On May 22, 2023, the Federal Trade Commission (FTC) issued a proposed settlement order in a first-of-its-kind case against an education technology (ed tech) company for violating the Children’s Online Privacy Protection Act (COPPA) Rule. The settlement order contains valuable guidance for ed tech companies and school districts that work with them.
Congress enacted COPPA in 1998 with the goal of protecting the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children’s personal information online by ed tech companies. The FTC is in charge of enforcing the law. To implement COPPA, the FTC passed the COPPA Rule which went into effect in April 2000 and was amended in July 2013. The rule requires online service providers and websites directed at children under 13 to notify parents about personally identifiable information the company intends to collect from their children and to obtain verifiable parental consent for the collection and use of that information.
According to the complaint, until September 2022, EdModo operated an online platform and mobile app which allowed teachers to provide virtual classes for students. The company provided a free version of the service, called EdModo Platform, and a subscription version called EdModo Enterprise. Individual teachers could register for accounts independently on the free version. EdModo Enterprise required a school or district contract.
Both EdModo Platform and EdModo Enterprise collected personal information from students without parental consent, including students’ first and last names, email addresses, birthdates (between July-September 2020), and phone numbers (prior to July 2020). Students were permitted to provide additional information, including their school name and a profile picture. EdModo automatically collected personally identifiable usage and device information, such as cookies, IP address, device type, operating system, browser type and ID, and geographic location based on the IP address. EdModo’s Terms of Service suggested that schools and teachers were responsible for obtaining verifiable parental consent, as required by the COPPA Rule.
Furthermore, the company and its third-party advertising partners used the collected data to target ads to students, including students under 13, on the EdModo Platform.
The FTC’s complaint alleges that EdModo violated the COPPA Rule by:
(1) failing to obtain verifiable parental consent prior to collecting, using, or disclosing personally identifiable information of children,
(2) retaining personal information collected online from children for longer than reasonably necessary to fulfill the purpose for which the information was collected, and
(3) unfairly requiring schools and teachers to comply with the COPPA Rule on the company’s behalf without providing adequate information or support to meet the Rule’s requirements.
Those allegations in the complaint are consistent with the FTC’s May 2022 policy statement which warned that the Commission would specifically focus on the following provisions of the COPPA Rule when investigating potential violations by ed tech providers:
- Prohibitions Against Mandatory Collection: Companies cannot require children to provide more information than is reasonably needed for participation in the intended online activity. The guidance states, “Students must not be required to submit to unnecessary data collection in order to do their schoolwork.”
- Use Prohibitions: Ed tech providers that collect personal information from a child with the school’s authorization may use that information only to provide the requested online education service. The guidance states, “In this context, ed tech companies are prohibited from using such information for any commercial purpose, including marketing, advertising, or other commercial purposes unrelated to the provision of the school-requested online service.”
- Retention Limitations: Ed tech providers are prohibited from retaining children’s personal information for longer than is necessary to fulfill the purpose for which it was collected. The guidance states, “It is unreasonable, for example, for an ed tech provider to retain children’s data for speculative future potential uses.”
- Security Requirements: Ed tech providers must have procedures to maintain the confidentiality, security, and integrity of children’s personal information. The guidance states, “[E]ven absent a breach, COPPA-covered ed tech providers violate COPPA if they lack reasonable security.”
The policy statement also makes clear that “The responsibility for COPPA compliance is on businesses, not schools or parents – and agreements must reflect that.” Companies that fail to follow the COPPA Rule face potential civil penalties, new requirements, and limitations on their business practices to stop unlawful conduct.
The proposed settlement order in this case fines EdModo $6 million and prohibits the company from
- Conditioning a child’s participation in an activity on the disclosure of more information than is reasonably necessary to participate in such activity
- Using children’s information for non-educational purposes such as advertising or building profiles
- Using schools as intermediaries in the parental consent process.
The proposed settlement order also requires EdModo to
- Complete several requirements before obtaining school authorization to collect information a child
- Implement and adhere to a retention schedule that details what information it collects, what the data is used for, and a time frame for deleting it
- Delete models or algorithms developed using personally identifiable information collected from children without verifiable parental consent or school authorization.
EdModo ceased operations in the United States during the FTC’s investigation, so the fine was suspended due to the company’s inability to pay. But, if the proposed settlement order is approved by the court, EdModo will be bound by this order if it ever resumes. its U.S. operations. The significance of this case, however, is the guidance it provides for ed tech companies and educators about the FTC’s enforcement of the COPPA Rule. More information about COPPA’s application to ed tech companies can be found here.