ICYMI: On May 22, the FTC announced that it obtained a $6 million order against edtech company Edmodo for violations of the Children’s Online Privacy Protection Act Rule (COPPA Rule) and the FTC Act.

COPPA requires operators of an online service (companies) to obtain parental consent prior to collecting or maintaining personal information from children who are under age 13. Schools can provide consent, acting as the parent’s agent, only to collect data that is exclusively used for educational purposes. 

Edmodo’s terms of services, however, exceeded that narrow exception:

  • Edmodo violated COPPA by stating that schools and teachers were solely responsible for obtaining verifiable parental consent.

  • According to the FTC, Edmodo used the data for non-educational purposes, namely advertising, violating  Section 312.3 of COPPA

  • The FTC also said Edmodo violated Section 5 of the FTC Act, which prohibits “unfair or deceptive practices.” This is the first time the FTC has alleged an unfair trade practice in relation to a vendor’s interaction with a school.

The FTC also found that Edmodo retained student data for longer than reasonably necessary, a violation of Section 312.10 of COPPA.

The order originally included a monetary penalty of $6 million, which was suspended due to Edmodo’s inability to pay. 

Why it matters

In recent years, FTC orders have become a critical source to guide interpretation and compliance with COPPA. So while this is an Edmodo-specific order, it has broader edtech implications:

  • Putting a(nother) flag in the ground: A year ago, the FTC announced that they planned to take a harder look at edtech company policies around data collection. 

The 2022 statement gives reasonably clear guidelines for avoiding Edmodo’s fate: don’t collect more student information than you need to for your product to work; don’t use it for commercial purposes; don’t keep it longer than you need to; and keep the data you do collect safe, secure, and confidential.

  • School-Level Authorization Required: The order narrows the meaning of “School Authorization” down to the “School” level. Today, district officials and even education service agencies act as “school” officials to authorize the collection and use of student data. As written, the order whittles this down to an authorized “School” employee, with “School” being “an institutional day or residential school, including a public school, charter school, or private school [all singular], that provides elementary and secondary education, as determined by state law.” How this will shake out remains to be seen, but the new definitions could require companies to work with each individual school to obtain COPPA-compliant consent.

  • Algorithmic Watch-Out: Edtech companies using student data to train AI should take note. The order would also require Edmodo to delete “models or algorithms developed using personal information collected from children without verifiable parental consent or school authorization.”

What’s next: The order is not final until the U.S. District Court for the Northern District of California approves it. Congress is also considering legislation that would expand COPPA, so stay tuned!

Interested in learning more? Please reach out to us.