GLORY, GLORY, HALLELUJAH!
Remember that old parody of the Battle Hymn of the Republic we used to sing before there was an Internet? There are apparently many versions, but they all generally involve children inflicting various types of mayhem on their school and its staff.
The kids of today are now equipped with the powerful COPPA Rule, 16 C.F.R. Part 312. And you can chalk one up for the kids when the FTC recently obtained a permanent injunction and $6 million penalty against an online education technology and virtual classroom provider in U.S. v. Edmodo, LLC, Case No. 3:23-cv-02495 (N.D. Cal. 2023). https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3129-edmodo-llc-us-v
We’re all familiar with, and frankly fearful of, COPPA, which was enacted in 1998 to protect the unauthorized or unnecessary collection of children’s personal information online. For a very brief review, the COPPA Rule requires operators of commercial websites or online services directed to children under 13 to have certain safeguards in place prior to collecting, using or disclosing personal information from children, such as their name, online contact information, telephone number, persistent identifier or image. These safeguards include:
- Providing clear, understandable and complete notice of its information practices;
- Making reasonable efforts to ensure parents receive direct notice;
- Obtaining verifiable parental consent prior to collecting, using or disclosing personal information from children; and
- Retaining personal information from children only as long as reasonably necessary to fulfill the purpose for which the information was collected.
According to the FTC, the Edmodo Platform was an online service that allowed teachers to create a virtual classroom to share materials, give assignments and quizzes, organize events, and allow direct messaging with students and teachers. The free version allowed students and teachers to create accounts and the subscription version allowed schools. Both versions collected personal information about the students including their names, emails, dates of birth and phone numbers.
The Edmodo Platform’s terms of service put the onus on the schools and teachers to obtain the requisite verifiable parental consent, which may be permissible in an educational context, but the FTC found fault in the following areas:
- Information was used for non-educational purposes. Edmodo could not rely upon the school/teacher acting as agent exception to the COPPA Rule because Edmodo used student information for non-education commercial uses, by collecting persistent identifiers such as device IDs, cookies and IP addresses in order to serve ads.
- Inadequate disclosure to schools/teachers. And Edmodo did not adequately inform teachers and schools that it was relying upon them to act as agents for obtaining parental consent. This information was “buried” in a paragraph on the bottom of the second page of the Terms of Service.
The lesson learned today is that COPPA is alive and well and on the FTC’s radar. Glory, glory, hallelujah!