On the first of July, public and private schools receiving eRate funding were to begin taking specific steps to comply with the newly enacted Children’s Internet Protection Act (CIPA). The effective date by which schools must certify compliance with CIPA is Saturday, Oct. 27, 2001. More than $2 billion is at stake. What follows is a careful examination of the new requirements by a noted Washington policy analyst working with the Consortium for School Networking (CoSN), a national nonprofit organization representing schools’ interests. The author reviews exactly what your schools must do to safeguard your funding under the new rules–the editors.

CIPA has numerous implications for schools and libraries that receive eRate funding from the federal government. The requirements this legislation imposes on administrators are broad and somewhat complex. This article is intended to bring some clarity to these requirements so that schools and libraries can comply with CIPA, maintain their eRate funding, and bring technology to more schools and communities.

Who must comply with CIPA’s eRate provisions?

Any school that receives discounted rates for “internet access, internet service, or internal connections” under the eRate program must comply with CIPA. If a school receives only “telecommunications services” through the eRate, it need not comply with CIPA, but in that case, it must certify that CIPA does not apply to it. If a school receives no eRate funding, it need not comply with these rules.

Time frame for compliance: Part 1

CIPA applies to funds received during eRate Program Year Four, which begins July 1, 2001. Schools do not have to complete the certification requirements until October 27, 2001, but their eRate funds will not be released until certification is complete. Funds will be paid retroactively as far back as July 1 if certification is made by October 27, as long as the entity began “undertaking action” toward compliance by the time it began receiving the service.

There is an important distinction between actually complying with CIPA and simply “undertaking actions” to comply before July 1, 2001, or the service start date. Here are a few examples of how a school might “undertake action”:

  • Hold a school or library board meeting with CIPA compliance listed as a topic on the agenda;
  • Request and receive a price quote about a filtering or blocking product or service;
  • Hold a school or library board meeting with procurement of internet filtering or blocking products or services listed as a topic on the agenda; or
  • Write and circulate a memo to an administrative authority of a school describing the differences between CIPA’s “internet safety policy” requirements and the school’s current acceptable-use policy.

CIPA also requires school authorities–even in private schools–to hold a public meeting or hearing to discuss the school’s internet safety policy. If a school’s current internet safety policy (also known as an “acceptable-use policy”) includes all of the CIPA-required elements (as will be described in a moment) and was developed with at least one public meeting, no further action is necessary in order to comply.

Time frame for compliance: Part 2

At press time, the Schools and Libraries Division of the Universal Service Administrative Company–the group that administers the eRate–was still considering how to manage the certification process for recipients of Year Four discounts. Schools likely will be eligible to make a certification shortly after funding commitment letters go out, and they should be able to do so by July 1, 2001.

Although schools must be “undertaking action” from the time they begin to receive eRate support for Year Four, they have until October 27, 2001 to certify compliance. During eRate Program Year Five, some one-year waivers will be available for schools that are legally restrained by state or local bidding requirements, and thus cannot become CIPA-compliant by the end of Program Year Four. By Program Year 6 (July 1, 2003), all applicants receiving discounts on internal connections and internet access will need to comply with CIPA.

School entity certification requirements

To ensure the flow of Program Year Four funds, schools must choose one of three possible CIPA-compliance certification options on a revised FCC Form 486: (1) Currently compliant with CIPA; (2) Undertaking action to become compliant with CIPA; or (3) Not required to comply with CIPA.

If a school receives eRate funding as part of a consortium application, individual consortium members complete the new Form 479, which is filed with the Billed Entity (the consortium). The Billed Entity only certifies that it has received signed Forms 479 from all of its members; it is not liable for determining the actual compliance of those members. State network applicants most likely will be treated as consortia for the purposes of certification. At press time, CoSN was seeking further guidance on the application of CIPA to state networks. CoSN will post that clarification on its web site as soon as possible.

What is an ‘internet safety policy’?

The CIPA statute requires schools to use filtering and blocking technology and to implement a set of substantive policy decisions related to internet access, calling both requirements an “internet safety policy.”

With regard to the policy elements of the internet safety policy, CIPA requires that schools address all of the following specific elements:

  • Access by minors to inappropriate material on the internet and world wide web;
  • The safety and security of minors when using eMail, chat rooms, and other forms of direct electronic communications (e.g., Instant Message services);
  • Unauthorized access, including so-called “hacking” and other unlawful activities by minors online;
  • Unauthorized disclosure, use, and dissemination of personal identification information regarding minors;
  • Measures designed to restrict minors’ access to materials deemed “harmful to minors”; and
  • A plan to monitor minors’ use of the internet in school.

In addition, the internet safety policy must require the use of filtering software or services on all computers with access to the internet. When minors are using the internet, access to visual depictions must be blocked or filtered if they are: (1) obscene, (2) child pornography, or (3) “harmful to minors.”

When adults are using the internet, only material that is obscene or child pornography must be filtered or blocked.

Selecting and disabling the ‘technology protection measures’

Under CIPA, a “technology protection measure” is narrowly defined as follows: “The term ‘technology protection measure’ means a specific technology that blocks or filters internet access to visual depictions that are: (a) obscene, as that term is defined in section 1460 of title 18, United States Code; (b) child pornography, as that term is defined in 2256 of title 18, United States Code; or (c) harmful to minors.”

The Federal Communications Commission (FCC) did not identify which filtering products, if any, complied with CIPA and instead ruled that local communities are the correct authorities to make this decision.

Schools receiving covered eRate support cannot disable the filters when minors are using them, even with parental or teacher permission and supervision.

Appropriate school staff may disable filters only for adults who are using school computers for “bona fide research purposes.” The FCC also declined to further define bona fide research, noting: “We leave such determinations to the local communities, whom we believe to be most knowledgeable about the varying circumstances of schools and libraries in those communities.”

The process for monitoring students’ internet use also was left to local decision-making. The rule makes clear that schools are not required to use electronic monitoring and data collection to satisfy the monitoring requirement.

Penalties for noncompliance and failure to certify

Schools that knowingly fail to certify compliance with CIPA lose eligibility for federal support and are responsible for paying the full price of eRate-eligible services. Billed Entities that knowingly fail to certify also will render the entire consortium ineligible. Most importantly, eRate recipients must return any funds spent during a period of noncompliance. Entities reestablishing compliance will be eligible for discounts only when they certify compliance.

At press time, no challenges were pending against the school-based requirements of CIPA. However, both the American Civil Liberties Union (ACLU) and the American Library Association (ALA) have filed lawsuits challenging CIPA’s constitutionality with regard to public libraries.

CIPA also applies to schools and libraries that receive funding under the Library Services Technology Act or Title III of the Elementary and Secondary Education Act, but this article focuses on the requirements for eRate recipients, because they are the ones who must be “undertaking action” to comply with CIPA by July 1, 2001 or risk part or all of their expected eRate support for Funding Year Four (July 1, 2001 to June 30, 2002).

Both the U.S. Department of Education (ED) and the Institute for Museum and Library Services (IMLS) have indicated that CIPA does not impose any requirements on current grantees. ED has suggested that it expects to require grantees in the next fiscal year (beginning October 1, 2001) to comply with CIPA, while IMLS has indicated that compliance will not be required until October 2002.