FTC Cracks Down on Edmodo: $6 Million Penalty for Illegally Collecting Children’s Data Sparks Renewed Focus on Online Education Platforms

By Elliot Brake and Kevan Lee Deckelmann

The start of the pandemic over three years ago led to a rise in online learning and created a need for online education platforms that could facilitate remote learning. Many companies rose to the challenge and developed educational platforms to meet that urgent need. However, despite the advantages and conveniences of remote learning, vendors of online education platforms may not be complying with the stringent notice and consent requirements for children under 13 years of age found in the Children’s Online Privacy Protection Act (“COPPA”). Moreover, schools themselves are often hard-pressed to monitor their vendors’ compliance with COPPA and other relevant laws.

Last week, the Federal Trade Commission (“FTC”) made good on a 2022 policy statement in which it declared a renewed focus on the collection of children’s personal data with a particular emphasis on educational technology providers.  On May 22, the FTC filed a federal lawsuit and proposed stipulation against Edmodo LLC, a now-defunct online education provider, alleging that Edmodo collected and disclosed the personal data of hundreds of thousands of children without first obtaining the parents’ permission, in violation of COPPA. As part of the stipulation, Edmodo has agreed to $6 Million in civil penalties and an injunction.  At the crux of the FTC’s complaint is Edmodo’s collection of children’s device IDs, cookies, and IP addresses from teachers and schools, which the company then disclosed for advertising purposes. COPPA generally requires businesses to obtain verifiable parental consent prior to collecting the personal information of children under the age of 13.

The Edmodo action makes it clear that:

1. Vendors cannot shift the burden of COPPA compliance onto schools.
2. Vendors must provide parents with a clear and conspicuous notice about a platform’s data collection practices. (It is important to note that even though Edmodo did have terms and conditions that provided some of the required information, they were so confusingly written that they failed to meet COPPA’s requirement that such terms be “clearly and understandably written”).
3. Above all, vendors must obtain a parent’s verifiable consent prior to collecting the personal data of children under 13. COPPA penalties can be significant and include FTC enforcement actions, injunctive relief, and penalties of up to $50,120 per violation.

In the absence of federal privacy legislation, an increasing number of states have passed privacy laws granting consumers new rights over their personal data. These consumer rights may place significant obligations on companies that control and process personal data.