What Can Edtech Companies Learn From the Edmodo Case? - Key Takeaways
- Understand the role schools play in obtaining COPPA consent. The COPPA Rule allows schools to (1) serve as the parents’ agents and provide consent on a parent’s behalf or (2) act as an intermediary between operators and parents to obtain consent directly from parents. When the school acts as a parent’s agent, a company can use the child’s personal information only for educational purposes. If an edtech company wants to use a child’s personal information for commercial purposes (such as advertising), it can use the school as an intermediary to obtain consent, but only if it has given the school sufficient information and monitors whether consent is obtained.
- Remember that COPPA obligations go beyond providing notice and obtaining consent. All other obligations still apply, including data minimization and purpose limitation requirements, which involve creating a data retention schedule with enough detail for consumers to understand how long and why data is being kept. The Edmodo settlement requires Edmodo to delete personal information one year after the termination of the agreement with the school or to delete data collected directly from students one year after the data is collected (unless the parent objects to the deletion).
- Be aware of how much liability/responsibility can be shifted. Edmodo attempted to shift liability and responsibility for COPPA compliance to the schools and teachers, stating that they were “solely” responsible for compliance with its terms and conditions. The FTC found this statement to be “nonsensical” and “misleading” and explained that “[s]chools or teachers could never be solely responsible for complying with the COPPA Rule given the Rule’s other requirements, including data security, online notice, and data retention limitations.”
In this alert:
- How Does COPPA Apply in the School Setting? – A Review of What’s Required
- Where Did Edmodo Go Wrong?
- What are the FTC’s Expectations?
COPPA applies to operators of commercial websites and online services, including educational technology companies, that are directed to or have actual knowledge that they are collecting personal information from children under 13. COPPA is designed to protect the privacy of children by giving parents and guardians control over the online collection, use and disclosure of personal information from children. Providing notice and obtaining verifiable consent from parents, among other things, are key requirements under COPPA. When the FTC issued the original COPPA Rule in 1999 (only a year after COPPA was enacted, in 1998), it addressed how COPPA applies in the school setting by making it clear that:
- Schools may serve as an intermediary between operators and parents in the notice and consent process.
- Schools also have limited authority to consent on parents’ behalf.
When schools consent on behalf of parents, it is important to note that their ability to consent is limited to the educational context. Consent must be obtained from the parent if an operator collects personal information for a noneducational purpose.
In both scenarios—when schools are consenting on a parent’s behalf and when schools are acting as intermediaries—operators must continue to meet all other COPPA requirements, including the requirement to “make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives direct notice” of the operator’s information practices as they relate to children.
Edmodo’s biggest mistake was using personal information collected from children for advertising purposes without confirming that its practices met the COPPA Rule’s standards. By placing the responsibility on the school or the teachers to obtain consent without providing sufficient information and confirming that consent was in fact obtained, Edmodo failed to meet COPPA’s requirements. According to the FTC’s complaint against Edmodo, Edmodo violated COPPA in a number of ways:
- Edmodo inappropriately relied on the schools to authorize collection on behalf of parents because Edmodo used the information for noneducational purposes. While relying on teachers and schools to authorize data collection on a parent’s behalf is permissible under COPPA, teachers’ and schools’ authorization powers are limited. Regardless of how and from whom consent was being obtained, Edmodo used students’ information to serve contextual advertising—an activity that falls squarely in the category of commercial purposes unrelated to an educational service. The FTC’s complaint makes it clear that “[w]here an operator engages in such noneducational commercial purposes, it must obtain consent directly from parents.”
- In their Terms of Service, Edmodo told teachers and schools that they were solely responsible for complying with COPPA. Specifically, in the Terms of Service that teachers and schools had to agree to use, Edmodo stated that “[i]f you are a school, district, or teacher, you represent and warrant that you are solely responsible for complying with COPPA … .” The FTC also found that this attempt to outsource COPPA compliance obligations to teachers and schools was a violation of Section 5 of the FTC Act’s “unfairness prong.” Section 5 defines “unfair” practices as those that “cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.” In this case, Edmodo caused substantial injury to the schools, teachers and students that used the Edmodo platform because Edmodo failed to provide them with essential information about its data practices for proper notice and verifiable parental consent to be obtained, and as a result, students’ personal information was either illegally collected or unnecessary resources (which could have been used for other educational purposes) were expended by teachers and schools so that they could try to understand and comply with COPPA, when that was not their responsibility.
- Edmodo kept personal information indefinitely and did not have a data retention policy. Before March 2020, Edmodo indefinitely retained personal information collected online from children. Only 1 million of the 36 million student accounts that Edmodo had amassed were actively using the platform in 2020. When Edmodo did institute a policy that required it to delete student accounts that had been inactive for two years, it still failed to justify why the accounts should be kept that long and was therefore still found to violate COPPA’s provisions related to data minimization.
Edmodo is no longer operating in the U.S., but the prescriptive nature of the order suggests that the FTC is using this opportunity to signal their expectations to companies, reinforcing their “Policy Statement of the Federal Trade Commission on Education Technology and the Children’s Online Privacy Protection Act.”
Data Collection Requirements
Edmodo is required to:
- Post a clear and conspicuous link to an online notice of its data practices on the homepage of its website or the landing screen of its online service as well as in each area of the website or online service where personal information is collected.
- Before relying on a school to act as an agent and provide consent on behalf of parents, enter into an agreement with the school. The agreement must (i) provide that personal information can be used only for educational purposes; (ii) describe all personal information that is collected and how it will be used and disclosed; (iii) provide the school a link to its online notice of information practices, and recommend the school make it available on the school’s website; (iv) require a school representative to acknowledge and agree that they have authority to collect personal information from children on behalf of the school and to provide their name and title at the school; and (v) confirm that any personal information collected by Edmodo is under the direct control of the school with regard to its use and maintenance.
- Obtain verifiable parental consent or school authorization before collecting information from children that will be used for commercial purposes. A child’s participation with the service cannot be conditioned on the child disclosing more personal information than reasonably necessary to fulfill the purpose for which the information was collected.
- Apply a one-year retention window on personal information collected from children unless a longer window is determined to be reasonably necessary.