those OVERARCHING policies would a student place inappropriate material in googledocs? There are many ways but all of these would be in violation of our AUP and our policy. Monitoring is not full proof. I believe if we have detailed abilities to protect our students with firewalls, filters and spot monitoring based on questionable behavior that should be sufficient for erate purposes and for CIPA.

  3. Tim Lauer Says:

    Great post. Thanks for sharing this. Do you have any examples of permission forms for use of Google Apps for Education?

  4. kyle Says:

    Mark:

    One of the things I have been advocating to schools and districts is that they get a CIPA compliant filter, but this shouldn’t be something that they pay a ton of money for. It is good money after bad, since any filtering is going to filter some appropriate content. The better tactic is to educate and teach students appropriate use and Digital Citizenship.

    The level of fear has permeated so many school districts that the administration listens to an IT department that says we can block it all! This gives administrators a false sense of security. Which in the long run isn’t true, since every tech savvy kid will have some way to work around a district filtering mechanism. Filtering as a way to absolutely keep inappropriate content away from kids is a fantasy.

    (This is one of the reasons I became an administrator!)

    This analogy will work for some and not for others, but I do think it is applicable as we move forward.

    Think about how schools dealt with Sex Ed…. There was a debate for years whether schools should or should not teach sex ed in schools. In the 1970′s when I was going through Jr. High and High School, the debate was that if we teach kids about sex, they will be having more sex. The truth was that eventually people came to the realization that kids were having sex and there wasn’t much the adults could do about it. So, the emphasis became how to best teach kids how to be responsible and protect their health. There was also curriculum that centered around abstinence as well.

    See any parallels here?

    Students when they are outside of the school and sometimes inside the school, will engage in risky and inappropriate behavior when using digital tools. There isn’t much that schools can do about it when a student can have an iPhone or a Blackberry Storm and watch ANY YouTube video or access any web page with their friends at lunch. So, shouldn’t we have curriculum that teaches students how to be responsible users of the digital content they have access to? The tide is starting to turn towards a ‘yes’ answer to that question, but the problem then becomes is that there aren’t enough enlightened educators in each school to take on this task. So, as we move forward, we need to have a two-pronged approach. One to teach the kids ethical and appropriate behavior and the other to teach educators how to handle the issues that they will be confronted with.

    Just another way of bringing water to the desert!

    KB-

    Thin

  5. Karl Fisch Says:

    I’m wondering if you have any thoughts regarding Google Docs/Apps for Edu and FERPA? Some folks are worried about two things:

    1. That we could be in violation of FERPA, as we are “giving” student info to Google.

    2. That if there is any grade information that is shared via Google Apps (say, teacher feedback online on a Google Doc, as an example), that that may be a violation of FERPA as well.

    I don’t know nearly enough, but since you’ve obviously thought about this some, I would love to hear your take.

  6. Daily Bookmarks 04/04/2009 « Experiencing E-Learning Says:

    [...] Educational Technology and Life » Blog Archive » Google Docs Does Not Violate CIPA (or COPPA*) [...]

  7. David Says:

    Karl,

    FERPA is not applicable to the Google Docs question as the law refers to student records, these are records that are legally required and retained by a school or district which must be made available to parents upon request. As a student’s Google Docs account would be deleted should they leave the school (as opposed to being forwarded to the new school as Student Records are) they are not a part of the student’s record. Again, FERPA addresses the ‘folder’ that follows a child throughout their educational career. Google Docs is like the spiral bound notebook that is discarded once the assignments are graded and returned.

    At least that’s my take on it.

    David

  8. Harold Olejarz Says:

    “But… remember that COPPA forbids Google from collecting profile information for users under 14 years old. ” Mark Wagner

    “We have now created a domain that is just docs. No email.. no chat. Just docs and the docs at this point will just be internal.” Michael Morrison

    As Michael states above we too have created a domain that is just docs with no chat and no email. The docs are only internal and cannot be shared with anyone outside of our domain. Since I uploaded students names and we used their id number as their password Google is not collecting any profile information from students under 13. In some respects we are using Google Apps/Docs as an internal file storage system for students and teachers.

    Since the files are stored on Google’s servers as opposed to our servers do we need parental permission for students under 13? If the files were stored on our servers we would not need parental permission. Is there much of a difference? The only difference I can see is that we are giving Google the names of our students.

  9. Shared Items From Google Reader - April 5, 2009 « timlauer.org Says:

    [...] Educational Technology and Life » Blog Archive » Google Docs Does Not Violate CIPA (or COPPA*) [...]

  10. BrianCrosby Says:

    Great info here Mark as I too have wrestled with this and even had the Google Doc blog request us to write on THEIR BLOG about how our FIFTH GRADERS used Google Docs on an award winning project even though they were clearly NOT 14 years old: (http://googledocs.blogspot.com/2008/05/making-across-country-feel-like-across.html)

    I think the key was that students were using our teacher logins to gain access and no student info was released … in fact the “working copy” of their work was never made public (except to members of each others classrooms that were working together) but only the students’ finished work, which I believe actually is even more discreet than we HAD to be.

    Thanks again for this great clarification and I hope too that comments that will clarify this dilemma further will continue to be made.
    Brian

  11. Richard Says:

    Thanks for this, Mark: it summarizes most of the situation quite nicely.

    Unfortunately, the question of individual Google accounts for users age 14 to 18–the key age range in which Google’s services become very useful for many teachers–still hasn’t been definitively (and contractually) addressed by anyone I’ve spoken with at Google. You state that “despite the fact that Google’s terms of service say users need to be of legal age to enter into a contract, which is 18 in California, Google does encourage the use of their products with students aged 14-18,” and this is absolutely true. From the Terms of Service:

    “2.3 You may not use the Services and may not accept the Terms if (a) you are not of legal age to form a binding contract with Google…”

    It’s an interesting point that Google encourages users to misrepresent themselves, and a sticking point for parents and teachers who–with good reason, I think–encourage students to be honest.

    Has there been any official word from Google (preferably in the form of an updated TOS, or an announcement anywhere else) regarding this?

  12. Karl Fisch Says:

    @David – While I would like to define “student records” that narrowly, I’m not sure everyone does. Certainly many folks would consider any kind of grade information (say, feedback directly on a Google Doc) as part of the student’s record. And the difference is that that spiral bound notebook is given to the student, then it’s discarded by the student. In this case, we are “giving” the information to Google (a third party that doesn’t have “rights” to that student record under FERPA), and perhaps to everyone if that doc is published.

    Please note that I’m not trying to make the case against Google Apps for Education, as I would really like to have it. But this is one of the issues my district is currently struggling with as they consider adopting it, so I was wondering if other folks who had adopted it had specifically looked at the legal aspects of FERPA and addressed it somewhere.

  13. pirategirl Says:

    Great information, Mark. My school system is locked down like the Kremlin was in its prime.

  14. Check it out! 04/10/2009 | Feed for the Brain Says:

    [...] Educational Technology and Life » Blog Archive » Google Docs Does Not Violate CIPA (or COPPA*) [...]

  15. Julia Hengstler Says:

    Mark, I’m interested in the fact that no one has really picked up on your point that parents/guardians are the legal representatives of underage students and thereby should be able to enter into a legal contract with service providers on behalf of their children for educational purposes under the supervision of a school. Isn’t that also how credit cards make their ways into the hands of minors?
    I’m not a lawyer, but parents/ guardians seem to be in the “power of attorney” category. They sign all types of documents on behalf of the students that allow educators to bring them into areas with physical risks–e.g. field trips off school grounds, taking public transit, participating in school sports competitions, etc. Check out an example of a social learning permission slip that I found online: http://www.slideshare.net/cmitton/parent-permission-slip-shelfari-presentation.
    The educational utility in Web 2.0 services–like Google Docs, PageFlakes–etc. is obvious especially in the context of the calls for “21st Century Skills”. I am interested in the double layer of assent/oversight: e.g. informed consent of the parent/guardian for the creation of accounts under the supervision by the schools combined with a “digital citizenry” element in the curriculum. The issue is what happens outside of school as these socially networked accounts are persistent and accessible beyond the supervision of school.
    I know that a number of cyberbullying cases have indicated an appreciation that inappropriate behaviour off campus can affect the culture of a school, and therefore can have disciplinary implications for students—re. ability to attend/participate in school. I was interested, therefore, in a recent “sexting” case where a principal who referred several female students to some type of behavioural tutorial, was forced to back off on the grounds that the “sexting” behavior was not itself illegal. Perhaps we need to work with parents/guardians regarding supervision in these activities that transcend (or with the potential to transcend) the school/home/community borders. This implies that there needs to be internet safety/responsibility pieces not only for the students, schools & educators but also for the parents/guardians. As educators, we are increasingly called upon to transcend the school/home/community borders, how do we establish roles/responsibilities in ill-defined areas involving emergent technologies? Right now, I’m leaning toward the “permission forms” & educated supervision—eg. moderation of educational “social” areas—by educators & schools. To balance the advantages of the socially networked tools with student safety, we might be looking at the development of a secondary market for social networking providers based on Michael Morrison’s infrastructure in the post dated April 3rd, 2009 at 7:59 pm above—educational social networking products—that would be securely hosted on school/district-based servers, with some kind of intelligent monitoring software that would trigger designated school district employees to review a student user’s content. Of course, student accounts might also be reviewed based on other users reporting inappropriate use/abuse.

  16. Julia Hengstler Says:

    One more point–or question on this. Anytime we download/install software there’s generally a EULA to accept or terms of service. If students aren’t in a legal position to do this, isn’t the school–or whoever is installing the software on school computers assuming that legal role already on behalf of the students using that software? Just one more thought…

  17. Julia Hengstler Says:

    Check out this service from Learning Landscape for Schools–the commercial model of what Michael was proposing.
    http://www.ll4schools.co.uk/

  18. Mark Wagner, Ph.D. Says:

    Hi, Michael (Concretekax). Parents can sign up for Gmail and Google Docs and use it with their students. Google (and the law) has no problem with that.

    Ultimately, COPPA requires that online services (like Google) must have “verifiable parent permission” to collect profile information from minors under 13… and Google (and most others) are not in the business of collecting verifiable parent permission, so their user agreements simply state that minors under 13 can’t use the product. However, schools excel at getting verifiable parent permission (we call it permission slips), so you can always do that.

    And, Google is happy to let you administer the student accounts (and be responsible for parent permission) using Google Apps for Your Domain: Education Edition, which you might be interested in as well: http://www.google.com/a/help/intl/en/edu/

    Good luck in any case. :)

  19. mike Says:

    Some of the other things that is not coverd is -
    1.estimated time to implement all the accounts
    2. estimated time of one person to monitor and maintain the accounts
    3. estimated increase of bandwidth moving the data to and from the cloud database. Does this affect the end user ?
    4. If managment decides to move away from the application, do you have the storage space, if its decided that you want to keep the student data ?
    5. In order to create a google doc account the student must have a existing e-mail account plus the email account created.

    If anyone can give an answer to these questions – I would be a great help, since my school district is thinking of going down this path !

    P.S – Total users 15,000

  20. College News and Articles » Around the Corner-MGuhlin.org: FERPA This, GoogleApps! Says:

    [...] in Mark Wagner’s blog about GoogleAPps and FERPA is mentioned in comments:http://edtechlife.com/?p=2236Fascinating reading…The question of Family Educational Rights and Privacy Act (FERPA) [...]

  21. Mark Wagner, Ph.D. Says:

    Welcome, new readers of this post. Please don’t miss the page of “little known facts about CIPA, COPPA, and FERPA” I’ve put together for my administrator workshops – it makes a good compliment to this post: http://principals.wikispaces.com/legal

  22. links for 2011-04-26 | Raider Tags Says:

    [...] Educational Technology and Life » Blog Archive » Google Docs Does Not Violate CIPA (or COPPA*) Annotated link http://www.diigo.com/bookmark/http://edtechlife.com/?p=2236 This entry was posted in Uncategorized. Bookmark the permalink. ← links for 2011-04-25 LikeBe the first to like this post. [...]