In the education space, the Federal Trade Commission (FTC) announced an enforcement order against edtech company Edmodo, who it alleged to have violated the Children’s Online Privacy Protection Act (COPPA). Edmodo, a business-to-consumer (B2C) online learning platform, provides K-12 teachers with tools to connect with students and parents, such as virtual classroom spaces. COPPA primarily applies to operators of commercial websites/online services directed to children under 13 years old that collect, use, or disclose personal information from children; it also applies to operators of commercial websites/online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.

In its complaint, the FTC alleged that Edmodo violated COPPA by collecting, using, and disclosing personal information from children without obtaining “verifiable parental consent” and by retaining the personal information collected for longer than the FTC asserted was reasonably necessary to fulfill the purpose for which it was collected. The FTC alleged that Edmodo could not rely on schools as agents for providing parental consent when using students’ personal information for a commercial—not educational—purpose (i.e., contextual advertising). It also alleged that Edmodo failed to provide a direct notice to the school, as required under COPPA. In addition, the FTC alleged that Edmodo had illegally delegated its COPPA compliance obligations to schools under its terms of use in violation of Section 5 of the FTC Act. This case contains a few notable firsts in an edtech context, including the first time the FTC has alleged an unfair trade practice in the context of an operator’s interaction with schools. Through this enforcement action, the FTC continues to reinforce its position that edtech providers cannot offboard their privacy obligations to the schools they service.

This Update discusses the key points of the enforcement order.

• Edtech providers bear the bottom-line responsibility of complying with COPPA. Edmodo’s terms of use attempted to shift their responsibility for COPPA compliance to schools by stating, “If you are a school, district, or teacher, you represent and warrant that you are solely responsible for complying with COPPA, meaning that you must obtain advance written consent from all parents or guardians whose children under 13 will be accessing the Services ...” The FTC alleged that this shifting of responsibility violated the FTC Act’s prohibition on unfair practices, noting in its complaint, “operators alone, and not schools, teachers, or any other third party, are ultimately responsible for complying with the COPPA Rule.”
• Edtech providers who wish to rely on school authorization for collecting, using, and/or disclosing children’s personal information must ensure they meet all applicable requirements. Although edtech providers can’t shift responsibility for COPPA compliance to schools, they can rely on schools to provide authorization on behalf of parents instead of obtaining consent directly from parents, but only if certain requirements are met (these requirements are described in Section N of the FTC’s COPPA FAQs and in the FTC’s May 2022 Policy Statement of the Federal Trade Commission on Education Technology and the Children’s Online Privacy Protection Act):
  • First, edtech providers must make reasonable efforts, taking into account available technology, to ensure that the school receives a “direct notice” of the provider’s collection, use, and disclosure of children’s personal information. The FTC’s COPPA FAQ says that the direct notice provided to schools should be of the same type as what would be given to the parent under COPPA, and the case against Edmodo bears this out. The complaint stated that the hyperlinks to Edmodo’s terms of service and privacy policy were not sufficient to meet the direct notice requirement, both because teachers were not required to click on or review the linked documents and because the documents included a host of information unrelated to Edmodo’s privacy practices with respect to children. The complaint also noted that the privacy policy could not serve a dual function as the direct notice, as COPPA requires both a direct notice and a privacy policy.
  • Second, FTC’s COPPA FAQ provides that edtech providers can rely on authorization from schools (acting as agents for parents) only when the use of children’s personal information is solely for the use and benefit of the school and for no commercial purpose. The FTC Policy Statement further specifies that such use may be only to provide the school-requested online service. This case makes clear that the FTC takes the position that any use of such information for a commercial purpose unrelated to the provision of the school-requested online service, including contextual advertising, eliminates the ability to rely on the school for parental consent. Without that option, edtech providers subject to COPPA must obtain consent directly from parents.
• Edtech providers should not retain children’s data for longer than is reasonably necessary and must be prepared to justify their retention periods. COPPA requires operators to retain children’s personal information only as long as is reasonably necessary to fulfill the purpose for which it was collected. Until at least March 2020, Edmodo retained personal information indefinitely. After that, it implemented a practice of retaining data for two years after accounts became inactive, but the FTC alleged that Edmodo had failed to justify why this two-year period was reasonably necessary, so their retention practices violated COPPA.

Takeaway

This case, along with the FTC’s Policy Statement issued last year, offers helpful guidance to edtech providers regarding the FTC’s views on COPPA compliance in the school context. Edtech providers who are relying on school authorization should do the following:

• Limit their use of personal information to educational purposes.
• Provide a direct notice to the school (and make reasonable efforts to ensure the school receives such direct notice).
• Avoid language in their terms that tries to shift responsibility for COPPA compliance to the schools.

Edtech providers should also consider whether they are retaining children’s data for longer than is reasonably necessary to fulfill the purpose for which it was collected and whether they can justify their retention periods.

*The authors would like to acknowledge Summer Associate Nithya Kiron for her contributions to this Update.

© 2023 Perkins Coie LLP