The Federal Trade Commission (FTC) doesn’t shy away from taking enforcement action against organizations that violate laws put in place to protect the privacy of individuals.
On May 22, 2023, the Federal Trade Commission (FTC) announced a proposed order against Edmodo, an educational technology platform, for violations of the Children’s Online Privacy Protection Act (COPPA) Rule and Section 5 of the Federal Trade Commission Act (FTC Act). On June 28, 2023, Edmodo settled with the Department of Justice and the Federal Trade Commission, agreeing to a permanent injunction and a $6 million civil monetary penalty. However, the monetary penalty is suspended due to the company’s inability to pay as it shut down its operations on September 22, 2022.
As per the FTC’s complaint, until its closure of business in September 2022, Edmodo offered a platform for virtual classes to schools and teachers in the United States and collected the personal information of students (e.g., name, email address, date of birth, phone number and persistent identifiers), which it used to provide advertisements. The organization allegedly violated the COPPA Rule by:
Additionally, the organization violated the FTC Act by unfairly requiring schools to follow the COPPA Rule on its behalf without providing them with the necessary information or assistance to do so. Online businesses and websites targeting children under the age of 13 are required by the COPPA Rule to inform parents about the personal information they collect and to obtain verifiable parental consent before doing so.
Even though Edmodo has ceased operations, its settlement with the Department of Justice and the Federal Trade Commission enjoins it from the following, sending a clear message about what is expected of organizations and the importance of ensuring compliance with applicable regulations:
Notably, the FTC also requires Edmodo to delete models or algorithms developed using personal information collected from children without verifiable parental consent or school authorization. With the increasing use of artificial intelligence by businesses, it is crucial for organizations to comply with the applicable laws while collecting and using data for training their algorithms.
To comply with COPPA and the FTC Act, organizations, particularly Edtech companies in this case, must adhere to a set of guidelines and best practices designed to protect the privacy and personal information of children under the age of 13. These consist of the following:
Stay informed about amendments to any legal framework that applies to or may affect your organization. Doing this ensures you follow the COPPA rules or any other regulations and avoid enforcement actions and noncompliance penalties.
With a few exceptions, the general rule under COPPA is that organizations must directly notify parents/guardians of children and seek their verifiable consent "before" collecting children’s personal data on online platforms. Parents or guardians should be able to approve the controller's collection of children's personal data for internal use, with disclosure of that data to third parties prohibited unless the controller specifically notifies them that the disclosure is absolutely necessary for the digital platform.
The COPPA Rule empowers schools either to act as parents' representatives and obtain consent on their behalf or to operate as an intermediary between operators and parents so that consent is obtained directly from parents. An organization can only utilize a child's personal information for educational purposes when the school acts as the parent's agent. An Edtech company may use the school as an intermediary to obtain consent if it intends to use a child's personal information for commercial (such as advertising) purposes, but only if it has provided the school with adequate information and monitors whether consent is obtained.
Edtech organizations, or other organizations in general, should only collect information that is necessary for the proper functioning of their services. Without the parents' explicit consent, they should refrain from collecting sensitive personal information such as social security numbers or addresses.
Children's personal information should only be kept by organizations for as long as is necessary to achieve the purposes for which it was collected. When the data is no longer required, it should be safely deleted.
To protect the personal information they collect from children, Edtech companies should implement the necessary security measures, including access controls, encryption, regular security audits, etc. Furthermore, only organizations qualified to uphold the security and confidentiality of the data should be given access to children’s personal information.
Edtech organizations should provide parents with options to limit the collection and use of their children's information, and with access to review the personal information collected about their children.
It is critical that organizations train their employees as well as third-party contractors about COPPA requirements and recommended procedures for safeguarding children's privacy, including training on data processing, security procedures, and the significance of upholding privacy standards.
Edtech companies should conduct regular audits, such as assessing data collection procedures, privacy policies, and security precautions, to find potential vulnerabilities or development opportunities.
Children should not be required to provide more personal information than necessary to participate in any online activity.
Here’s more on the FTC’s COPPA compliance plan.
Protecting consumers’ data, especially children's, has never been more crucial. With data being collected and processed at an alarming rate, automation is the only way to ensure swift compliance with the requirements and obligations of evolving laws.
Securiti’s DataControls Cloud framework enables organizations to identify and classify data, protect data systems, establish sensitive data intelligence, govern access to sensitive data, ensure consent management, analyze the impact of data breaches and respond promptly, automate individual data requests, automate data privacy obligations, analyze data lineage, and so much more.