Federal Trade Commission finalises order against Edmodo for unlawfully using children’s personal information for advertising and other purposes.

July 3, 2023

The protection of children’s privacy has been a focus of enforcement action in the United States. For good reason. There is a real problem with some companies collecting and using personal information of minors.

The Department of Justice and the Federal Trade Commission have entered into orders with Edmodo whereby Edmodo consented to a permanent injunction to prevent future violations of children’s privacy. In Edmodo’s case the claim was that it collected the personal information of children under 13 without giving notice to the children’s parents or obtaining parental authorization. It used this personal information to enable third parties to display targeted advertising to student users.

The press release provides:

The Department of Justice, together with the Federal Trade Commission (FTC), today announced that Edmodo, LLC (Edmodo) has agreed to a permanent injunction and a $6 million civil penalty in connection with its online educational platform, as part of a settlement to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA), the Children’s Online Privacy Protection Rule (COPPA Rule), and the Federal Trade Commission Act. The civil penalty is suspended due to Edmodo’s inability to pay.

The Edmodo educational platform, sold to schools throughout the United States, enabled teachers to interface with students, including children under 13 years old, to host virtual class spaces, conduct discussions, share materials, make assignments, and provide quizzes and grades, among other things. In a complaint filed in the U.S. District Court for the Northern District of California, the government alleges that, until approximately September 2022, Edmodo collected the personal information of children under 13, including their names, email addresses, phone numbers, device information, and IP addresses. Edmodo allegedly collected such information without providing notice to the children’s parents or obtaining parental authorization to collect such personal information, as required by the COPPA Rule, and used this personal information to enable third-parties to display targeted advertising to student users between 2018 and September 2022.

The complaint further asserts that Edmodo was retaining this personal information indefinitely. As of March 2020, Edmodo retained the personal information associated with approximately 36 million student accounts, of which only one million were actively using the platform. This indefinite retention violated COPPA’s requirement that an operator not retain personal information of children for longer than “reasonably necessary to fulfill the purpose for which [the information] was collected.” 

The stipulated order, entered by the federal district court yesterday, enjoins Edmodo from collecting personal information from children in a manner that violates the COPPA Rule and prohibits Edmodo from retaining children’s personal information for longer than reasonably necessary to fulfill the purpose for which it was collected. The order also enjoins Edmodo from collecting more personal information than reasonably necessary for a child to participate in any activity offered on its service. It also requires Edmodo to destroy personal information improperly collected from children under age 13 and to comply with reporting, monitoring, and recordkeeping requirements. Edmodo is also subject to a civil penalty judgment of $6 million dollars, which is suspended due to Edmodo’s inability to pay. 

“The Justice Department takes seriously its mission to protect the online privacy rights of children and their parents. This order spells out clearly to all online providers that it is unacceptable to collect children’s personal information without their parents’ consent,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Department of Justice’s Civil Division. “The department is committed to protecting against unauthorized online collection and retention of information, especially from children.” 

“This order makes clear that ed tech providers cannot outsource compliance responsibilities to schools, or force students to choose between their privacy and education,” said Director Samuel Levine of the FTC’s Bureau of Consumer Protection. “Other ed tech providers should carefully examine their practices to ensure they’re not compromising students’ privacy.”

“Children do not lose their privacy protections when they use the internet,” said U.S. Attorney Ismail J. Ramsey for the Northern District of California. “Congress and the FTC have established rules to govern websites and apps collecting and storing the personal information of children. The settlement being announced today demonstrates the Department of Justice’s resolve to enforce those rules. We will continue to work with our partners at the FTC to safeguard children’s online privacy.” 

At the commencement of the proceedings in May, the FTC issued a press release titled “Oh no, you don’t, Edmodo: FTC sues ed tech company for violating school kids’ privacy”, which set out the complaint. It provides:

Educational technology hasn’t totally overtaken chalk dust and penmanship, but ed tech certainly has found its way into schools. A proposed settlement with Edmodo, LLC, alleges the ed tech company violated the Children’s Online Privacy Protection Act Rule and the FTC Act by collecting personal information from school kids without their parents’ consent, using that data for advertising purposes, and unfairly requiring schools and teachers to comply with COPPA on its behalf. If you’ve been wondering who bears the bottom-line responsibility for complying with COPPA in the school setting, we’ll cut to the chase: It’s the ed tech company. The action against Edmodo illustrates that fundamental principle – and much more.

Edmodo operates platforms and related apps that let teachers create accounts and invite students and parents to join their virtual classroom. Using Edmodo, teachers can host discussions, share materials, give quizzes, and communicate privately with students and parents. Edmodo offers a free version, which any teacher can use, and a paid version, to which school districts can subscribe. To register, students had to provide their name and email address. At certain times, Edmodo also asked for their date of birth and phone number.

According to the complaint, both versions of the Edmodo platform collected additional personal information from kids – for example, their school, where they were located, and a profile picture. In addition, Edmodo automatically collected certain use and device information, including cookies, IP address, and geographic location based on the IP address. What’s more, the complaint alleges Edmodo collected persistent identifiers from students’ devices and used that information to serve up advertising on its free platform.

The FTC says kids as young as kindergarteners had Edmodo accounts and the company estimated that around 600,000 students under 13 used its platform in 2020 alone. In other words, according to the complaint, Edmodo gathered all that data without parental permission and without complying with the requirements of the COPPA Rule.

So who’s responsible for COPPA compliance? Under COPPA, schools can authorize the collection of personal information from students on behalf of parents, but only in limited circumstances. A website operator like Edmodo first must notify the school of its collection, use, and disclosure practices. And schools can authorize collection, provided the personal information is used only for an educational purpose – and most certainly not to serve up ads, as Edmodo was doing.

According to the FTC, Edmodo illegally passed the COPPA compliance buck to teachers and schools. For example, when teachers opened an account, if they clicked on the Terms of Service link, if they scrolled down, and if they happened to find a paragraph buried on the bottom of the second page – all big ifs – here’s what Edmodo said:

If you are a school, district, or teacher, you represent and warrant that you are solely responsible for complying with COPPA, meaning that you must obtain advance written consent from all parents or guardians whose children under 13 will be accessing the Services. . . . When obtaining consent, you must provide parents and guardians with our Privacy Policy; you can find a sample permission slip here [NOTE: According to the complaint, the company website didn’t include a link]. You must keep all consents on file and provide them to us if we request them. For more information on COPPA, please click here [NOTE: No link here either, despite the “click here” prompt]. If you are a teacher, you represent and warrant that you have permission and authorization from your school and/or district to use the Services as part of your curriculum, and for purposes of COPPA compliance, you represent and warrant that you are entering into these Terms on behalf of your school and/or district.

The FTC alleges the company unfairly used that hard-to-find and hard-to-understand legalese to shift COPPA compliance responsibilities to teachers and schools. Oh no, you don’t, Edmodo.

In 2022, Edmodo shut down its operations in the United States. The terms of the proposed settlement, however, will still bind the company, including if it resumes U.S. operations in the future. Parts of the order should be familiar to those who follow the FTC’s two decades of COPPA enforcement. Other provisions track the May 2022 Policy Statement of the Federal Trade Commission on Education Technology and the Children’s Online Privacy Protection Act. The following order provisions apply to Edmodo, but they merit the attention of others in the ed tech industry.

  • Edmodo can’t condition a kid’s participation in an activity on disclosing more information than is reasonably necessary.
  • To get a school’s authorization to collect information from a child, Edmodo must agree the data will be used just for educational purposes – and to be clear, that doesn’t include advertising or creating user profiles.
  • Edmodo must stick to a retention schedule for children’s personal information, including an explanation of why the company is collecting it in the first place, the specific business need for retaining it, and a time frame for deleting it, which has to be no more than a year.
  • Edmodo must delete models or algorithms it developed using information collected from kids without school authorization or their parents’ verifiable consent.

The proposed order included a $6 million civil penalty, which will be suspended based on the company’s inability to pay.

What can other companies take from the action against Edmodo?

Reread the FTC’s Ed Tech Policy Statement.  If you haven’t evaluated your company’s practices against the FTC’s Ed Tech Policy Statement, now is the time. Savvy industry members will conduct periodic reassessments as their products and practices change.

Ed tech companies can’t pass the COPPA compliance buck.  This is the first FTC action alleging that it’s an unfair practice for a company to require schools and teachers to comply with COPPA on its behalf. The message to the industry is unmistakable. In the final analysis, the legal responsibility for complying with COPPA remains with the ed tech operator.

Mixing ed tech and advertising can lead to serious legal consequences.  Ed tech providers may rely on schools to authorize data collection in lieu of parental consent if – and only if – the information collected from kids is used solely for educational purposes. Edmodo’s use of the data for commercial purposes is just one way in which the FTC says the company violated the law.

In a subsequent press release, FTC Says Ed Tech Provider Edmodo Unlawfully Used Children’s Personal Information for Advertising and Outsourced Compliance to School Districts, the FTC refers to the order it obtained, stating:

The Federal Trade Commission has obtained an order against education technology provider Edmodo for collecting personal data from children without obtaining their parent’s consent and using that data for advertising, in violation of the Children’s Online Privacy Protection Act Rule (COPPA Rule), and for unlawfully outsourcing its COPPA compliance responsibilities to schools. 

Under the proposed order, filed by the Department of Justice on behalf of the FTC, Edmodo, Inc. will be prohibited from requiring students to hand over more personal data than is necessary in order to participate in an online educational activity. This is a first for an FTC order and is in line with a policy statement the FTC issued in May 2022 that warned education technology companies about forcing parents and schools to provide personal data about children in order to participate in online education. During the course of the FTC’s investigation, Edmodo suspended operations in the United States. The order, if approved by the court, will bind the company, including if it resumes U.S. operations.

“This order makes clear that ed tech providers cannot outsource compliance responsibilities to schools, or force students to choose between their privacy and education,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Other ed tech providers should carefully examine their practices to ensure they’re not compromising students’ privacy.”

In a complaint, also filed by DOJ, the FTC says Edmodo violated the COPPA Rule by failing to provide information about the company’s data collection practices to schools and teachers, and failing to obtain verifiable parental consent. The COPPA Rule requires online services and websites directed to children under 13 to notify parents about the personal information they collect and obtain verifiable parental consent for the collection and use of that information.

Until approximately September 2022, California-based Edmodo offered an online platform and mobile app with virtual class spaces to host discussions, share materials and other online resources for teachers and schools in the United States via a free and subscription-based service. The company collected personal information about students including their name, email address, date of birth and phone number as well as persistent identifiers, which it used to provide ads.

Under the COPPA Rule, schools can authorize collection of children’s personal information on behalf of parents. But a website operator must provide notice to the school of the operator’s collection, use and disclosure practices, and the school can only authorize collection and use of personal information for an educational purpose.

Edmodo required schools and teachers to authorize data collection on behalf of parents or to notify parents about Edmodo’s data collection practices and obtain their consent to that collection. Edmodo, however, failed to provide schools and teachers with the information they would need to comply in either scenario as required by the COPPA Rule, according to the complaint. For example, during the signup process for Edmodo’s free service, Edmodo provided minimal information about the COPPA Rule to teachers—providing only a link to the company’s terms of service and privacy policy, which teachers were not required to review before signing up for the company’s service.

Those teachers and schools that did read Edmodo’s terms of service were falsely told that they were “solely” responsible for complying with the COPPA Rule. The terms of service also failed to adequately disclose what personal information the company actually collects or indicate how schools or teachers should go about obtaining parental consent. These failures led to the illegal collection of personal information from children, according to the complaint.

In addition, Edmodo could not rely on schools to authorize collection on behalf of parents because the company used the personal information it collected from children for a non-educational purpose—to serve advertising. For such commercial uses, the COPPA Rule required Edmodo to obtain consent directly from parents. 

Edmodo also violated the COPPA Rule by retaining personal information indefinitely until at least 2020 when it put in place a policy to delete the data after two years, according to the complaint. COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfill the purpose for which it was collected.

In addition to violating the COPPA Rule, the FTC says Edmodo violated the FTC Act’s prohibition on unfair practices by relying on schools to obtain verifiable parental consent. Specifically, the FTC says that Edmodo outsourced its COPPA compliance responsibilities to schools and teachers while providing confusing and inaccurate information about obtaining consent. This is the first time the FTC has alleged an unfair trade practice in the context of an operator’s interaction with schools.

Proposed Order

The proposed order with Edmodo includes a $6 million monetary penalty, which will be suspended due to the company’s inability to pay. Other order provisions, which will provide protections for children’s data should Edmodo resume operations in the United States, include:

  • prohibiting Edmodo from conditioning a child’s participation in an activity on the child disclosing more information than is reasonably necessary to participate in such activity;
  • requiring the company to complete several requirements before obtaining school authorization to collect information from a child;
  • prohibiting the company from using children’s information for non-educational purposes such as advertising or building user profiles;
  • banning the company from using schools as intermediaries in the parental consent process;
  • requiring the company to implement and adhere to a retention schedule that details what information it collects, what the data is used for and a time frame for deleting it; and
  • requiring Edmodo to delete models or algorithms developed using personal information collected from children without verifiable parental consent or school authorization.

The proposed order was 36 pages long. Some of the relevant points were:

  • Edmodo Platform failed to:
    • make reasonable efforts, taking into account available technology, to ensure that a Parent of a Child, or a School Representative where any Personal Information Collection is for an Educational Purpose, received Direct Notice of Defendant’s practices with regard to the Collection, use, or Disclosure of Personal Information from Children, including notice of any material change in the Collection, use, or Disclosure practices to which the Parent or School has previously consented, unless the COPPA Rule provides an exception to providing such notice;
    • post a Clear and Conspicuous link to an online notice of its information practices with regard to Children on the home or landing page or screen of its website or online service, and at each area of the website or online service where Personal Information is Collected from Children, unless the COPPA Rule provides an exception to providing such notice;
    • obtain Verifiable Parental Consent or School Authorization (in accordance with Provision II), before any Collection, use, or Disclosure of Personal Information from Children, including consent to any material change in the Collection, use, or Disclosure practices to which the Parent or School has previously consented, unless the COPPA Rule provides an exception to obtaining Verifiable Parental Consent or School Authorization;
    • avoid retaining Personal Information Collected online from a Child for longer than reasonably necessary
  • under the Proposed Order Edmodo must:
  1. refrain from Disclosing, using, or benefitting from Personal Information Collected from Children
  2. destroy all Personal Information Collected through the Edmodo Platform by Defendant from accounts that have not, by that date, provided Verifiable Parental Consent or School Authorization as described in Provisions I and II;
  3. delete or destroy any Affected Work Product. Any Affected Work Product, or Personal Information that Defendant is otherwise required to delete or destroy pursuant to this provision may be retained, and may be disclosed, as requested by a government agency or otherwise required by law, regulation, court order, or other legal obligation, including as required by rules applicable to the safeguarding of evidence in pending litigation.
  4. maintain and adhere to a retention schedule for Children’s Personal Information Collected through the Edmodo Platform email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Defendant is in compliance with each Section of this Order; (e) provide a copy of each different version of any privacy notice posted on each Website or Online Service Directed to Children operated by Defendant or sent to Parents of Children that register on each website or online service;
