On May 22 the Federal Trade Commission (“FTC”) announced a $6 million settlement with Edmodo, an ed tech provider, for violations of the COPPA Rule and Section 5 of the FTC Act.  The FTC described this settlement as the first FTC order that will prohibit an ed tech provider from requiring students to provide more personal data than necessary to participate in online activities.  The settlement is consistent with the FTC’s policy statement on ed tech issued last May (see our summary of the policy statement here).

The complaint alleges that Edmodo violated COPPA by failing to provide notice and obtain verifiable parental consent before collecting personal information from children under the age of 13.  Specifically, the complaint alleges that Edmodo’s reliance on schools and teachers to provide verifiable parental consent as agents of parents was not permissible because (1) Edmodo did not provide the required direct notice of its practices as to the collection, use, or disclosure of personal information from children and (2) Edmodo’s used student’s personal information for contextual advertising which exceeds the limited educational context for which school and teachers may provide consent.  The complaint also alleges that Edmodo failed to inform teachers and sole of its reliance on them as intermediaries to provide notice and obtain authorization from parents and failed to make reasonable efforts to ensure parents received notice and provided authorization.

In addition to violating COPPA’s notice and consent provisions, the complaint alleges Edmodo collected more personal information from children than necessary to participate in educational activities and retained children’s personal information longer than reasonably necessary.

Beyond COPPA, the complaint includes allegations that Edmodo violated Section 5 by telling schools and teachers that they were “solely” responsible for COPPA compliance while providing allegedly “confusing and inaccurate information” about obtaining consent under COPPA, thus unfairly burdening teachers and schools with Edmodo’s own COPPA compliance responsibilities.  According to the FTC’s press release, this is the first time the FTC has used Section 5 to allege an unfair trade practice in the context of an ed tech operator’s interaction with schools.

The proposed order includes the following relief:

  • Edmodo is prohibited from (1) relying on schools to act as intermediaries to obtain verifiable parental consent on behalf of Edmodo, or (2) relying on school authorization for collecting personal information from children unless Edmodo enters into a written agreement with the school that includes the following: limits use of personal information to educational purposes only, describes all personal information collected from students and how it will be used and disclosed, provides the school a link to the online notice and recommends the school make it available on the school’s website, requires a school representative to acknowledge and agree that they have the authority to provide consent, and states that any personal information collected by Edmodo is under the direct control of the school with regard to use and maintenance.
  • Edmodo may not collect more personal information than reasonably necessary for the child to participate in the online service.
  • Edmodo must destroy all personal information collected prior to the entry of the order for which Edmodo does not receive verifiable parental consent or school authorization within 60 days.
  • Edmodo must maintain and adhere to a data retention schedule with a maximum retention period of one year.
  • Edmodo must destroy any models or algorithms developed in whole or in part using personal information collected from children without verifiable parental consent.

The order also defines an “educational purpose” to be “any use related to a child’s education including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents.”  Notably, the definition of an educational purpose does not include “commercial purposes unrelated to the provision of the online service requested by the school such as advertising or building user profiles.”

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Jenna Zhang Jenna Zhang

Jenna Zhang is an associate in the firm’s San Francisco office. She is a member of the Data Privacy and Cybersecurity practice group. Jenna advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, product development, and responses to…

Jenna Zhang is an associate in the firm’s San Francisco office. She is a member of the Data Privacy and Cybersecurity practice group. Jenna advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, product development, and responses to regulatory inquiries. She also maintains an active pro bono practice with a focus on immigration.