Educational technology hasn’t totally overtaken chalk dust and penmanship, but ed tech certainly has found its way into schools. A proposed settlement with Edmodo, LLC, alleges the ed tech company violated the Children’s Online Privacy Protection Act Rule and the FTC Act by collecting personal information from school kids without their parents’ consent, using that data for advertising purposes, and unfairly requiring schools and teachers to comply with COPPA on its behalf. If you’ve been wondering who bears the bottom-line responsibility for complying with COPPA in the school setting, we’ll cut to the chase: It’s the ed tech company. The action against Edmodo illustrates that fundamental principle – and much more.
Edmodo operates platforms and related apps that let teachers create accounts and invite students and parents to join their virtual classroom. Using Edmodo, teachers can host discussions, share materials, give quizzes, and communicate privately with students and parents. Edmodo offers a free version, which any teacher can use, and a paid version, to which school districts can subscribe. To register, students had to provide their name and email address. At certain times, Edmodo also asked for their date of birth and phone number.
According to the complaint, both versions of the Edmodo platform collected additional personal information from kids – for example, their school, where they were located, and a profile picture. In addition, Edmodo automatically collected certain use and device information, including cookies, IP address, and geographic location based on the IP address. What’s more, the complaint alleges Edmodo collected persistent identifiers from students’ devices and used that information to serve up advertising on its free platform.
The FTC says kids as young as kindergarteners had Edmodo accounts and the company estimated that around 600,000 students under 13 used its platform in 2020 alone. In other words, according to the complaint, Edmodo gathered all that data without parental permission and without complying with the requirements of the COPPA Rule.
So who’s responsible for COPPA compliance? Under COPPA, schools can authorize the collection of personal information from students on behalf of parents, but only in limited circumstances. A website operator like Edmodo first must notify the school of its collection, use, and disclosure practices. And schools can authorize collection, provided the personal information is used only for an educational purpose – and most certainly not to serve up ads, as Edmodo was doing.
According to the FTC, Edmodo illegally passed the COPPA compliance buck to teachers and schools. For example, when teachers opened an account, if they clicked on the Terms of Service link, if they scrolled down, and if they happened to find a paragraph buried on the bottom of the second page – all big ifs – here’s what Edmodo said:
The FTC alleges the company unfairly used that hard-to-find and hard-to-understand legalese to shift COPPA compliance responsibilities to teachers and schools. Oh no, you don’t, Edmodo.
In 2022, Edmodo shut down its operations in the United States. The terms of the proposed settlement, however, will still bind the company, including if it resumes U.S. operations in the future. Parts of the order should be familiar to those who follow the FTC’s two decades of COPPA enforcement. Other provisions track the May 2022 Policy Statement of the Federal Trade Commission on Education Technology and the Children's Online Privacy Protection Act. The following order provisions apply to Edmodo, but they merit the attention of others in the ed tech industry.
- Edmodo can’t condition a kid’s participation in an activity on disclosing more information than is reasonably necessary.
- To get a school’s authorization to collect information from a child, Edmodo must agree the data will be used just for educational purposes – and to be clear, that doesn’t include advertising or creating user profiles.
- Edmodo must stick to a retention schedule for children’s personal information, including an explanation of why the company is collecting it in the first place, the specific business need for retaining it, and a time frame for deleting it, which has to be no more than a year.
- Edmodo must delete models or algorithms it developed using information collected from kids without school authorization or their parents’ verifiable consent.
The proposed order includes a $6 million civil penalty, which will be suspended based on the company’s inability to pay.
What can other companies take from the action against Edmodo?
Reread the FTC’s Ed Tech Policy Statement. If you haven’t evaluated your company’s practices against the FTC’s Ed Tech Policy Statement, now is the time. Savvy industry members will conduct periodic reassessments as their products and practices change.
Ed tech companies can’t pass the COPPA compliance buck. This is the first FTC action alleging that it’s an unfair practice for a company to require schools and teachers to comply with COPPA on its behalf. The message to the industry is unmistakable. In the final analysis, the legal responsibility for complying with COPPA remains with the ed tech operator.
Mixing ed tech and advertising can lead to serious legal consequences. Ed tech providers may rely on schools to authorize data collection in lieu of parental consent if – and only if – the information collected from kids is used solely for educational purposes. Edmodo’s use of the data for commercial purposes is just one way in which the FTC says the company violated the law.
Consult the FTC’s Children’s Privacy page for more information about complying with COPPA.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
- We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
- We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
- We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
- We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.
First, your agency is appreciated.
Thank you for fighting for what is right.
I strongly feel that when companies are negligent, their lawyers should send out letters verses a little index card.
The reason, so many are lost in the mail. Millons can't even file if they don't receive this little index card.
I learned early in the pandemic, someone sent a post card and it didn't reach its destination until 120 years later.
Very sad, but also very true.
Again Thank You
This article is another powerful example of how the FTC is working to protect the privacy of children and to hold accountable businesses that attempt to circumvent COPPA. Many thanks to all of the hard working and dedicated FTC employees.