FTC Publishes Proposed Order Against Ed Tech Provider Edmodo

On
May
22,
2023,
the
Federal
Trade
Commission

announced
a

proposed
order
against
education
technology
provider
Edmodo,
LLC
(“Edmodo”)
for
violations
of
the
Children’s
Online
Privacy
Protection
Rule
(“COPPA
Rule”)
and
Section
5
of
the
FTC
Act.

As
alleged
in
the
FTC’s

complaint,
until
approximately
September
2022,
Edmodo
offered
a
platform
for
virtual
classes
to
schools
and
teachers
in
the
United
States
and
collected
the
personal
information
of
students
(e.g.,
name,
email
address,
date
of
birth,
phone
number
and
persistent
identifiers),
including
to
provide
advertising.
Edmodo
allegedly
violated
the
COPPA
Rule
by:
(1)
failing
to
provide
direct
notice
to
parents
of
Edmodo’s
information
practices;
(2)
failing
to
obtain
parental
consent
prior
to
collection,
use
or
disclosure
of
personal
information
from
children;
and
(3)
retaining
children’s
personal
information
for
longer
than
reasonably
necessary
to
fulfill
the
purpose
for
which
the
information
was
collected.
In
addition,
the
complaint
claimed
that
Edmodo
unfairly
outsourced
its
COPPA
Rule
compliance
responsibilities
to
schools
and
teachers
in
violation
of
Section
5
of
the
FTC
Act
by
failing
to
provide
them
with
adequate
information
or
support
to
meet
the
COPPA
Rule’s
requirements.

As
part
of
the

proposed
order,
Edmodo
agreed
to
pay
a
penalty
of
$6
million,
currently
suspended
due
to
the
company’s
inability
to
pay.
If
Edmodo
resumes
its
operations
in
the
United
States,
the
proposed
order
would:
(1)
prohibit
the
company
from
conditioning
a
child’s
participation
in
an
activity
on
disclosing
more
information
than
reasonably
necessary
for
that
activity;
(2)
require
the
company
to
enter
into
a
written
agreement
with
a
school
subject
to
several
requirements
before
obtaining
the
school’s
authorization
to
collect
information
from
a
child;
(3)
prohibit
the
company
from
using
children’s
information
for
non-educational
purposes,
including
advertising;
(4)
prohibit
the
company
from
relying
on
schools
to
obtain
parental
consent;
(5)
require
the
company
to
implement
and
adhere
to
a
data
retention
schedule
for
children’s
personal
information
collected
through
the
company’s
platform;
and
(6)
require
the
company
to
delete
models
and
algorithms
developed
using
personal
information
collected
from
children
without
verifiable
parental
consent
or
school
authorization.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts