Safeguarding the Wired Schoolhouse

National Association of Secondary School Principals Logo

This project is made possible by an education grant from:
Verizon

Content provided by:


Brought to you by CoSN


Compliance with the Children's Internet Protection Act

NASSP Links

Internet Safety & CIPA

FAQ on CIPA

Compliance with CIPA

About this Document

This document is intended to help school administrators understand the requirements of the Children's Internet Protection Act (CIPA) as it applies to E-Rate recipients by updating the January 2001 "Filtering Compliance" memo provided to members of the Consortium on School Networking (CoSN). This is only a guide and should not be understood as the definitive interpretation of this law or as legal advice.

The earlier versions of this memo outlined COSN's understanding of the requirements Congress imposed on schools and libraries receiving certain types of E-Rate, Department of Education, and Institute for Museum and Library Services funding for computers with Internet access with the passage of the Children's Internet Protection Act (CIPA), which became law at the very end of 2000. It also attempted to help schools and libraries understand what kinds of rules might be promulgated by the federal agencies responsible for such funding.

On April 5, 2001, the Federal Communications Commission released a Report & Order (part of Docket Number 96-45), providing schools and libraries receiving E-Rate discounts with additional compliance guidance. The Department of Education and the Institute for Museum and Library Services have not promulgated any rules interpreting CIPA, nor have they indicated plans to do so. However, both the Department of Education and IMLS have indicated that CIPA does not impose any requirements on current grantees. The Department of Education has indicated that it expects to require grantees beginning October 1, 2001 to comply with CIPA, while the IMLS has suggested compliance will be required beginning in October 2002.

The memo will focus on compliance with CIPA for E-Rate recipients:

  • Who must comply with CIPA;
  • The time frame for compliance;
  • The compliance certification process;
  • Public meeting requirement;
  • The requirements with respect to filtering technology and "Internet Safety Policies";
  • When filters may be disabled and for whom;
  • Monitoring student Internet use;
  • Penalties for failure to comply; and
  • The implications of ALA and ACLU lawsuits challenging CIPA's library provisions.

Who Must Comply with CIPA

  • Any school that receives discounted rates for "Internet access, Internet service or internal connections" under the E-Rate program must comply with CIPA.
  • If a school receives only "telecommunications services" through E-Rate, it does not need to comply with CIPA.
  • If a school receives no E-Rate funding, it does not need to comply with these rules.[1]

Time Frame for Compliance

CIPA applies to funds received during E-Rate Program Year Four, which began July 1, 2001. In general, schools must complete the certification requirements above by October 28, 2001.[2] The FCC and Schools & Libraries Division have indicated that funds for Year 4 may be paid retroactively to the service start date if the entity certifies that is was "taking actions to comply with CIPA at the time that it actually receives these services." (Corrected Report and Order, para. 15.; emphasis in original.)

If a school has not received an E-Rate Funding Commitment Decision Letter by October 28, 2001, it has 120 days after receiving that letter to complete the certification requirement. This is also true for schools whose Year 4 Service Start Date is after October 28, 2001. However, if your Service Start Date for Year 4 is after July 1, 2002, you will want clarify with the SLD exactly when you must take action and become compliant. Schools have reported inconsistent answers from the SLD and FCC as to when they must become fully compliant under those circumstances.

During E-Rate Program Year Five, some one-year waivers will be available for schools that are legally restrained by state or local bidding requirements, if they cannot become CIPA compliant by the end of Program Year Four. By E-Rate Program Year 6 (July 1, 2003), all applicants receiving internal connections and Internet access discounts will need to comply with CIPA.

New applicants beginning in E-Rate Program Year 5 or later are subject to the certification requirements current applicants must meet this year. The language of the CIPA statute refers to requirements for "the first program year following passage [of CIPA]" and creates parallel requirements for new applicants in future years. This means, for example, that all new E-Rate applicants in Year 5 will have until October of their first year participating in the E-Rate program to certify compliance with CIPA.

School Certification Requirements

In order to ensure the flow of Program Year 4 funds, schools must make one of three possible CIPA compliance certification options on a revised FCC Form 486:

  1. The recipient(s) of service represented in the Funding Request Number(s) on this Form 486 has (have) complied with the requirements of the Children's Internet Protection Act, as codified at 47 U.S.C. § 254(h) and (l).
  2. Pursuant to the Children's Internet Protection Act, as codified at 47 U.S.C. § 254(h) and (l), the recipient(s) of service represented in the Funding Request Number(s) on this Form 486 is (are) undertaking such actions, including any necessary procurement procedures, to comply with the requirements of CIPA for the next funding year, but has (have) not completed all requirements of CIPA for this funding year.
  3. The Children's Internet Protection Act, as codified at 47 U.S.C. § 254(h) and (l), does not apply because the recipient(s) of service represented in the Funding Request Number(s) on this Form 486 is (are) receiving discount services only for telecommunications services.

We expect that most schools participating in the E-Rate will select the second certification option this year - that they are undertaking action towards compliance and will become compliant by E-Rate Program Year 5. The SLD has provided guidance on what constitutes "undertaking action," including straightforward items such as calling filtering or blocking service vendors to get estimates on the cost of such services, holding a staff meeting to begin planning compliance, or circulating a memo on the changes you need to make to your Acceptable Use Policy to meet the new Internet Safety Policy requirements. The SLD makes it very clear that their list is only intended to give schools a sense of what is required, not a limiting list of requirements. The key things for schools to remember is that these must be real steps towards compliance, and they should be documentable in the event of an audit. The complete list is available on the SLD web site: sl.universalservice.org.

Note: Schools are required to have begun undertaking action towards compliance by their Service Start Date. If your Service Start Date has already passed, you should undertake action towards compliance AS SOON AS POSSIBLE. Your funding between the time of your Service Start Date and the date you began undertaking action is at risk.

Consortium Certification Requirements

If a school receives E-Rate funding as part of a "consortium application" individual consortium members must complete the new Form 479. Instead of filing Form 479 with the Schools & Libraries Division, Forms 479 are filed with the Billed Entity, which files a Form 486 on behalf of members of the consortium. State network applicants will most likely be treated as consortia for the purposes of certification, although the FCC has not been completely clear about this. CoSN is seeking further guidance on the application of CIPA to state networks and will post that clarification as soon as possible. In the meantime, state network applicants should contact the USAC with questions about their specific circumstances.

The statements schools choose from on Form 479 are substantially similar to the certifications on Form 479. The Billed Entity then files a Form 486 on behalf of the consortium. The Billed Entity must make one of two additional certifications:

  1. I certify as the Billed Entity for the consortium that I have collected, duly completed and signed certifications from all eligible members of the consortium.
  2. I certify as the Billed Entity for the consortium that the only services received under the universal service support mechanism by eligible members of the consortium are telecommunications services, and therefore the requirements of the Children's Internet Protection Act, as codified at 47 U.S.C. § 254(h) and (l), do not apply.

The Billed Entity only certifies that it has received signed Forms 479 from all of its members; it is not liable for determining the actual compliance of those members.

The Billed Entity certification is still due on October 28, 2001 - so consortium members need to get their Forms 479 to the Billed Entity of their consortium before that date. (The same timeline exceptions outlined above apply to consortia.)

Public Meeting Requirement

CIPA also requires school authorities to hold a public meeting or hearing to discuss the adoption of an Internet Safety Policy that includes use of filtering technology. If a school's current Internet Safety Policy (more commonly known as an 'Acceptable Use Policy') covers all of the CIPA-required elements (described below), and was developed with at least one public meeting, no further action is necessary in order to comply. Specifically, the FCC indicated at para. 51 of the corrected Report and Order:

If an entity has already provided reasonable public notice and at least one public hearing or meeting related to an Internet safety policy and technology protection measure that meets the requirement[s] of [CIPA], then we conclude that the entity has already complied with the public notice and hearing requirements of CIPA. If an entity has not met those conditions, we conclude that the statute requires that the entity provide the required notice, and hearing or meeting.

Special note for private schools: The FCC found that all schools eligible for E-Rate funding must meet the public meetings and notice requirement. Congress appeared to limit the meeting and notice requirements for private schools to members of the public with a relationship to the school.

Requirements of the "Internet Safety Policy"

The CIPA statute requires schools to both install and use filtering & blocking technology and to implement a set of substantive policy decisions related to Internet access, known as Internet Safety Policies. This causes some confusion, particularly as the requirements are located in different parts of the statute.

CIPA requires that schools address all of the following specific elements:

  • Access by minors to inappropriate material on the Internet and World Wide Web;
  • The safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; (i.e. Instant Message services)
  • Unauthorized access, including so-called 'hacking' and other unlawful activities by minors online;
  • Unauthorized disclosure, use, and dissemination of personal identification information regarding minors; and
  • Measures designed to restrict minors' access to materials harmful to minors;
  • A plan to monitor minors' use of the Internet in school.

In addition, the Internet Safety Policy itself must require the installation and use of filtering software or services on all computers with access to the Internet. It must further require that when minors are using the Internet, access to visual depictions be blocked or filtered if they are:

  • obscene;
  • child pornography; or
  • "harmful to minors"

When adults are using the Internet, only material which is obscene or child pornography must be filtered or blocked.

Selecting and Disabling the Filters

The FCC declined to respond the request of several commenters to identify which filtering products, if any, complied with CIPA. Instead, it specifically held that local communities are the best authorities to make this decision.

Schools receiving covered E-Rate support cannot disable the computers when minors are using them, even with parental or teacher permission and supervision. For example, if your school uses the product Bess, teachers may not use the password filter-disabling feature to turn off the filtering service when a student is using the computer. Schools may select technologies that allow them to edit or adjust the filtering or blocking list, and may work with technology providers to customize those lists. But they may not unblock at the desktop at the request of a student.

Appropriate school staff may disable filters for adults using school computers for "bona fide research purposes."

Although many commenters sought a definition of bona fide research, the FCC declined to define the term. Rather it stated:

We decline to promulgate rules mandating how entities should implement these provisions. Federally-imposed rules directing school and library staff when to disable technology protection measures would likely be overbroad and imprecise, potentially chilling speech, or otherwise confusing schools and libraries about the requirements of the statute. We leave such determinations to the local communities, whom we believe to be most knowledgeable about the varying circumstances of schools and libraries in those communities. (Corrected Report & Order, para. 53, emphasis added.)

Monitoring Student Internet Use

The process for monitoring students' Internet use was also left to local decisionmaking. The final language of the CIPA law was very clear that electronic monitoring and data collection is not required for schools to comply with the monitoring requirement. Schools are free to use technology, but they may also choose less intrusive forms of monitoring such as teacher monitors.

Penalties for Noncompliance & Failure to Certify

Schools that knowingly fail to comply and certify compliance with CIPA lose eligibility for federal support and are responsible for paying the full price of applicable E-rate eligible services. Billed Entities that knowingly fail to certify will also render the entire consortium ineligible. Specifically, the FCC Rule (47 CFR § 54.520(d)(1)) indicates:

A school or library [or billed entity] that knowingly fails to submit certifications as required by this section, shall not be eligible for discount services under the federal universal service support mechanism for schools and libraries until such certifications are submitted.
47 CFR § 54.520(e)(1) further indicates:
A school or library [or consortium] that knowingly fails to ensure the use of computers in accordance with the certifications required by this section, must reimburse any funds and discounts received under the federal universal service support mechanism for schools and libraries for the period in which there was noncompliance.

Entities reestablishing compliance will become eligible for discounts when they certify compliance.

Lawsuit Challenging CIPA

There are no challenges at this time to the school-based requirements of CIPA.

Both the ACLU and the American Library Association (ALA) have filed lawsuits challenging CIPA's constitutionality. Both the ACLU and the ALA lawsuits focus on the impact of CIPA on public libraries. While is remotely possible that the court will decide to strike down the whole statute, we believe that it is highly unlikely.

Therefore, school entities should not assume that the ACLU and ALA challenges will have an impact on schools or school libraries receiving funding from sources covered by CIPA and should take the necessary steps to comply with the CIPA requirements.

[1] Schools may still have to comply with CIPA if they receive funds under ESEA. The Department of Education has not yet issued CIPA guidance. Please check www.cosn.org for additional information as it becomes available.

[2] Technically, the statutory deadline is October 28, 2001. However, that is a Sunday, and the FCC has indicated that certifications postmarked on October 29 will be considered untimely. This renders the effective date for compliance October 27, 2001.

©2003 Consortium for School Networking. All rights reserved.