Data Privacy

FTC Suit Against Edmodo is a Warning Shot for Ed Tech, Data Privacy Attorneys Say

First-of-its-Kind Data Privacy Lawsuit Against Edmodo Offers Warnings, Lessons for Ed Tech Providers and Schools

Data privacy attorneys have spent the past few weeks analyzing a first-of-its-kind FTC lawsuit against an ed tech provider — and some see it as a warning for ed tech companies and K–12 educators who prefer to avoid running afoul of the Federal Trade Commission.

In late May, attorneys from the FTC and the Department of Justice filed a complaint and a proposed settlement agreement in U.S. District Court for the Northern District of California; the court actions followed a year-long investigation of Edmodo, an online learning platform founded in 2008 that boasted 100 million users around the world before it shuttered its U.S. operations last September. 

In its complaint, FTC and DOJ attorneys charge Edmodo with collecting personal data unrelated to educational purposes from at least 36 million U.S. children without parents’ consent and using that data for advertising, and for unlawfully outsourcing its data privacy compliance responsibilities to schools, in violation of the Children’s Online Privacy Protection Act Rule.

Edmodo announced last August that it would cease U.S. operations three weeks later, offering no explanation on the Edmodo website, and stating that all students’ and teachers’ data would be permanently deleted after Sept. 22, 2022. 

The recent court filing of the FTC complaint and settlement, though, make clear that Edmodo ceased operating in the United States only after it became the target of the feds’ investigation for data privacy violations. 

The proposed settlement order — agreed to by Edmodo CEO Vincent P. Riera and its attorneys at Orrick, Herrington & Sutcliffe of Washington, D.C. — demands that Edmodo pay a penalty of $6 million, and it spells out a number of actions the company must take to rectify its illegal data collection and retention practices, if it resumes operations in the United States.

Meanwhile, attorneys who specialize in data privacy law and education technology say the detailed complaint should be closely reviewed by both ed tech providers and educators, particularly those who oversee ed tech procurement, implementation, and data privacy compliance.

Attorney Harris S. Freier, partner at Genova Burns LLC and head of the firm’s Privacy and Cybersecurity Practice, told THE Journal that Edmodo’s data collection practices were “more extreme” — and more blatantly outside the law — than those of most ed tech providers, but the FTC complaint offers a number of lessons for ed tech vendors and schools, as some of Edmodo’s practices are not uncommon.

“This should serve as a wake-up call to school districts and educators who have to understand what the business model is of whatever free virtual service they're using as a vital first step in determining whether or not that product or platform will bring privacy implications,” Freier said. “Another lesson is that educators must actually read the fine print, the privacy and data policies. School districts and educators must consider how any of these providers who provide virtual learning — how they are actually making money. Prudence requires some investigation to try to figure that out before signing on, because otherwise, schools are more likely to end up with something like Edmodo, where children's data is being used for non-educational purposes without the required parental consent.” 

Data privacy attorneys Chanda Marlowe and Jessica B. Lee of Loeb & Loeb said the FTC complaint and accompanying settlement order offer several warnings for other ed tech companies. 

“Edmodo’s biggest mistake was using personal information collected from children for advertising purposes without confirming that its practices met the COPPA Rule’s standards,” they said. “By placing the responsibility on the school or the teachers to obtain consent without providing sufficient information and confirming that consent was in fact obtained, Edmodo failed to meet COPPA’s requirements.”

Edmodo’s Missteps Detailed in FTC Complaint

1) Collecting Data Not Necessary for Education Without Parental Consent 

According to the complaint filed with the court, both the free and premium versions of the Edmodo platform collected far more personal information from students than was needed for educational purposes, and it did so without informed parental consent. 

After students created an account on both the free and premium versions of Edmodo, “Defendant allowed students to provide additional information to Defendant such as school name, phone number, location, and a profile picture,” the FTC said in its complaint. “Defendant also automatically collected certain usage and device information, including cookies, IP address, device type, operating system, browser type and ID, and geographic location based on IP address.

“Additionally, between at least 2018 and September 2022, Defendant collected personal information from users in the United States in the form of persistent identifiers from students’ devices and used that personal information to serve contextual advertising to students via the Free Platform, including students under 13. Between at least 2018 and September 2022, Defendant allowed its third-party advertising partners to collect persistent identifiers in the form of IP addresses from student users in the United States, enabling advertisers to identify the device on which to serve the contextual ad.

The FTC said that children as young as kindergarteners had Edmodo accounts, and that about 600,000 students under 13 used the Edmodo platform in 2020 alone. 

This constitutes multiple violations of COPPA, according to a statement by the FTC accompanying the court filings. 

“Edmodo violated the COPPA Rule by failing to provide information about the company’s data collection practices to schools and teachers, and failing to obtain verifiable parental consent,” said the FTC. “The COPPA Rule requires online services and websites directed to children under 13 to notify parents about the personal information they collect and obtain verifiable parental consent for the collection and use of that information.”

2) Problems with Putting Compliance Solely on Educators 

The FTC also said Edmodo’s attempt to “outsource” COPPA compliance to the teachers and schools using its platform was illegal — and in a number of ways.

“Defendant could not rely on schools and teachers to provide authorization as agents of parents for two reasons,” the agency said in the complaint. “First, Defendant never provided the schools or teachers with direct notice of its practices, thereby preventing the schools from providing authorization on behalf of parents. Second, a school’s or teacher’s ability to serve as the parent’s agent is limited to the educational context: Defendant could not rely on schools or teachers to serve as a parent’s agent because Defendant used children’s personal information for a non-educational purpose (advertising).”

The only “notice” provided during the sign-up process for teachers, the FTC noted, was a line in small print at the bottom that read: “By signing up, you agree to our Terms of Service and Privacy Policy.” 

Neither the Terms of Service nor the Privacy Policy meets COPPA’s direct notice requirements, the agency said, because teachers were not required to click on those documents nor review them before creating an account and using the platform. 

And even if they had been required to review the documents in order to create their account, add students, and use the Edmodo platform, both documents “contained a host of information unrelated to Defendant’s collection, use, or disclosure of personal information of children using the Edmodo Platform, including information about international legal agreements, intellectual property, and publishers of third-party content, among others,” the FTC said in its complaint. “This was a clear violation of 16 C.F.R. § 312.4(a), which requires that the direct notice be ‘clearly and understandably written [and] complete, and [contain] no unrelated, confusing, or contradictory materials.’ By including such extraneous information, Defendant failed to provide proper direct notice under the COPPA Rule.”

The complaint also noted that an online Privacy Policy cannot serve “dual functions as direct notice and online notice,” both of which are required by COPPA.

Additionally, the FTC said that even if the data collection notices had been delivered as required by COPPA, both in an online form and a direct form, Edmodo was still violating COPPA.

“Even if Defendant had given proper notice to teachers and schools, Defendant could not rely on schools or teachers as agents to provide authorization on behalf of parents, because Defendant used students’ information to serve contextual advertising, a commercial purpose unrelated to an educational service,” the agency said in the complaint. “Where an operator engages in such non-educational commercial uses, it must obtain consent directly from the parents.”

3) Faulty Data Retention Practices

Edmodo had no data retention policy prior to March 2020, and it kept students’ personal information indefinitely, the FTC said. In 2020, Edmodo retained PII from 36 million student accounts, while only about 1 million of those were still active, according to the complaint. 

When Edmodo changed its retention practices to delete student accounts after a two-year period of inactivity, the FTC said it failed to justify the retaining of students’ personal information for even that long and remained in violation of COPPA.

What the FTC Order Demands of Edmodo 

The proposed settlement order prohibits Edmodo from asking students for any personal data that isn’t necessary for them to participate in online educational activities; the order also levies a penalty of $6 million on Edmodo but suspends the fine due to “inability to pay.”

The settlement also includes the following additional injunctions:

  • Prohibiting Edmodo from conditioning a child’s participation in an activity on the child disclosing more information than is reasonably necessary to participate in such activity;

  • Requiring the company to complete several requirements before obtaining school authorization to collect information from a child;

  • Prohibiting the company from using children’s information for non-educational purposes such as advertising or building user profiles;

  • Banning the company from using schools as intermediaries in the parental consent process;

  • Requiring the company to implement and adhere to a retention schedule that details what information it collects, what the data is used for and a time frame for deleting it; and

  • Requiring Edmodo to delete models or algorithms developed using personal information collected from children without verifiable parental consent or school authorization.

Significance for All Ed Tech Providers

The complaint and proposed settlement order are “a first” for the FTC and are closely aligned with a policy statement the FTC issued in May 2022, which warned education technology companies about forcing parents and schools to provide personal data about children in order to participate in online education. 

“This order makes clear that ed tech providers cannot outsource compliance responsibilities to schools, or force students to choose between their privacy and education,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Other ed tech providers should carefully examine their practices to ensure they’re not compromising students’ privacy.”

Freier said he hopes ed tech companies will heed the agency’s warning in the Edmodo actions and find other ways besides data-trafficking to make their profits.

“If education technology companies are not going to be able to make profit without selling the private data of children, then it's not a business they should be in — because eventually, they're going to get caught,” he said. “There is a way under COPPA for parents to consent for this information to be used for such non-educational purposes as advertising, but it requires very explicit parental consent.

“And what parent is ever going to actually consent to say, ‘Yes, use my child's data’? Very few parents would actually sign that. This action against Edmodo sends a message that the FTC is not going to allow ed tech companies to profit off children’s data without explicit parental consent, which they're never actually going to get.”