On May 22, 2023, the Federal Trade Commission announced a proposed order against education technology provider Edmodo, LLC (“Edmodo”) for violations of the Children’s Online Privacy Protection Rule (“COPPA Rule”) and Section 5 of the FTC Act.
As alleged in the FTC’s complaint, until approximately September 2022, Edmodo offered a platform for virtual classes to schools and teachers in the United States and collected the personal information of students (e.g., name, email address, date of birth, phone number and persistent identifiers), including to provide advertising. Edmodo allegedly violated the COPPA Rule by: (1) failing to provide direct notice to parents of Edmodo’s information practices; (2) failing to obtain parental consent prior to collection, use or disclosure of personal information from children; and (3) retaining children’s personal information for longer than reasonably necessary to fulfill the purpose for which the information was collected. In addition, the complaint claimed that Edmodo unfairly outsourced its COPPA Rule compliance responsibilities to schools and teachers in violation of Section 5 of the FTC Act by failing to provide them with adequate information or support to meet the COPPA Rule’s requirements.
As part of the proposed order, Edmodo agreed to pay a penalty of $6 million, currently suspended due to the company’s inability to pay. If Edmodo resumes its operations in the United States, the proposed order would: (1) prohibit the company from conditioning a child’s participation in an activity on disclosing more information than reasonably necessary for that activity; (2) require the company to enter into a written agreement with a school subject to several requirements before obtaining the school’s authorization to collect information from a child; (3) prohibit the company from using children’s information for non-educational purposes, including advertising; (4) prohibit the company from relying on schools to obtain parental consent; (5) require the company to implement and adhere to a data retention schedule for children’s personal information collected through the company’s platform; and (6) require the company to delete models and algorithms developed using personal information collected from children without verifiable parental consent or school authorization.