The US Federal Trade Commission (FTC) has issued a proposed consent order against edtech provider Edmodo, claiming that the company has violated the Children’s Online Privacy Protection Act (COPPA).
Children’s privacy is a stated FTC priority area, and Edmodo is not the only company to have been targeted by the FTC’s enforcement powers in 2023.
This article explains where Edmodo went wrong in the eyes of the FTC.
Edmodo and COPPA
Edmodo’s edtech platform provides “virtual classrooms”, enabling teachers to share materials, conduct assessments, and communicate with students.
There are premium and free versions of Edmodo’s services, which include student-facing mobile apps that collect children’s personal information from students and teachers.
COPPA was passed in 2000 and received an update in 2012 to cover edtech providers such as Edmodo.
At its core, COPPA requires certain entities to provide notice to parents and obtain their consent before collecting, using, or disclosing personal information about children under 13 (with some exceptions).
COPPA defines “personal information” as the following categories of data:
- First and last name
- Home or other physical address
- Online contact information
- Username (if it functions are online contact information)
- Phone number
- Social security number
- A persistent identifier that identifies a user over time and across websites or online services, e.g. cookie ID, IP address, device serial number, or unique device identifier
- Photograph, video, or audio file containing a child’s image or voice
- Geolocation information that identifies a street name and name of a city or town
- Information concerning the child or their parents, collected online by the operator and combined with one of the above identifiers
Edmodo is an “operator” under COPPA. The “operator” definition is complicated but effectively describes a company that collects children’s personal information in connection with providing online services to schools.
The FTC’s complaint concerns Edmodo’s activities until September 2022, when the company stopped providing its platform to US schools.
Failing to provide notice to schools
The FTC claims that Edmodo failed to provide parents or school representatives with appropriate notice before collecting, using, or disclosing children’s personal information.
Edmodo’s contracts with schools stated that the company relied on schools to provide notice to (and obtain consent from) parents, either:
- By acting on behalf of parents, or
- By acting as intermediaries between the operator and parents.
This practice is allowed under COPPA as an alternative to the operator providing notice to or obtaining consent from parents directly.
But, in order to rely on a school to provide notice to parents, an operator must provide the school with certain information about its practices.
As such, the company could not rely on schools to obtain consent from parents—either by acting on parents’ behalf or by acting as an intermediary between Edmodo and parents.