If you are building a web application to be used by US schools, you will probably have to worry about COPPA compliance.
The Children's Online Privacy Protection Act, or COPPA, is new to me, probably because it was passed in 1998 and then quickly forgotten. However, it has a number of very strict rules about storing identifying information of children under the age of 13, and the penalty is $11,000 per violation, so this is not something to ignore.
Here is a quick summary of the requirements:
- Post a clear and comprehensive privacy policy on their website describing their information practices for children’s personal information;
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children;
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties;
- Provide parents access to their child’s personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child’s personal information;
- Maintain the confidentiality, security, and integrity of information they collect from children.
Some of these are easy to satisfy: add a note to your privacy policy, and make sure you store the information securely. But #4 worries me the most. Are they expecting a backdoor through which a parent will be able to access this information? How do you obtain verifiable parental consent? Is any of this really possible in the context of a web application?