Ed Tech Privacy and Security Alert: FTC Obtains a New Consent Order against Edmodo

September 7, 2023

Privacy Plus+

Privacy, Technology and Perspective

Ed Tech Privacy and Security Alert: FTC Obtains a New Consent Order against Edmodo.  This week, let’s look at the latest consent order secured by the Federal Trade Commission (FTC) against education technology (Ed Tech) provider Edmodo for its collection and usage of personal data from minors.  The case highlights the FTC’s growing concern about privacy and security measures in the Ed Tech sector, and providers of Ed Tech platforms (and vigilant parents and educators) should pay close attention.

Background: Edmodo, a California-based education technology provider, previously offered an online platform and mobile app where schools and teachers could set up virtual classes to facilitate discussions, share materials, and other educational resources. Up until September 2022, the platform provided both free and subscription-based services to its users. However, it seems the company overstepped its boundaries, resulting in a serious violation of the Children's Online Privacy Protection Act (COPPA) Rule, as well as unlawfully delegating its COPPA compliance obligations to educational institutions. 

Violation of COPPA Rule: The Complaint charged Edmodo with violating the COPPA Rule by failing to obtain Verifiable Parental Consent prior to collecting, using and disclosing personal information of children, and retaining such personal information for longer than reasonably necessary to fulfill the purpose for which it was collected. This personal information included names, email addresses, dates of birth, and phone numbers, which were subsequently used for advertising purposes.

Unfair Delegation of COPPA Compliance: The Complaint also charged Edmodo with violating Section 5 of the FTC Act by unfairly requiring schools and teachers to comply with the COPPA Rule on its behalf without providing adequate information or support to meet the Rule’s requirements. Edmodo’s terms of service allegedly told schools and teachers, falsely, that they were “solely” responsible for complying with the COPPA Rule. Additionally, the terms of service allegedly failed to disclose adequately what personal information the company actually collects or indicate how schools or teachers should go about obtaining parental consent.  Consequently, this facilitated the unauthorized collection of children's personal information. 

A Close Look at the Consent Order: The consent order against Edmodo contains several significant stipulations:

  1. Financial Penalty: Edmodo faces a monetary penalty of $6 million, which, due to the company’s financial constraints, will be suspended.

  2. Protection of Children's Data: In 2022, Edmodo shut down its operations in the United States. Should the company resume its operations in the U.S., it will be mandated to ensure robust protection of children's data, including:

  • ·       Restricting the unnecessary collection of personal data as a prerequisite for children to partake in online activities;

  • ·       Implementing rigorous prerequisites (including specific contracts) before acquiring school authorization for data collection from minors;

  • ·       Prohibiting the use of minors' information for non-educational purposes, like advertising or creating user profiles;

  • ·       Eliminating the role of schools as intermediaries in the parental consent process;

  • ·       Implementing a detailed data retention schedule stipulating the nature of collected data, its usage, and a defined timeline for its deletion; and

  • ·       Obliging Edmodo to delete any models or algorithms developed utilizing personal data collected without proper parental consent or school authorization.

A link to the Consent Order follows:

https://www.ftc.gov/system/files/ftc_gov/pdf/Edmodo-Dkt15%28Order%20Signed%20by%20the%20Court%29.pdf

The FTC also wrote a great blog post on the Complaint in May, which you can read by clicking on the following link:

https://www.ftc.gov/business-guidance/blog/2023/05/oh-no-you-dont-edmodo-ftc-sues-ed-tech-company-violating-school-kids-privacy

Our Thoughts: This case serves as a warning to other Ed Tech providers, highlighting the FTC's intent to enforce data protection regulations rigorously in the Ed Tech sector. It underscores the need for companies to comply fully with the COPPA Rule, not only to avoid substantial penalties but also to safeguard the privacy and security of minors. Moreover, this enforcement action should cause those in the Ed Tech sector to prioritize the reassessment of their data collection and usage policies, ensuring alignment with legal requirements and the best practices described in this consent order.

--- 

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.

 

Previous
Previous

A Closer Look at the INFORM Consumers Act: Tackling Online Fraud in 2023

Next
Next

CFPB Spotlights the FCRA’s Next Regulatory Frontier: Data Brokers