The Federal Trade Commission (FTC) does not shy away from taking enforcement action against organizations that violate laws put in place to protect the privacy of individuals.
On May 22, 2023, the Federal Trade Commission (FTC) announced a proposed order against Edmodo, an educational technology platform, for violations of the Children’s Online Privacy Protection Act (COPPA) Rule and Section 5 of the Federal Trade Commission Act (FTC Act). On June 28, 2023, Edmodo settled with the Department of Justice and the Federal Trade Commission, agreeing to a permanent injunction and a $6 million civil monetary penalty. However, the monetary penalty is suspended due to the company’s inability to pay as it shut down its operations on September 22, 2022.
As per the FTC’s complaint, until its closure of business in September 2022, Edmodo offered a platform for virtual classes to schools and teachers in the United States and collected the personal information of students (e.g., name, email address, date of birth, phone number and persistent identifiers), which it used to provide advertisements. The organization allegedly violated the COPPA Rule by:
Additionally, the organization violated the FTC Act by unfairly requiring schools to follow the COPPA Rule on its behalf without providing them with the necessary information or assistance to do so. Online businesses and websites targeting children under the age of 13 are required by the COPPA Rule to inform parents about the personal information they collect and to obtain verifiable parental consent before doing so.
Even though Edmodo has ceased operations, its settlement with the Department of Justice and the Federal Trade Commission enjoins it from the following, sending a clear message regarding the expectations from the organizations and the importance of ensuring compliance with applicable regulations:
Notably, the FTC also requires Edmodo to delete models or algorithms developed using personal information collected from children without verifiable parental consent or school authorization. With the increasing use of artificial intelligence by businesses, it is crucial for organizations to comply with the applicable laws while collecting and using data for training their algorithms.
To comply with COPPA and the FTC Act, organizations, particularly Edtech in this case, must adhere to a set of guidelines and best practices designed to protect the privacy and personal information of children under the age of 13. These consist of the following:
Be informed about any legal framework amendments that apply or may affect your organization. Doing this ensures you follow the COPPA rules or any other regulations and avoid enforcement actions and noncompliance penalties.
With a few exceptions, the general rule under COPPA is that organizations must directly notify parents/guardians of children and seek their verifiable consent "before" collecting children’s personal data on online platforms. Parents should be able to approve the controller's collection of children's personal data for internal use while prohibiting the disclosure of that data to third parties, unless the controller specifically notifies them that the disclosure is absolutely necessary for the digital platform.
The COPPA Rule empowers schools either to act as parents' representatives and obtain consent on their behalf or to operate as an intermediary between operators and parents so that consent is obtained directly from parents. An organization can only utilize a child's personal information for educational purposes when the school acts as the parent's agent. An Edtech company may use the school as an intermediary to obtain consent if it intends to use a child's personal information for commercial (such as advertising) purposes, but only if it has provided the school with adequate information and monitors whether consent is obtained.
Ensure that the organization's activities regarding the collection and processing of children's personal data are clearly outlined in the privacy policy. The privacy policy should outline the data controllers, the categories of data collected, how that data is used and disclosed, and the parents' rights to review, update, or delete their child's personal data and prohibit further data collection and use. The privacy policy should not contain any irrelevant, contradictory, or confusing information.
Edtech organizations, or other organizations in general, should only collect information that is necessary for the proper functioning of their services. Without the parents' explicit consent, they should refrain from collecting sensitive personal information such as social security numbers or addresses.
Children's personal information should only be kept by organizations for as long as is necessary to achieve the purposes for which it was collected. When the data is no longer required, it should be safely deleted.
To protect the personal information they collect from children, Edtech companies should implement the necessary security measures, including access controls, encryption, regular security audits, etc. Furthermore, only organizations qualified to uphold the security and confidentiality of the data should be given access to children’s personal information.
Edtech organizations should give parents options to limit the collection and use of their children's information, along with access to review the personal information collected about their children.
It is critical that organizations train their employees as well as third-party contractors about COPPA requirements and recommended procedures for safeguarding children's privacy, including training on data processing, security procedures, and the significance of upholding privacy standards.
Edtech companies should conduct regular audits, such as assessing data collection procedures, privacy policies, and security precautions, to find potential vulnerabilities or development opportunities.
Children should not be required to provide more personal information than necessary to participate in any online activity.
Here’s more on the FTC’s COPPA compliance plan.
Protecting consumers’ data, especially children's, has never been more crucial. With data being collected and processed at an alarming rate, automation is the only way to ensure swift compliance with the requirements and obligations of evolving laws.
Securiti’s DataControls Cloud framework enables organizations to identify and classify data, protect data systems, establish sensitive data intelligence, govern access to sensitive data, ensure consent management, analyze the impact of data breaches and respond promptly, automate individual data requests, automate data privacy obligations, analyze data lineage, and so much more.