Edmodo, LLC allegedly collected names, email addresses, phone numbers, device information, and IP addresses of approximately 36 million children under 13 for advertising purposes until approximately September 2022 and “retaining this personal information indefinitely”
The Department of Justice, together with the Federal Trade Commission (FTC), today announced that Edmodo, LLC (Edmodo) has agreed to a permanent injunction and a $6 million civil penalty in connection with its online educational platform, as part of a settlement to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA), the Children’s Online Privacy Protection Rule (COPPA Rule), and the Federal Trade Commission Act. The civil penalty is suspended due to Edmodo’s inability to pay.
The Edmodo educational platform, sold to schools throughout the United States, enabled teachers to interface with students, including children under 13 years old, to host virtual class spaces, conduct discussions, share materials, make assignments, and provide quizzes and grades, among other things. In a complaint filed in the U.S. District Court for the Northern District of California, the government alleges that, until approximately September 2022, Edmodo collected the personal information of children under 13, including their names, email addresses, phone numbers, device information, and IP addresses. Edmodo allegedly collected such information without providing notice to the children’s parents or obtaining parental authorization to collect such personal information, as required by the COPPA Rule, and used this personal information to enable third parties to display targeted advertising to student users between 2018 and September 2022.
According to a May 2023 article by Human Rights Watch, “Edmodo was a website and app widely used by children in kindergarten, elementary, and middle schools across the US until September 2022, when the company pivoted to only selling its product to governments. The company benefited from explosive demand in 2020, reporting a 1,500 percent increase in users in the first five months of the pandemic as governments and schools rushed to connect children to online learning.
An investigation by Human Rights Watch in May 2022 found that Edmodo was designed with the capacity to surveil children and harvest their personal data for advertising. Our technical analysis found that Edmodo could not only invisibly tag children and identify their devices for the sole purpose of advertising to them, but also enabled other advertisers to do the same by embedding ad-specific third-party code on its platform. After multiple requests for comment, Edmodo told Human Rights Watch in July 2022 that it did ‘not share [its students’] personal data with any Edmodo business partners or third parties.’”
The complaint further asserts that Edmodo was retaining this personal information indefinitely. As of March 2020, Edmodo retained the personal information associated with approximately 36 million student accounts, of which only one million were actively using the platform. This indefinite retention violated COPPA’s requirement that an operator not retain personal information of children for longer than “reasonably necessary to fulfill the purpose for which [the information] was collected.”
The stipulated order, entered by the federal district court yesterday, enjoins Edmodo from collecting personal information from children in a manner that violates the COPPA Rule and prohibits Edmodo from retaining children’s personal information for longer than reasonably necessary to fulfill the purpose for which it was collected. The order also enjoins Edmodo from collecting more personal information than reasonably necessary for a child to participate in any activity offered on its service. It also requires Edmodo to destroy personal information improperly collected from children under age 13 and to comply with reporting, monitoring, and recordkeeping requirements. Edmodo is also subject to a civil penalty judgment of $6 million dollars, which is suspended due to Edmodo’s inability to pay.
“Children do not lose their privacy protections when they use the internet,” said U.S. Attorney Ismail J. Ramsey for the Northern District of California. “Congress and the FTC have established rules to govern websites and apps collecting and storing the personal information of children. The settlement being announced today demonstrates the Department of Justice’s resolve to enforce those rules. We will continue to work with our partners at the FTC to safeguard children’s online privacy.”
“The Justice Department takes seriously its mission to protect the online privacy rights of children and their parents. This order spells out clearly to all online providers that it is unacceptable to collect children’s personal information without their parents’ consent,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Department of Justice’s Civil Division. “The department is committed to protecting against unauthorized online collection and retention of information, especially from children.”
“This order makes clear that ed tech providers cannot outsource compliance responsibilities to schools, or force students to choose between their privacy and education,” said Director Samuel Levine of the FTC’s Bureau of Consumer Protection. “Other ed tech providers should carefully examine their practices to ensure they’re not compromising students’ privacy.”
This matter was handled by Assistant U.S. Attorney Vivian Wang for the Northern District of California, Senior Trial Attorney James T. Nelson and Assistant Director Lisa Hsiao of the Civil Division’s Consumer Protection Branch, and Gorana Neskovic and Peder Magee of the FTC.
For more information about the Consumer Protection Branch and its enforcement efforts, visit its website at www.justice.gov/civil/consumer-protection-branch. For more information about the FTC, visit its website at www.FTC.gov.
Allen D. Payton contributed to this report.