What EdTech Companies Can Learn From the FTC'S Action Against Edmodo

What Can Edtech Companies Learn From the Edmodo Case? - Key Takeaways 

1. Understand the role schools play in obtaining COPPA consent. The COPPA Rule allows schools to (1) serve as the parents’ agents and provide consent on a parent’s behalf or (2) act as an intermediary between operators and parents to obtain consent directly from parents. When the school acts as a parent’s agent, a company can use the child’s personal information only for educational purposes. If an edtech company wants to use a child’s personal information for commercial purposes (such as advertising), it can use the school as an intermediary to obtain consent, but only if it has given the school sufficient information and monitors whether consent is obtained. 
2. Remember that COPPA obligations go beyond providing notice and obtaining consent. All other obligations still apply, including data minimization and purpose limitation requirements, which involve creating a data retention schedule with enough detail for consumers to understand how long and why data is being kept. The Edmodo settlement requires Edmodo to delete personal information one year after the termination of the agreement with the school or to delete data collected directly from students one year after the data is collected (unless the parent objects to the deletion).
3. Be aware of how much liability/responsibility can be shifted. Edmodo attempted to shift liability and responsibility for COPPA compliance to the schools and teachers, stating that they were “solely” responsible for compliance with its terms and conditions. The FTC found this statement to be “nonsensical” and “misleading” and explained that “[s]chools or teachers could never be solely responsible for complying with the COPPA Rule given the Rule’s other requirements, including data security, online notice, and data retention limitations.”

In this alert:

• How Does COPPA Apply in the School Setting? – A Review of What’s Required
• Where Did Edmodo Go Wrong?
• What are the FTC’s Expectations?

How Does COPPA Apply in the School Setting? – A Review of What’s Required

COPPA applies to operators of commercial websites and online services, including educational technology companies, that are directed to or have actual knowledge that they are collecting personal information from children under 13. COPPA is designed to protect the privacy of children by giving parents and guardians control over the online collection, use and disclosure of personal information from children. Providing notice and obtaining verifiable consent from parents, among other things, are key requirements under COPPA. When the FTC issued the original COPPA Rule in 1999 (only a year after COPPA was enacted, in 1998), it addressed how COPPA applies in the school setting by making it clear that:

• Schools may serve as an intermediary between operators and parents in the notice and consent process.

• Schools also have limited authority to consent on parents’ behalf.

When schools consent on behalf of parents, it is important to note that their ability to consent is limited to the educational context. Consent must be obtained from the parent if an operator collects personal information for a noneducational purpose.

In both scenarios—when schools are consenting on a parent’s behalf and when schools are acting as intermediaries—operators must continue to meet all other COPPA requirements, including the requirement to “make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives direct notice” of the operator’s information practices as they relate to children. 

Note that direct notice is separate from an online notice, such as a privacy policy.

Where Did Edmodo Go Wrong?

Edmodo’s biggest mistake was using personal information collected from children for advertising purposes without confirming that its practices met the COPPA Rule’s standards. By placing the responsibility on the school or the teachers to obtain consent without providing sufficient information and confirming that consent was in fact obtained, Edmodo failed to meet COPPA’s requirements. According to the FTC’s complaint against Edmodo, Edmodo violated COPPA in a number of ways:

• Edmodo failed to provide teachers and schools with the information they needed in order to obtain consent for the use of children’s personal information. When teachers and schools signed up for Edmodo, they didn’t receive any information about their role or expected duties other than a short paragraph buried at the bottom of the Terms of Service stating that they must obtain advance written consent from all parents or guardians and that they must keep all consents on file and provide those consents to Edmodo upon request. The FTC found this language to be insufficient, given the lack of instructions on how teachers and schools could accomplish this task. The only information provided regarding Edmodo’s data practices was the following consent language in small font on the registration page: “By signing up, you agree to our Terms of Service and Privacy Policy.” The FTC explained in its complaint that neither document could serve as the direct notice. The Terms of Service did not meet the requirement that direct notice be “clearly and understandably written [and] complete, and [contain] no unrelated, confusing, or contradictory materials” because it contained extraneous information (e.g., information about intellectual property, publishers of third-party content). As COPPA requires a direct notice and an online notice, the Privacy Policy could not serve as both. Finally, even if either document satisfied the direct notice requirement under COPPA, Edmodo still failed to make reasonable efforts to ensure that the teachers actually received the notice, because Edmodo did not require teachers to click on the link to the documents or review them before creating an Edmodo account. All of this was compounded by the fact that Edmodo did not follow up with schools to assist with COPPA compliance or to determine whether, in fact, they provided the necessary notice and obtained verifiable consent.

• Edmodo inappropriately relied on the schools to authorize collection on behalf of parents because Edmodo used the information for noneducational purposes. While relying on teachers and schools to authorize data collection on a parent’s behalf is permissible under COPPA, teachers’ and schools’ authorization powers are limited. Regardless of how and from whom consent was being obtained, Edmodo used students’ information to serve contextual advertising—an activity that falls squarely in the category of commercial purposes unrelated to an educational service. The FTC’s complaint makes it clear that “[w]here an operator engages in such noneducational commercial purposes, it must obtain consent directly from parents.”

• In their Terms of Service, Edmodo told teachers and schools that they were solely responsible for complying with COPPA. Specifically, in the Terms of Service that teachers and schools had to agree to use, Edmodo stated that “[i]f you are a school, district, or teacher, you represent and warrant that you are solely responsible for complying with COPPA … .” The FTC also found that this attempt to outsource COPPA compliance obligations to teachers and schools was a violation of Section 5 of the FTC Act’s “unfairness prong.” Section 5 defines “unfair” practices as those that “cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.” In this case, Edmodo caused substantial injury to the schools, teachers and students that used the Edmodo platform because Edmodo failed to provide them with essential information about its data practices for proper notice and verifiable parental consent to be obtained, and as a result, students’ personal information was either illegally collected or unnecessary resources (which could have been used for other educational purposes) were expended by teachers and schools so that they could try to understand and comply with COPPA, when that was not their responsibility. 

• Edmodo kept personal information indefinitely and did not have a data retention policy. Before March 2020, Edmodo indefinitely retained personal information collected online from children. Only 1 million of the 36 million student accounts that Edmodo had amassed were actively using the platform in 2020. When Edmodo did institute a policy that required it to delete student accounts that had been inactive for two years, it still failed to justify why the accounts should be kept that long and was therefore still found to violate COPPA’s provisions related to data minimization.

What are the FTC’s Expectations?

Edmodo is no longer operating in the U.S., but the prescriptive nature of the order suggests that the FTC is using this opportunity to signal their expectations to companies, reinforcing their “Policy Statement of the Federal Trade Commission on Education Technology and the Children’s Online Privacy Protection Act.”

Data Collection Requirements 

Edmodo is required to:

• Post a clear and conspicuous link to an online notice of its data practices on the homepage of its website or the landing screen of its online service as well as in each area of the website or online service where personal information is collected.
• Before relying on a school to act as an agent and provide consent on behalf of parents, enter into an agreement with the school. The agreement must (i) provide that personal information can be used only for educational purposes; (ii) describe all personal information that is collected and how it will be used and disclosed; (iii) provide the school a link to its online notice of information practices, and recommend the school make it available on the school’s website; (iv) require a school representative to acknowledge and agree that they have authority to collect personal information from children on behalf of the school and to provide their name and title at the school; and (v) confirm that any personal information collected by Edmodo is under the direct control of the school with regard to its use and maintenance.
• Obtain verifiable parental consent or school authorization before collecting information from children that will be used for commercial purposes. A child’s participation with the service cannot be conditioned on the child disclosing more personal information than reasonably necessary to fulfill the purpose for which the information was collected.
• Apply a one-year retention window on personal information collected from children unless a longer window is determined to be reasonably necessary.