On May 22nd, 2023, the Federal Trade Commission (FTC) issued a proposed order against Edmodo, LLC (“Edmodo”), a California-based education technology provider, for allegedly violating the FTC’s Children’s Online Privacy Protection Rule (“COPPA Rule”) by illegally collecting the information of children and using that information for advertising, and for allegedly violating Section 5 of the FTC Act by unfairly burdening schools and teachers with COPPA-compliance responsibilities. In a first for an FTC order, Edmodo is prohibited from requiring students to hand over more personal data than is reasonably necessary to participate in online educational activities.
This follows the FTC’s May 2022 policy statement warning educational technology companies against requiring parents and schools to provide children’s personal information to participate in online education. Edmodo suspended their US operations in September 2022, but the terms of the proposed settlement, which include several injunctions, will bind the company should it choose to resume operations. A $6 million civil penalty was entered but suspended due to inability to pay.
Edmodo’s Alleged COPPA Violations
In its complaint against Edmodo, the FTC alleged that Edmodo committed numerous violations of the COPPA Rule. The FTC’s 1999 COPPA Rule Statement of Basis and Purpose (“COPPA SBP”) allows schools to obtain verifiable parental consent by either 1) consenting on behalf of parents or 2) acting as an intermediary in collecting consent from parents. The FTC found that Edmodo did not meet the requirements of the COPPA Rule for either scenario.
Failure to provide notice: Edmodo failed to provide the schools or teachers with direct notice of its information collection, use, and disclosure practices as required for schools and teachers to consent “on behalf of” parents. The FTC found that while Edmodo included links to its Terms of Service and Privacy Policy during teacher sign-up, it did not require teachers to open the links or review them prior to making an account. Additionally, the COPPA Rule requires both a direct and an online notice, and the direct notice must not contain “unrelated, confusing, or contradictory materials.” The FTC found that Edmodo’s Privacy Policy could not serve as both the direct and online notice and that it further violated the rule by including information unrelated to Edmodo’s children’s information practices.
Failure to obtain consent for use of children’s data in advertising: The FTC’s COPPA SBP states that schools or teachers can only act as a parent’s authorized agent for purposes of obtaining consent in an educational context. Edmodo used children’s personal information (including persistent identifiers such as device IDs, cookies, and IP addresses collected by Edmodo and third-party ad networks) for a non-educational purpose (contextual advertising) and therefore was unable to rely on schools or teachers to serve as a parent’s agent.
Failure to inform schools and teachers of COPPA requirements to act as intermediaries: The FTC found that Edmodo failed to inform schools and teachers of the requirements of their role as intermediaries in collecting parental consent. It found that Edmodo’s statement within its Terms of Service that schools and teachers were “solely responsible for complying with COPPA” was “nonsensical and misleading” given the COPPA Rule’s other requirements around security, notice, and retention. It also found that Edmodo failed to supervise or monitor whether schools were providing notice to parents or actually obtaining parental consent.
Failure to retain children’s personal information only as long as reasonably necessary: The FTC found Edmodo’s data retention policies violated the COPPA Rule. Prior to March 2020, Edmodo did not have a data retention or destruction policy and retained data indefinitely. The data retention policy implemented in March 2020 allowed Edmodo to retain data for a period of two years after the account became inactive, which it claimed was “reasonably necessary to fulfill the purpose for which [the personal information] was collected.” The FTC found this to be insufficient justification for retaining the data.
Edmodo’s Alleged Section 5 Violations
In addition to the COPPA Rule violations, the FTC also alleged that in outsourcing its legally mandated responsibility for COPPA compliance onto schools and teachers, Edmodo violated Section 5 of the FTC Act. It found that by giving confusing and misleading information on COPPA compliance to schools and teachers that are often under-resourced and lacking knowledge of COPPA, Edmodo caused substantial injury to the schools, teachers, and children using its platform.
Permanent Injunction and Other Penalties
Pursuant to the proposed order, Edmodo and its officers, agents, employees, and attorneys who receive notice of the order would be permanently enjoined from:
Failing to provide direct notice to parents (or school representatives, where personal information is used for an educational purpose) of Edmodo’s children’s personal information practices
Failing to provide a clear and conspicuous link to an online notice of its information practices on its homepage and every area where personal information is collected from children
Failing to obtain verifiable parental consent or school authorization prior to collecting, using, or disclosing children’s personal information
Conditioning participation on disclosing more personal information than reasonably necessary
Retaining children’s personal information longer than reasonably necessary to fulfill the purpose for which it was collected
Violating the COPPA Rule
In addition, Edmodo would be enjoined from relying on schools as intermediaries in collecting parental consent and from relying on school authorization unless a written agreement is entered into with schools providing direct and online notice of its information practices. The proposed order also includes a data minimization provision, forbidding Edmodo from collecting more information from children than reasonably necessary for participation. It further requires Edmodo to destroy all personal information collected without verifiable parental consent or school authorization within sixty (60) days, and to destroy models and algorithms developed using children’s personal information within ninety (90) days. Edmodo must also implement a retention schedule for children’s personal information, including a time frame for deletion not exceeding one year from the termination of the contract with the school or the generation of the data directly from the child.
Next Steps for Education Technology Providers
Understand your COPPA Compliance Obligations. The FTC makes it clear that responsibility for COPPA compliance lies with the ed tech provider in the school setting. Read the FTC’s policy statement on ed tech and COPPA, and regularly evaluate your information notices and practices against COPPA Rule requirements.
Ensure participation is not contingent on disclosing more information than reasonably necessary. Children cannot be required to disclose more personal information than necessary to participate in online education activities. For example, if the education platform does not send emails to students, student email addresses cannot be collected.
Ensure parents receive direct notice of children’s information practices. Direct notice to parents regarding the operator’s children’s information practices must be clearly written, separate from the online notice, and separate from unrelated materials. Providers are required to make reasonable efforts to ensure parents receive direct notice, including when relying on schools to provide direct notice.
Understand purpose limitations for “on behalf of” consent. When relying on school authorization for verifiable parental consent, ensure that children’s personal information is only used for educational purposes. Information collected for educational purposes under school authorization must not be reused, disclosed, or sold for commercial purposes.
Implement a COPPA-compliant retention policy. Children’s personal information must not be retained for longer than reasonably necessary to fulfill the purpose for which it was collected. In Edmodo’s case, the FTC found their retention policy of two years after contract termination to be excessive and ordered Edmodo to honor a one-year retention policy going forward. When setting a retention policy, ensure that information is kept for as short a time as possible and be prepared to justify retention practices.