The FTC Order Against Education Technology Provider For COPPA Rule Violation
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA
UNITED STATES OF AMERICA, Plaintiff, v. EDMODO, LLC, a limited liability corporation, Defendant.
Case No. 23-cv-2495 TSH
COMPLAINT FOR PERMANENT INJUNCTION, CIVIL PENALTIES, AND OTHER EQUITABLE RELIEF
Plaintiff, the United States of America, acting upon notification and authorization to the Attorney General by the Federal Trade Commission ("FTC" or "Commission"), for its Complaint alleges:
- Plaintiff brings this action under Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a)(1) of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)(1), and Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 ("COPPA"), 15 U.S.C. §§ 6502(c) and 6505(d), to obtain monetary civil penalties, a permanent injunction, and other relief for Defendant's violations of Section 5 of the FTC Act and the Commission's Children's Online Privacy Protection Rule ("Rule" or "COPPA Rule"), 16 C.F.R. Part 312.
Case Summary
- This matter involves Defendant's numerous violations of the COPPA Rule. Until 2022, Defendant illegally collected the personal information of students in the United States under the age of 13 covered by the Rule. Defendant did not provide direct notice of its information practices to parents, did not obtain parental authorization prior to collecting students' personal information, and did not retain children's personal information only as long as reasonably necessary to fulfill the purpose for which it was collected. In addition, by unfairly burdening schools and teachers in the United States with its COPPA-compliance responsibilities, Defendant also engaged in unfair practices in violation of Section 5 of the FTC Act.
Jurisdiction, Venue, and Divisional Assignment:
- This Court has subject matter jurisdiction pursuant to 28 U.S.C. §§ 1331, 1337(a), 1345, and 1355, and 15 U.S.C. §§ 45(m)(1)(A) and 56(a).
- Venue in the Northern District of California is proper under 15 U.S.C. § 53(b) and 28 U.S.C. §§ 1391(b)(2), (c)(2), and 1395(a) because Defendant has its principal place of business in this District, because Defendant transacted business in this District, and because a substantial part of the events or omissions giving rise to the claims occurred in this District.
- Divisional assignment is proper in the San Francisco Division or the Oakland Division under N.D. Cal. Civil L.R. 3-2(d) because this action arises in San Mateo County.
Section 5 of the FTC Act
- Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits unfair and deceptive acts or practices in or affecting commerce.
The Children's Online Privacy Protection Act Rule
-
Congress enacted COPPA in 1998 to protect the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children's personal information online by operators of Internet websites and online services. COPPA directed the Commission to promulgate a rule implementing COPPA. The Commission promulgated the COPPA Rule on November 3, 1999, under Section 1303(b) of COPPA, 15 U.S.C. § 6502(b), and Section 553 of the Administrative Procedure Act, 5 U.S.C. § 553. The Rule went into effect on April 21, 2000. The Commission promulgated revisions to the Rule that went into effect on July 1, 2013. Pursuant to Section 1303(c) of COPPA, 15 U.S.C. § 6502(c), and Section 18(d)(3) of the FTC Act, 15 U.S.C. § 57a(d)(3), a violation of the Rule constitutes an unfair or deceptive act or practice in or affecting commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
-
The COPPA Rule applies to any operator of a commercial website or online service directed to children that collects, uses, and/or discloses personal information from children, and to any operator of a commercial website or online service that has actual knowledge that it collects, uses, and/or discloses personal information from children. The term "personal information" means "individually identifiable information about an individual collected online," and includes, among other things, "first and last name," "online contact information," a "telephone number," a "persistent identifier that can be used to recognize a user over time and across different Web sites and online services," and a "photograph, video, or audio file where such file contains a child's image or voice."
-
The Rule requires operators to meet specific requirements prior to collecting, using, or disclosing personal information from children, including but not limited to:
- Providing clear, understandable, and complete notice of its information practices, including specific disclosures directly to parents.
- Making reasonable efforts, taking into account available technology, to ensure that parents receive the direct notice.
- Obtaining verifiable parental consent prior to collecting, using, and/or disclosing personal information from children.
- Retaining personal information collected from children online only as long as is reasonably necessary to fulfill the purpose for which the information was collected.
-
For purposes of this Complaint, the terms "child," "collects," "collection," "disclosure," "Internet," "obtaining verifiable consent," "online contact information," "operator," "parent," "personal information," and "Web site or online service directed to children" are defined as those terms are defined in Section 312.2 of the COPPA Rule, 16 C.F.R. § 312.2.
Defendant
- Defendant Edmodo, LLC ("Edmodo") is a Delaware corporation with its principal place of business at 777 Mariners Island Boulevard, San Mateo, California 94404. Until approximately September 2022, Edmodo transacted business in this District and throughout the United States, and Edmodo currently transacts business in this District relating to its customers in other countries.
Commerce
- At all times material to this Complaint, Defendant has maintained a substantial course of trade in or affecting commerce, as "commerce" is defined in Section 4 of the FTC Act, 15 U.S.C. § 44.
Defendant's Business Practices
-
Until approximately September 2022, Defendant operated and provided the Edmodo platform and related mobile applications ("Edmodo Platform") to teachers, students, and parents throughout the United States. Defendant continues to provide the Edmodo Platform in countries outside the United States. The Edmodo Platform allows individual teachers to create an account, and then invite students and parents to join their "virtual" classroom. Edmodo features available to teachers include virtual class spaces to host discussions and share materials, student assessment tools such as assignments, quizzes, educational games, and gradebooks, direct messaging to communicate privately with students and parents, and a calendar to organize tasks and events. Teachers can create classes and groups to which they can invite their students, other teachers, or parents. When creating a class, teachers indicate the grade level of the class.
-
In the United States, Defendant offered two versions of the Edmodo Platform to students, teachers, and parents: a free version (the "Free Platform") and a subscription version (Edmodo Enterprise).
-
Students could access the Free Platform either by downloading the free "Edmodo: Your Online Classroom" mobile application from Apple's App Store or Google Play, or they could register for the service through Defendant's website, www.edmodo.com.
-
Access to the Free Platform did not require any contractual arrangement on a school or district level. Any individual teacher could register independently. Once a teacher registered for an account, the teacher could create a class and invite students to join Edmodo by (a) creating student accounts in advance, (b) inviting students to join by email, (c) sharing a unique class URL, or (d) sharing a unique class code. To generate the student accounts in advance, a teacher entered the student's first name, last name, and email address. If invited to join by email, class URL, or class code, students registered by providing first name, last name, and email address. Defendant also asked students to provide a date of birth (between July-September 2020) and phone number (prior to July 2020).
-
Once an account was created on the Free Platform, Defendant allowed students to provide additional information such as school name, phone number, location, and a profile picture. Defendant also automatically collected certain usage and device information, including cookies, IP address, device type, operating system, browser type and ID, and geographic location based on IP address.
-
In contrast to the Free Platform, the Edmodo Enterprise was available to schools and school districts that first entered into a contractual arrangement with Edmodo and paid a subscription fee based on the number of users expected to use the platform in that school or district. Teachers then created student accounts in a manner similar to the Free Platform, and Edmodo collected the same personal information from students.
-
As described in further detail below, until approximately September 2022, both the Free Platform and Edmodo Enterprise collected personal information from student users in the United States without informed parental consent. Additionally, between at least 2018 and September 2022, Defendant collected personal information from users in the form of persistent identifiers from students' devices and used that personal information to serve contextual advertising to students via the Free Platform, including students under 13. Between at least 2018 and September 2022, Defendant allowed its third-party advertising partners to collect persistent identifiers in the form of IP addresses from student users, enabling advertisers to identify the device on which to serve the contextual ad.
Defendant Is Subject to the COPPA Rule
-
Defendant is subject to the COPPA Rule because both the free and enterprise versions of the Edmodo Platform are directed to children under 13, and Defendant has actual knowledge that children under 13 used both versions of the platform, including children under 13 in the United States.
-
First, the Edmodo Platform is an online service directed to children that was available in the United States until approximately September 2022. Defendant directed and actively marketed the Edmodo Platform to elementary and middle schools, including schools that teach children under the age of 13. Students as young as kindergarten age could be invited to create accounts on Defendant's platform. Defendant itself estimated that around 600,000 students under the age of 13 used the Edmodo Platform in 2020 alone. Defendant intended that children under 13 use its Edmodo Platform, and such children did, in fact, use these services.
-
Second, Defendant had actual knowledge that children under 13 used the Edmodo Platform. Defendant collected dates of birth from students during the sign-up process and was therefore able to identify students under the age of 13. Moreover, when creating a class on the Edmodo Platform, teachers provided the grade level of the class, allowing Defendant to identify which classes contained children under the age of 13. Therefore, under the Rule, Defendant had actual knowledge that children under 13 used the Edmodo Platform.
Defendant Violated COPPA by Failing to Obtain Verifiable Parental Consent
-
The COPPA Rule requires covered operators, such as Defendant, to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. Obtaining verifiable parental consent includes making "any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child: (1) receives notice of the operator's personal information collection, use, and disclosure practices; and (2) authorizes any collection, use, and/or disclosure of the personal information." 16 C.F.R. § 312.2.
-
The Commission's 1999 COPPA Rule Statement of Basis and Purpose (COPPA SBP) explains that the Rule allows schools to (1) serve as the parents' agents in the notice and consent process by consenting on behalf of parents, or (2) act as intermediaries between operators and parents to obtain consent directly from parents. 64 Fed. Reg. 59888, 59903 (Nov. 3, 1999).
-
However, the COPPA SBP also states that before an operator may rely on school-facilitated authorization to collect personal information from children, it must first "provide notice to the school of the operator's collection, use, and disclosure practices." 64 Fed. Reg. 59888, 59903 (Nov. 3, 1999).
-
In this case, Defendant's terms of service ("Terms of Service") suggested that schools and teachers were responsible for obtaining the verifiable parental consent required by the COPPA Rule. Defendant's purported reliance on teachers and schools to obtain parental consent, whether by regarding the teachers and schools as (1) agents authorizing collection on behalf of parents, or (2) intermediaries to obtain consent from parents, violated the COPPA Rule.
-
In the first scenario, Defendant could not rely on schools and teachers to provide authorization as agents of parents for two reasons. First, Defendant never provided the schools or teachers with direct notice of its practices, thereby preventing the schools from providing authorization on behalf of parents. Second, a school's or teacher's ability to serve as the parent's agent is limited to the educational context. Defendant could not rely on schools or teachers to serve as a parent's agent because Defendant used children's personal information for a non-educational purpose (advertising).
-
In the second scenario, Defendant could not rely on schools and teachers to be intermediaries to obtain consent from parents because Defendant failed to adequately inform schools and teachers of their role as intermediaries, failed to provide them with the information necessary for them to act as intermediaries, and failed to monitor whether parents ultimately actually provided verifiable consent.
Scenario I: Defendant Improperly Relied on Schools or Teachers as Agents Consenting on Behalf of Parents
- In order to obtain verifiable parental consent in this scenario, an operator must (1) provide a direct notice of its information practices to the school or teacher, and (2) use "reasonable efforts" to obtain authorization from the school on behalf of the parent. Defendant failed to provide schools and teachers the required direct notice and also failed to obtain authorization from the school on behalf of the parent for both the Free Platform and Edmodo Enterprise. As a result, Defendant collected children's personal information in violation of the COPPA Rule.
A. Defendant Failed to Provide Direct Notice of its Information Practices or Obtain Authorization from Schools and Teachers on Behalf of Parents
-
The COPPA Rule requirement to provide a direct notice of information practices means specifying the collection, use, and disclosure practices prior to collecting information from children. Such notice must be clearly and understandably written, must be complete, and must contain no unrelated, confusing, or contradictory materials. Further, the operator must make reasonable efforts, taking into account available technology, to ensure that a parent of a child (or school in appropriate circumstances) receives the direct notice.
-
On the Free Platform, Defendant did not provide direct notice of Defendant's information collection, use, and disclosure practices, as required by the COPPA Rule, during the user sign-up process or by another means. The limited documents Defendant included during the user sign-up process do not satisfy the COPPA Rule's direct notice requirements.
-
Specifically, during the sign-up process for the teacher account on the Free Platform, the registration screen was silent with respect to Defendant's personal information collection, use, and disclosure practices and instead merely stated in small print at the bottom, "By signing up, you agree to our Terms of Service and Privacy Policy."
-
Further, neither the Terms of Service nor Defendant's privacy policy ("Privacy Policy") satisfied the COPPA Rule's direct notice requirements. Teachers were not required to click on the linked documents or review them before creating an account and using Edmodo. Therefore, Defendant failed to make reasonable efforts to ensure the teacher actually received the notice.
-
Moreover, even if such a review were required, these documents contained a host of information unrelated to Defendant's collection, use, or disclosure of personal information of children using the Edmodo Platform, including information about international legal agreements, intellectual property, and publishers of third-party content, among others. This was a clear violation of 16 C.F.R. § 312.4(a), which requires that the direct notice be "clearly and understandably written and complete, and [contain] no unrelated, confusing, or contradictory materials." By including such extraneous information, Defendant failed to provide proper direct notice under the COPPA Rule.
-
Further, Defendant's Privacy Policy could not serve dual functions as direct notice and online notice. The COPPA Rule requires both a direct notice and an online notice. The Rule distinguishes between the two required notices and elaborates on the requirements for each. To the extent Defendant relied on its Privacy Policy to comply with the requirements of a 312.4(d) online notice, the same document could not also serve as a direct notice under 312.4(b).
-
Defendant also did not provide direct notice of its information collection, use, and disclosure practices with respect to the Edmodo Enterprise service as required by the COPPA Rule. At no point in the contract process for schools to gain access to Edmodo Enterprise did Defendant provide schools in the United States with a direct notice.
-
In addition, as with the Free Platform, the online sign-up process for Edmodo Enterprise also failed to inform schools of Defendant's data collection, use, and disclosure practices, and therefore failed to satisfy the COPPA Rule's direct notice requirement.
-
Because Defendant did not provide teachers or schools in the United States direct notice of its information collection, use, and disclosure practices as required by the COPPA Rule, teachers and schools did not have the information necessary to provide authorization on behalf of students' parents.
B. Schools and Teachers Could Not Act as Agents for Parents to Authorize Defendant's Use of Children's Personal Information for Non-Educational Commercial Purposes
-
Even if Defendant had given proper notice to teachers and schools, Defendant could not rely on schools or teachers as agents to provide authorization on behalf of parents, because Defendant used students' information to serve contextual advertising, a commercial purpose unrelated to an educational service. Where an operator engages in such non-educational commercial uses, it must obtain consent directly from the parents.
-
Defendant collected personal information in the form of persistent identifiers such as device IDs, cookies, and IP addresses from users of the Free Platform, including children under the age of 13, in order to serve them ads. In addition to collecting personal information and serving ads itself, Defendant also enabled third-party ad networks to collect persistent identifiers on its behalf in order to serve advertising to Defendant's users on the Free Platform.
-
The Commission's COPPA SBP does not contemplate the use of students' information for a commercial purpose because schools and teachers do not have the authority to consent in such a circumstance—the school's authority to provide consent on behalf of parents for the collection of children's personal information is limited to the educational context, which the Commission's guidance has made clear to operators for many years.
-
Therefore, given that Defendant used students' personal information for non-educational commercial purposes (i.e., to serve contextual advertising), it could not rely on schools or teachers to authorize collection on behalf of parents.
Scenario II: Defendant Unreasonably Relied on Schools or Teachers to Act as Intermediaries to Provide Notice to, and Obtain Consent from, Parents
-
In addition to relying on teachers and schools to provide authorization on behalf of parents, Defendant also claims that it relied on teachers and schools to act as intermediaries to obtain consent from parents for both the Free Platform and Edmodo Enterprise.
-
The Rule provides that an operator must "make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives direct notice" of Defendant's information collection, use, and disclosure practices. 16 C.F.R. § 312.4(b). In any event, where an operator relies on an intermediary, the sole responsibility for COPPA compliance remains with the operator.
-
Defendant's purported use of schools and teachers as intermediaries for the notice and authorization mechanism under the Rule fails to satisfy this standard because Defendant failed to inform teachers and schools about their role and expected duties as intermediaries. Because of its failure to provide such information, Defendant necessarily failed to take reasonable steps to ensure that parents, through schools and teachers, would receive notice of Edmodo's information collection practices, and authorize them. Further, Defendant failed to supervise or even monitor whether schools were in fact providing parents with notice and obtaining parents' authorization.
A. Defendant Failed to Inform Teachers and Schools about Their Role as Intermediaries
-
First, Defendant failed to adequately inform teachers and schools of Defendant's reliance on them to provide notice to and obtain authorization from parents of children using the Edmodo Platform. As stated above, any teacher in the United States was able to sign up for the Free Platform independently and without prior approval of the teacher's school or school district. Throughout the sign-up process, Defendant failed to explain that teachers or schools were required to undertake the responsibility for ensuring that parents receive the required notice of the platform's information practices and authorize the collection of their children's personal information. Indeed, Defendant did not provide the teacher or school with the requisite information needed to provide the notice of its information practices, as required by the COPPA Rule.
-
As discussed above, the sign-up process for a teacher account on the Free Platform provided minimal information to the teacher, and merely included a small link to Defendant's Privacy Policy and Terms of Service. The teacher was not required to click on the Terms of Service or Privacy Policy in order to sign up. Defendant's Privacy Policy said nothing about the expectation that teachers would provide notice to and obtain authorization from parents, and the Terms of Service language purporting to convey to teachers and schools their responsibility to provide notice and obtain authorization from parents did not satisfy the Rule's requirements.
-
It is only if a teacher or school clicked on the Terms of Service link and scrolled down to a paragraph buried on the bottom of the second page that she would learn that Defendant intended for the teacher or school to be solely responsible for complying with the COPPA Rule. Specifically, Defendant's Terms of Service stated:
"If you are a school, district, or teacher, you represent and warrant that you are solely responsible for complying with COPPA, meaning that you must obtain advance written consent from all parents or guardians whose children under 13 will be accessing the Services... When obtaining consent, you must provide parents and guardians with our Privacy Policy; you can find a sample permission slip here [NO LINK PROVIDED]. You must keep all consents on file and provide them to us if we request them. For more information on COPPA, please click here [NO LINK PROVIDED]. If you are a teacher, you represent and warrant that you have permission and authorization from your school and/or district to use the Services as part of your curriculum, and for purposes of COPPA compliance, you represent and warrant that you are entering into these Terms on behalf of your school and/or district."
-
As an initial matter, the statement in Defendant's Terms of Service is nonsensical and misleading. Schools or teachers could never be "solely responsible" for complying with the COPPA Rule given the Rule's other requirements, including data security, online notice, and data retention limitations.
-
Moreover, the applicable statement in Defendant's Terms of Service failed to provide the necessary information for teachers and schools to comply with the Rule. For example, it failed to inform teachers and schools that, as part of complying with the Rule, operators must provide parents with direct notice of their information collection, use, and disclosure practices related to children. The provision tells teachers and schools to share Defendant's Privacy Policy, but this Privacy Policy is insufficient to meet the Rule's notice requirement for the reasons set forth in earlier sections. The Terms of Service provision also did not provide information about appropriate mechanisms for obtaining parental authorization that would meet the Rule's requirements. And although the above Terms of Service provision claimed to link to something that would provide additional information about the Rule, no such link actually existed.
-
Similarly, Defendant also burdened schools using Edmodo Enterprise with COPPA compliance while failing to provide sufficient information on how to comply. For example, the contractual arrangement through which a school purchased access to Edmodo Enterprise only briefly mentioned consent in an exhibit attached to the contract, which merely stated that "Customer represents and warrants that it has the authority and consent (if required) to authorize Edmodo [to] receive, process, load and use personal data from [users]." Another section referenced Defendant's Terms of Service and Privacy Policy and stated "Customer acknowledges that Edmodo shall require individual users to agree to and accept Edmodo Terms of Service ... and Edmodo's Privacy Policy." As with the Free Platform, a school or teacher was not required to review the Terms of Service or Privacy Policy prior to using Edmodo Enterprise, and those documents do not comply with the Rule in any event.
B. Defendant Failed to Make Reasonable Efforts to Ensure That Parents Received Notice and Provided Authorization
-
In addition to failing to adequately inform schools and teachers about the COPPA Rule's notice and consent process, Defendant's purported reliance on schools and teachers to obtain consent from parents was not reasonable because Defendant did nothing to follow up with the school or teachers to determine whether they, in fact, provided the necessary notice and obtained verifiable parental consent.
-
Given the inadequate instructions and lack of compliance assistance from Defendant, even when schools or teachers did understand they were to provide notice to and obtain authorization from parents, some schools and teachers failed to provide parents with accurate information about Defendant's practices, thereby preventing parents from granting valid authorization under the Rule. For example, some schools incorrectly asserted to parents that the Edmodo Platform contained no advertisements, and some failed to identify what personal information Defendant collected and how that personal information was used, while other schools did not mention anything about Defendant's data collection practices and merely directed the parents to the company's Terms of Service and Privacy Policy, neither of which, as noted above, meet the Rule's requirements.
-
As a result of these deficiencies, Defendant failed to ensure its reliance on schools to obtain consent from parents met the requirements of the Rule. Indeed, Defendant ignored an essential aspect of COPPA compliance: operators alone, and not schools, teachers, or any other third party, are ultimately responsible for complying with the COPPA Rule. Defendant made no reasonable effort, as required by the Rule, to ensure that the schools or teachers to which it attempted to delegate its COPPA compliance responsibilities instituted a parental consent mechanism that complied with the Rule. Defendant's failure to provide compliance assistance to schools and teachers, and its further failure to verify that schools and teachers actually obtained verifiable parental consent, were unreasonable, violated the Rule, and led to illegal information collection from children.
Defendant's Personal Information Retention Practices Violated the COPPA Rule
-
In addition to requiring Defendant to provide direct notice and obtain parental authorization, the COPPA Rule also requires that operators retain children's personal information only as long as is reasonably necessary to fulfill the purpose for which it was collected. Defendant’s data retention policies violated the Rule.
-
Defendant did not develop a data retention and destruction policy before March 2020. Until then, Defendant retained personal information collected online from children indefinitely, amassing approximately 36 million student accounts, of which only one million were active users in 2020.
-
In March 2020, Defendant instituted a policy to delete student accounts that had been inactive for two years. However, Defendant failed to justify maintaining student information for two years after the account became inactive as reasonably necessary to fulfill the purpose for which it was collected. This violated the COPPA Rule’s provisions related to data retention.
Defendant Unfairly Burdened Teachers and Schools with Its COPPA Compliance Responsibilities
-
Acts or practices are unfair under Section 5 of the FTC Act if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves, and that is not outweighed by countervailing benefits to consumers or competition.
-
Defendant’s attempts to outsource its legally-mandated COPPA compliance responsibilities onto schools and teachers, many of which are under-resourced and lack knowledge about the COPPA Rule, while giving them confusing and inaccurate information about providing notice and obtaining verifiable parental consent, caused substantial injury to consumers, including schools, teachers, and children using the Edmodo platform.
-
To the extent that schools and teachers were even aware of Defendant's attempt to rely on them for COPPA compliance, they had to expend valuable resources trying to comply with the Rule, instead of focusing on educational purposes. Children were also injured because their personal information was collected illegally.
-
Schools, teachers, and children could not avoid this harm because Defendant did not provide them with essential information about the Edmodo Platform's information collection practices.
-
Finally, Defendant’s actions provided no countervailing benefits to consumers or competition. By shifting COPPA responsibilities to schools and teachers, Defendant prevented schools and parents from making informed choices about children’s and students' privacy.
VIOLATION OF THE COPPA RULE
COUNT I
-
The allegations in paragraphs 1 through 60 are incorporated as if set forth herein.
-
Defendant has been an operator of a website or online service directed to children as defined by the COPPA Rule, 16 C.F.R. § 312.2.
-
Defendant knowingly collected and used personal information from children under the age of 13.
-
Defendant collected or used personal information from children younger than 13 in violation of the Rule, including:
- Failing to provide direct notice to parents of Defendant's practices with regard to the collection, use, or disclosure of personal information from children, in violation of Section 312.4(a) and (c) of the Rule, 16 C.F.R. § 312.4(a);
- Failing to make reasonable efforts, taking into account available technology, to ensure that a parent receives the direct notice and can provide informed consent, in violation of Section 312.4(b)-(c) of the Rule, 16 C.F.R. § 312.4(b)-(c);
- Failing to obtain verifiable parental consent before any collection, use, or disclosure of personal information from children, in violation of Section 312.5(a)(1) of the Rule, 16 C.F.R. § 312.5(a)(1); and
- Retaining personal information collected online from children longer than reasonably necessary to fulfill the purpose for which the information was collected, in violation of Section 312.10 of the Rule, 16 C.F.R. § 312.10.
-
Pursuant to Section 1303(c) of COPPA, 15 U.S.C. § 6502(c), and Section 18(d)(3) of the FTC Act, 15 U.S.C. § 57a(d)(3), a violation of the Rule constitutes an unfair or deceptive act or practice in or affecting commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
-
Defendant violated the COPPA Rule as described above with the knowledge required by Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A).
-
Each collection, use, or disclosure of a child’s personal information in which Defendant has violated the Rule in one or more ways described above constitutes a separate violation of the COPPA Rule for the purpose of assessing monetary civil penalties.
-
Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A), authorizes this Court to award monetary civil penalties of not more than $50,120 for each such violation of the Rule assessed after January 11, 2023.
VIOLATION OF THE FTC ACT
COUNT II
-
The allegations in paragraphs 1 through 60 are incorporated as if set forth herein.
-
In numerous instances, Defendant outsourced its duty to comply with the COPPA Rule to schools or teachers without providing the schools or teachers with adequate information or support to meet the Rule's requirements.
-
Defendant's actions cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.
-
Therefore, Defendant's acts or practices as set forth in Paragraphs 59-60 constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45(a), (n).
PRAYER FOR RELIEF
WHEREFORE, Plaintiff requests that the Court:
- Enter a permanent injunction to prevent future violations of the FTC Act and the COPPA Rule by Defendant;
- Award Plaintiff monetary civil penalties from Defendant for each violation of the COPPA Rule alleged in this Complaint; and
- Award any additional relief as the Court determines to be just and proper.
Dated: May 22, 2023
FOR THE UNITED STATES OF AMERICA: ISMAIL J. RAMSEY VIVAN F. WANG |
BRIAN M. BOYNTON ARUN G. RAO AMANDA N. LISKAMM LISA K. HSIAO JAMES T. NELSON Of Counsel: BENJAMIN WISEMAN TIFFANY GEORGE GORANA NESKOVIC PEDER MAGEE |
STIPULATED ORDER FOR PERMANENT INJUNCTION AND CIVIL PENALTY JUDGMENT
Plaintiff, the United States of America, acting upon notification and authorization to the Attorney General by the Federal Trade Commission ("Commission"), filed its Complaint for Permanent Injunction, Civil Penalties, and Other Equitable Relief ("Complaint") in this matter, pursuant to Sections 13(b) and 16(a)(1) of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. §§ 53(b) and 56(a)(1), Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. §§ 6502(c) and 6505(d), and the Commission's Children's Online Privacy Protection Rule ("COPPA Rule"), 16 C.F.R. Part 312 (attached as Appendix A). Defendant has waived service of the summons and the Complaint. The parties have been represented by the attorneys whose names appear hereafter. Plaintiff and Defendant stipulate to the entry of this Stipulated Order for Permanent Injunction and Civil Penalty Judgment ("Order") to resolve all matters in dispute in this action between them.
THEREFORE, IT IS ORDERED as follows:
FINDINGS
-
This Court has jurisdiction over this matter.
-
The Complaint charges that Defendant violated the COPPA Rule by failing to obtain Verifiable Parental Consent prior to Collecting, using, or Disclosing Personal Information of Children, and retaining Personal Information Collected online from Children for longer than reasonably necessary to fulfill the purpose for which the information was Collected. The Complaint also charges that Defendant violated the FTC Act by unfairly requiring Schools and teachers to comply with the COPPA Rule on its behalf without providing adequate information or support to meet the Rule's requirements.
-
Defendant neither admits nor denies any of the allegations in the Complaint, except as specifically stated in this Order. Only for purposes of this action, Defendant admits the facts necessary to establish jurisdiction.
-
Defendant waives any claim that it may have under the Equal Access to Justice Act, 28 U.S.C. § 2412, concerning the prosecution of this action through the date of this Order, and agrees to bear its own costs and attorney fees.
-
Defendant and Plaintiff waive all rights to appeal or otherwise challenge or contest the validity of this Order.
DEFINITIONS
For the purpose of this Order, the following definitions apply:
-
Affected Work Product means any models or algorithms developed in whole or in part using Personal Information Collected from Children through the Edmodo Platform without Verifiable Parental Consent or School Authorization.
-
Child means an individual under the age of 13.
-
Clear and Conspicuous means that a required disclosure is difficult to miss (i.e., is easily noticeable) and is easily understandable by ordinary consumers, including in all of the following ways:
- In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented. In any communication made through both visual and audible means, such as a television advertisement, the disclosure must be presented simultaneously in both the visual and audible portions of the communication even if the representation requiring the disclosure is made through only one means.
- A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
- An audible disclosure, including by telephone or streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.
- In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be unavoidable.
- The disclosure must use diction and syntax understandable to ordinary consumers and must appear in each language in which the representation that requires the disclosure appears.
- The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communications.
- The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication.
- When the representation or sales practice targets a specific audience, such as Children, the elderly, or the terminally ill, "ordinary consumers" includes reasonable members of that group.
-
Collects or Collection means the gathering of any Personal Information from a Child by any means, including but not limited to:
- Requesting, prompting, or encouraging a Child to submit Personal Information online;
- Enabling a Child to make Personal Information publicly available in identifiable form; or
- Passive tracking of a Child online.
-
Defendant means Edmodo, LLC ("Edmodo"), a Delaware limited liability company, its successors and assigns.
-
Direct Control means the School has a means to review the Personal Information Collected from a Child, prevent further use or future Collection from that Child, and direct the Operator to delete a Child's Personal Information.
-
Direct Notice means making a reasonable effort (taking into consideration available technology) to ensure that a Parent or School receives notice of the Operator's practices with regard to the Collection, use, or Disclosure of Personal Information Collected from a Child, including notice of any material change in the Collection, use, or Disclosure practices to which the Parent or School has previously consented.
-
Disclose or Disclosure means, with respect to Personal Information:
- The Release of Personal Information Collected by an Operator from a Child in identifiable form for any purpose, except where an Operator provides such information to a person who provides Support for the Internal Operations of the Website or Online Service; and
- Making Personal Information Collected by an Operator from a Child publicly available in identifiable form by any means, including but not limited to a public posting through the Internet, or through a personal home page or screen posted on a website or online service; a pen pal service; an electronic mail service; a message board; or a chat room.
-
Edmodo Platform means any online or mobile education-related website, online service, or application, or another Website or Online Service Directed to Children, operated, offered, or controlled by Defendant, provided that the Edmodo Platform does not include any such education-related website or online service provided to foreign government customers.
-
Educational Purpose means any use related to a Child's education including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, School personnel, or Parents. Educational Purpose does not include commercial purposes unrelated to the provision of the online service requested by the School such as advertising or building user profiles.
-
Internet means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of transmission.
-
Online Contact Information means an e-mail address or any other substantially similar identifier that permits direct contact with a Person online, including but not limited to, an instant messaging user identifier, a voice over internet protocol (VOIP) identifier, or a video chat user identifier.
-
Operator means any Person who operates a website located on the Internet or an online service and who Collects or maintains Personal Information from or about the users of or visitors to such website or online service, or on whose behalf such information is Collected or maintained, or offers products or services for sale through that website or online service.
-
Parent includes a legal guardian.
-
Person means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.
-
Personal Information means individually identifiable information about an individual Collected online, including:
- A first and last name;
- A home or other physical address including street name and name of a city or town;
- Online Contact Information;
- A screen or user name where it functions in the same manner as Online Contact Information;
- A telephone number;
- A Social Security number;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services, such as a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
- A photograph, video, or audio file where such file contains a Child's image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the Child or the Parents of that Child that the Operator Collects online from the Child and combines with an identifier described in this definition.
-
Release of Personal Information means the sharing, selling, renting, or transfer of Personal Information to any Third Party.
-
School means an institutional day or residential school, including a public school, charter school, or private school, that provides elementary or secondary education, as determined by State law.
-
School Authorization means a School Representative authorizes an Operator to Collect Personal Information from a Child, on the condition that Personal Information is Collected only for an Educational Purpose and follows the School Representative's receipt of Direct Notice from the Operator.
-
School Representative means a School employee who has the authority to authorize the Collection of Personal Information from a Child on behalf of the School.
-
Support for the Internal Operations of the Website or Online Service means activities necessary to:
- Maintain or analyze the functioning of the website or online service;
- Perform network communications;
- Authenticate users of, or personalize the content on, the website or online service;
- Serve contextual advertising on the website or online service or cap the frequency of advertising;
- Protect the security or integrity of the user, website, or online service;
- Ensure legal or regulatory compliance; or
- Fulfill a request of a Child as permitted by Section 312.5(c)(3) and (4) of the COPPA Rule (attached as Appendix A).
-
Third Party means any Person who is not:
- An Operator with respect to the Collection or maintenance of Personal Information on the website or online service; or
- A Person who provides Support for the Internal Operations of the Website or Online Service and who does not use or Disclose information protected under this part for any other purpose.
-
Verifiable Parental Consent means making a reasonable effort (taking into consideration available technology) to ensure that before Personal Information is Collected from a Child, a Parent of the Child:
- Receives notice of the Operator's Personal Information Collection, use, and Disclosure practices; and
- Authorizes any Collection, use, and/or Disclosure of the Personal Information, using a method reasonably calculated, in light of available technology, to ensure that the Person providing consent is the Child's Parent.
-
Website or Online Service Directed to Children means a commercial website or online service, or portion thereof, that is targeted to Children.
-
In determining whether a website or online service, or a portion thereof, is directed to Children, the Commission will consider its subject matter, visual content, use of animated characters or Child-oriented activities and incentives, music or other audio content, age of models, presence of Child celebrities or celebrities who appeal to Children, language, or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to Children. The Commission will also consider competent and reliable empirical evidence regarding audience composition and evidence regarding the intended audience.
-
A website or online service shall be deemed directed to Children when it has actual knowledge that it is Collecting Personal Information directly from users of another Website or Online Service Directed to Children.
- Does not Collect Personal Information from any visitor prior to Collecting age information; and
- Prevents the Collection, use, or Disclosure of Personal Information from visitors who identify themselves as under age 13 without first complying with the notice and parental consent provisions of 16 C.F.R. Part 312.
A website or online service that is directed to Children under the criteria set forth above, but that does not target Children as its primary audience, shall not be deemed directed to Children if it:
-
A website or online service shall not be deemed directed to Children solely because it refers or links to a commercial Website or Online Service Directed to Children by using information location tools, including a directory, index, reference, pointer, or hypertext link.
-
ORDER
I. INJUNCTION CONCERNING COLLECTION OF PERSONAL INFORMATION FROM CHILDREN
IT IS ORDERED that Defendant, and Defendant's officers, agents, employees, attorneys, and all other persons in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with operating the Edmodo Platform, are hereby permanently restrained and enjoined from:
-
Failing to make reasonable efforts, taking into account available technology, to ensure that a Parent of a Child, or a School Representative where any Personal Information Collection is for an Educational Purpose, receives Direct Notice of Defendant's practices with regard to the Collection, use, or Disclosure of Personal Information from Children, including notice of any material change in the Collection, use, or Disclosure practices to which the Parent or School has previously consented, unless the COPPA Rule provides an exception to providing such notice.
-
Failing to post a Clear and Conspicuous link to an online notice of its information practices with regard to Children on the home or landing page or screen of its website or online service, and at each area of the website or online service where Personal Information is Collected from Children, unless the COPPA Rule provides an exception to providing such notice.
-
Failing to obtain Verifiable Parental Consent or School Authorization (in accordance with Provision II), before any Collection, use, or Disclosure of Personal Information from Children, including consent to any material change in the Collection, use, or Disclosure practices to which the Parent or School has previously consented, unless the COPPA Rule provides an exception to obtaining Verifiable Parental Consent or School Authorization.
-
Conditioning a Child's participation in an activity on the Child Disclosing more Personal Information than is reasonably necessary to participate in such activity.
-
Retaining Personal Information Collected online from a Child for longer than reasonably necessary to fulfill the purpose for which the information was Collected.
-
Violating the COPPA Rule.
II. INJUNCTION CONCERNING USING SCHOOLS TO PROVIDE DIRECT NOTICE TO PARENTS OR OBTAIN VERIFIABLE PARENTAL CONSENT
IT IS FURTHER ORDERED that Defendant, and Defendant's officers, agents, employees, attorneys, and all other persons in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with providing the Edmodo Platform to Schools, are hereby permanently restrained and enjoined from:
-
Relying on Schools to act as intermediaries to obtain Verifiable Parental Consent on behalf of Defendant.
-
Relying on School Authorization for the Collection of Personal Information from Children unless they enter into a written agreement with the School or School Representative that:
- Provides that Personal Information can only be used for Educational Purposes.
- Describes all Personal Information that is Collected and how it will be used and Disclosed.
- Provides the School a link to its online notice of information practices and recommends the School make it available on the School's website.
- Requires a School Representative to acknowledge and agree that they have the authority to authorize the Collection of Personal Information from Children on behalf of the School, along with their name and title at the School.
- Provides that any Personal Information Collected by Defendant is under the Direct Control of the School with regard to its use and maintenance.
Provided, however, Defendant may Collect Personal Information from Children if Defendant provides Direct Notice to Parents and Parents provide Verifiable Parental Consent.
III. DATA MINIMIZATION REQUIREMENT
IT IS FURTHER ORDERED that Defendant, and Defendant's officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with offering the Edmodo Platform, are hereby permanently restrained and enjoined from collecting more Personal Information than is reasonably necessary for the Child to participate in any activity offered on any such website or online service.
IV. INJUNCTION CONCERNING USE OF PREVIOUSLY COLLECTED PERSONAL INFORMATION
IT IS FURTHER ORDERED that Defendant, Defendant's officers, agents, employees, attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with providing the Edmodo Platform to Schools, are ordered to:
-
Refrain from Disclosing, using, or benefitting from Personal Information Collected from Children that Defendant collected through the Edmodo Platform prior to entry of this Order unless Verifiable Parental Consent or School Authorization is obtained as outlined in Provisions I and II.
-
Within sixty (60) days of entry of this Order, destroy all Personal Information Collected through the Edmodo Platform by Defendant from accounts that have not, by that date, provided Verifiable Parental Consent or School Authorization as described in Provisions I and II.
-
Within ninety (90) days of entry of this Order, provide a written statement to the Commission, sworn under penalty of perjury, that:
- Describes the process through which Defendant provided Direct Notice and sought Verifiable Parental Consent or School Authorization for the accounts through which Personal Information is Collected through the Edmodo Platform.
- Identifies the total number of accounts for which Direct Notice was provided, as well as the number of accounts that:
- Provided Verifiable Parental Consent.
- Provided School Authorization.
- Affirmatively declined to provide Verifiable Parental Consent or School Authorization.
- Did not respond.
- Parents or Schools requested be deleted after receiving the Direct Notice provided under sub-provision IV.B.
- Were the subject of additional questions to Defendant by Parents or Schools.
- Confirms all Personal Information Collected from Children through the Edmodo Platform related to accounts for which Verifiable Parental Consent or School Authorization was not received has been destroyed.
-
Within ninety (90) days of entry of this Order, delete or destroy any Affected Work Product, and provide a written statement to the Commission, sworn under penalty of perjury, confirming such deletion or destruction. Any Affected Work Product, or Personal Information that Defendant is otherwise required to delete or destroy pursuant to this provision may be retained and may be disclosed as requested by a government agency or otherwise required by law, regulation, court order, or other legal obligation, including as required by rules applicable to the safeguarding of evidence in pending litigation. In each written statement to the Commission required by this provision, Defendant shall describe in detail any relevant information that Defendant retains on any of these bases and the specific government agency, law, regulation, court order, or other legal obligation that prohibits Defendant from deleting or destroying such information. Within thirty (30) days after the obligation to retain the information has ended, Defendant shall provide an additional written statement to the Commission, sworn under penalty of perjury, confirming that Defendant has deleted or destroyed such information.
-
Maintain and adhere to a retention schedule for Children's Personal Information Collected through the Edmodo Platform, setting forth the purpose for which the information is Collected, the specific business need for retaining such Personal Information, and a set time frame and set of criteria for deletion of such information which may not exceed one (1) year after the termination of the agreement with the School (unless the School affirmatively requests a different time period), or, with respect to Children's Personal Information that is not Collected under the Direct Control of a School, may not exceed one (1) year after the generation of the data (unless the Parent, after receiving notice of the impending deletion from Defendant, affirmatively requests that Defendant retain a Child's data for longer), and make such information about the retention schedule publicly available on Defendant's website and in the Direct Notice.
V. MONETARY JUDGMENT FOR CIVIL PENALTY
IT IS FURTHER ORDERED that:
-
Judgment in the amount of $6 million ($6,000,000) is entered in favor of Plaintiff against Defendant, as a civil penalty.
-
The judgment is suspended subject to the Subsections below.
-
The Plaintiff's agreement to the suspension of the judgment is expressly premised upon the truthfulness, accuracy, and completeness of Defendant's sworn financial statements and related documents (collectively, "Financial Attestations") submitted to the Commission, namely:
- the Financial Statement of Corporate Defendant, Edmodo, LLC, signed by General Counsel, Susan Shinoff.
-
The suspension of the judgment will be lifted as to Defendant if, upon motion by Plaintiff, the Court finds that Defendant failed to disclose any material asset, materially misstated the value of any asset, or made any other material misstatement or omission in the Financial Attestations.
-
If the suspension of the judgment is lifted, the judgment becomes immediately due as to Defendant in the amount specified in Subsection A of this Section (which the parties stipulate only for purposes of this Section represents the amount of civil penalty for the violations alleged in the Complaint), less any payment previously made pursuant to this Section, plus interest computed from the date of entry of this Order.
VI. ADDITIONAL MONETARY PROVISIONS
IT IS FURTHER ORDERED that:
-
Defendant relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.
-
The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission, including in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order.
-
Defendant acknowledges that its Taxpayer Identification Numbers, which Defendant must submit to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.
VII. ORDER ACKNOWLEDGMENTS
IT IS FURTHER ORDERED that Defendant obtains acknowledgments of receipt of this Order:
-
Defendant, within seven (7) days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.
-
For five (5) years after entry of this Order, Defendant, for any business that Defendant is the majority owner of, or controls directly or indirectly, must deliver a copy of this Order to: (1) all principals, officers, directors, managers, and members; (2) all employees having managerial responsibilities relating to the subject matter of the Order, and all agents and representatives who participate in conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in Section VIII (Compliance Reporting). Delivery must occur within seven (7) days of entry of this Order for current personnel and entities. To all others, delivery must occur before they assume their responsibilities.
-
From each individual or entity to which Defendant delivered a copy of this Order, Defendant must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.
VIII. COMPLIANCE REPORTING
IT IS FURTHER ORDERED that Defendant makes timely submissions to the Commission:
- One year after entry of this Order, Defendant must submit a compliance report, sworn under penalty of perjury, in which Defendant must: (a) identify the primary physical, postal, email address, and telephone number, as designated points of contact, which representatives of the Commission and Plaintiff may use to communicate with Defendant; (b) identify all businesses owned or controlled by Defendant by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Defendant is in compliance with each Section of this Order; (e) provide a copy of each different version of any privacy notice posted on each Website or Online Service Directed to Children operated by Defendant or sent to Parents of Children that register on each website or online service; (f) provide a statement setting forth in detail the methods used to obtain Verifiable Parental Consent or School Authorization prior to any Collection, use, and/or Disclosure of Personal Information from Children by the Edmodo Platform; (g) provide a statement setting forth in detail the means provided for Parents to review the Personal Information Collected from their Children and to refuse to permit its further use or maintenance by the Edmodo Platform; and (h) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.
- For ten (10) years after entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in: (a) any designated point of contact; or (b) the structure of Defendant or any entity that Defendant has any ownership interest in or control directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.
-
Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Defendant within fourteen (14) days of its filing.
-
Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: "I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: ___" and supplying the date, signatory's full name, title (if applicable), and signature.
-
Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: United States v. Edmodo, LLC.
IX. RECORDKEEPING
IT IS FURTHER ORDERED that Defendant must create certain records for ten (10) years after entry of the Order, and retain each such record for five (5) years. Specifically, for any business that Defendant is a majority owner of, or controls directly or indirectly, other than those providing products or services solely to foreign government customers, Defendant must create and retain the following records:
- Accounting records showing the revenues from all goods or services sold.
- All personnel records showing, for each person providing services, whether as an employee or otherwise, that person's name, addresses, telephone numbers, job title or position, dates of service, and (if applicable) the reason for termination.
- All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.
- Copies of all consumer complaints relating to Defendant's Collection of Personal Information, whether received directly or indirectly, such as through a Third Party, and any response.
- All records demonstrating the steps Defendant has taken to obtain Verifiable Parental Consent or School Authorization, as applicable, for each Child user.
- A copy of each materially different form, page, or screen created, maintained, or otherwise provided by Defendant through which Defendant Collects Personal Information, and a copy of each materially different document containing any representation regarding Defendant's Collection, use, and Disclosure practices pertaining to Personal Information. Each webpage copy shall be accompanied by the URL of the webpage where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting information on the Internet.
X. COMPLIANCE MONITORING
IT IS FURTHER ORDERED that, for the purpose of monitoring Defendant's compliance with this Order, including the Financial Attestations upon which the judgment was suspended:
- Within fourteen (14) days of receipt of a written request from a representative of the Commission or Plaintiff, Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Commission and Plaintiff are also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.
-
For matters concerning this Order, the Commission and Plaintiff are authorized to communicate directly with Defendant. Defendant must permit representatives of the Commission and Plaintiff to interview any employee or other Person affiliated with Defendant who has agreed to such an interview. The Person interviewed may have counsel present.
-
The Commission and Plaintiff may use all other lawful means, including posing, through its representatives, as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the Commission's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49 and 57b-1.
XI. RETENTION OF JURISDICTION
IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.
SO ORDERED this 27th day of June, 2023.
UNITED STATES DISTRICT MAGISTRATE JUDGE |
|
SO STIPULATED AND AGREED: ISMAIL J. RAMSEY
OF COUNSEL PEDER MAGEE FOR DEFENDANT: Vincent P. Riera |
|
Appendix A
The average firm-wide billing rate (partners and associates) in 2011 was $403, the average partner rate was $482, and the average associate rate was $303.
The Commission believes it reasonable to assume that the workload among law firm partners and associates for COPPA compliance questions could be competently addressed and efficiently distributed among attorneys at varying levels of seniority but would be weighted most heavily to more junior attorneys. Thus, assuming an apportionment of two-thirds of such work is done by associates, and one-third by partners, a weighted average tied to the average firm-wide associate and average firm-wide partner rates, respectively, in the National Law Journal 2011 survey would be about $365 per hour. The Commission believes that this rate — which is very near the mean of TIA's stated range of purported hourly rates that its members typically pay to engage counsel for COPPA compliance questions — is an appropriate measure to calculate the cost of legal assistance for operators to comply with the final Rule amendments.
TIA also states that the 2012 SNPRM estimate of $42 per hour for technical support is too low, and that engaging expert technical personnel can, on average, involve hourly costs that range from $72 to $108. Similar to TIA's hours estimate, discussed above, the Commission believes that TIA's estimate may have been based on implementing requirements that, ultimately, the Commission has determined not to adopt. For example, technical personnel will not need to "ensure" the security procedures of third parties; operators that have been eligible to use email plus for parental consents will not be required to implement new systems to replace it. It is unclear whether TIA's estimate for technical support is based on the types of disclosure-related tasks that the final Rule amendments would actually require, other tasks that the final Rule amendments would not require, or non-disclosure tasks not covered by the PRA. Moreover, unlike its estimate for lawyer assistance, TIA's estimates for technical labor are not accompanied by an adequate explanation of why estimates for technical support drawn from BLS statistics are not an appropriate basis for the FTC's PRA analysis. Accordingly, the Commission believes it is reasonable to retain the 2012 SNPRM estimate of $42 per hour for technical assistance based on BLS data.
Thus, for the 180 new operators per year not previously accounted for under the FTC's currently cleared estimates, 10,800 cumulative disclosure hours would be composed of 9,000 hours of legal assistance and 1,800 hours of technical support. Applied to hourly rates of $365 and $42, respectively, associated labor costs for the 180 new operators potentially subject to the proposed amendments would be $3,360,600 (i.e., $3,285,000 for legal support plus $75,600 for technical support).
Similarly, for the estimated 2,910 existing operators covered by the final Rule amendments, 58,200 cumulative disclosure hours would consist of 48,500 hours of legal assistance and 9,700 hours for technical support. Applied at hourly rates of $365 and $42, respectively, associated labor costs would total $18,109,900 (i.e., $17,702,500 for legal support plus $407,400 for technical support). Cumulatively, estimated labor costs for new and existing operators subject to the final Rule amendments is $21,470,500.
Reporting
The Commission staff assumes that the tasks to prepare augmented safe harbor program applications occasioned by the final Rule amendments will be performed primarily by lawyers, at a mean labor rate of $180 an hour.Thus, applied to an assumed industry total of 120 hours per year for this task, incremental associated yearly labor costs would total $21,600.
The Commission staff assumes periodic reports will be prepared by compliance officers, at a labor rate of $28 per hour. Applied to an assumed industry total of 600 hours per year for this task, associated yearly labor costs would be $16,800.
Cumulatively, labor costs for the above-noted reporting requirements total approximately $38,400 per year.
Non-Labor/Capital Costs
Because both operators and safe harbor programs will already be equipped with the computer equipment and software necessary to comply with the Rule's new notice requirements, the final Rule amendments should not impose any additional capital or other non-labor costs.
List of Subjects in 16 CFR Part 312
Children, Communications, Consumer protection, Electronic mail, Email, Internet, Online service, Privacy, Record retention, Safety, Science and Technology, Trade practices, Website, Youth.
- Accordingly, for the reasons stated above, the Federal Trade Commission revises part 312 of Title 16 of the Code of Federal Regulations to read as follows:
PART 312—CHILDREN'S ONLINE PRIVACY PROTECTION RULE
Sec.
- 312.1 Scope of regulations in this part.
- 312.2 Definitions.
- 312.3 Regulation of unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.
- 312.4 Notice.
- 312.5 Parental consent.
- 312.6 Right of parent to review personal information provided by a child.
- 312.7 Prohibition against conditioning a child's participation on collection of personal information.
- 312.8 Confidentiality, security, and integrity of personal information collected from children.
- 312.9 Enforcement.
- 312.10 Data retention and deletion requirements.
- 312.11 Safe harbor programs.
- 312.12 Voluntary Commission Approval Processes.
- 312.13 Severability.
Authority: 15 U.S.C. 6501-6508.
§312.1 Scope of regulations in this part.
This part implements the Children's Online Privacy Protection Act of 1998, (15 U.S.C. 6501, et seq.), which prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.
§312.2 Definitions.
-
Child means an individual under the age of 13.
-
Collects or collection means the gathering of any personal information from a child by any means, including but not limited to:
- Requesting, prompting, or encouraging a child to submit personal information online;
- Enabling a child to make personal information publicly available in identifiable form. An operator shall not be considered to have collected personal information under this paragraph if it takes reasonable measures to delete all or virtually all personal information from a child's postings before they are made public and also to delete such information from its records; or
- Passive tracking of a child online.
-
Commission means the Federal Trade Commission.
-
Delete means to remove personal information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business.
-
Disclose or disclosure means, with respect to personal information:
- The release of personal information collected by an operator from a child in identifiable form for any purpose, except where an operator provides such information to a person who provides support for the internal operations of the website or online service; and
- Making personal information collected by an operator from a child publicly available in identifiable form by any means, including but not limited to a public posting through the Internet, or through a personal home page or screen posted on a website or online service; a pen pal service; an electronic mail service; a message board; or a chat room.
-
Federal agency means an agency, as that term is defined in Section 551(1) of title 5, United States Code.
-
Internet means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of transmission.
-
Obtaining verifiable consent means making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child:
- Receives notice of the operator's personal information collection, use, and disclosure practices; and
- Authorizes any collection, use, and/or disclosure of the personal information.
-
Online contact information means an email address or any other substantially similar identifier that permits direct contact with a person online, including but not limited to, an instant messaging user identifier, a voice over Internet Protocol (VoIP) identifier, or a video chat user identifier.
-
Operator means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, or offers products or services for sale through that website or online service, where such website or online service is operated for commercial purposes involving commerce among the several States or with one or more foreign nations; in any territory of the United States or in the District of Columbia, or between any such territory and another such territory or any State or foreign nation. This definition does not include any nonprofit entity that would otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. 45). Personal information is collected or maintained on behalf of an operator when:
- It is collected or maintained by an agent or service provider of the operator; or
- The operator benefits by allowing another person to collect personal information directly from users of such website or online service.
-
Parent includes a legal guardian.
-
Person means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.
-
Personal information means individually identifiable information about an individual collected online, including:
- A first and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information as defined in this section;
- A screen or user name where it functions in the same manner as online contact information, as defined in this section;
- A telephone number;
- A Social Security number;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
- A photograph, video, or audio file where such file contains a child's image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.
-
Release of personal information means the sharing, selling, renting, or transfer of personal information to any third party.
-
Support for the internal operations of the website or online service means:
- Those activities necessary to:
- Maintain or analyze the functioning of the website or online service;
- Perform network communications;
- Authenticate users of, or personalize the content on, the website or online service;
- Serve contextual advertising on the website or online service or cap the frequency of advertising;
- Protect the security or integrity of the user, website, or online service;
- Ensure legal or regulatory compliance; or
- Fulfill a request of a child as permitted by §312.5(c)(3) and (4).
- Those activities necessary to:
(2) So long as the information collected for the activities listed in the paragraphs (1)(i)—(vii) of this definition is not used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose.
-
Third party means any person who is not:
- An operator with respect to the collection or maintenance of personal information on the website or online service; or
- A person who provides support for the internal operations of the website or online service and who does not use or disclose information protected under this part for any other purpose.
-
Website or online service directed to children means a commercial website or online service, or portion thereof, that is targeted to children.
- In determining whether a website or online service, or a portion thereof, is directed to children, the Commission will consider its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience.
- A website or online service shall be deemed directed to children when it has actual knowledge that it is collecting personal information directly from users of another website or online service directed to children.
- A website or online service that is directed to children under the criteria set forth in paragraph (1) of this definition, but that does not target children as its primary audience, shall not be deemed directed to children if it:
- Does not collect personal information from any visitor prior to collecting age information; and
- Prevents the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13 without first complying with the notice and parental consent provisions of this part.
- A website or online service shall not be deemed directed to children solely because it refers or links to a commercial website or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link.
§312.3 Regulation of unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.
General requirements: It shall be unlawful for any operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under this part. Generally, under this part, an operator must:
- Provide notice on the website or online service of what information it collects from children, how it uses such information, and its disclosure practices for such information (§312.4(b));
- Obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children (§ 312.5);
- Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance (§ 312.6);
- Not condition a child's participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity (§ 312.7); and
- Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (§ 312.8).
§312.4 Notice
-
General principles of notice:
It shall be the obligation of the operator to provide notice and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children. Such notice must be clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory materials. -
Direct notice to the parent:
An operator must make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives direct notice of the operator's practices with regard to the collection, use, or disclosure of personal information from children, including notice of any material change in the collection, use, or disclosure practices to which the parent has previously consented. -
Content of the direct notice to the parent:
- That the operator has collected the parent's online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent's consent.
- That the parent's consent is required for the collection, use, or disclosure of such information, and that the operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent.
- The additional items of personal information the operator intends to collect from the child, or the potential opportunities for the disclosure of personal information, should the parent provide consent.
- A hyperlink to the operator's online notice of its information practices required under paragraph (d) of this section.
- The means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information.
- That if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent's online contact information from its records.
-
Voluntary Notice to Parent of a Child's Online Activities Not Involving the Collection, Use, or Disclosure of Personal Information:
- That the operator has collected the parent's online contact information from the child in order to provide notice to, and subsequently update the parent about, a child's participation in a website or online service that does not otherwise collect, use, or disclose children's personal information.
- That the parent's online contact information will not be used or disclosed for any other purpose.
- That the parent may refuse to permit the child's participation in the website or online service and may require the deletion of the parent's online contact information, and how the parent can do so.
- A hyperlink to the operator's online notice of its information practices required under paragraph (d) of this section.
-
Notice to a Parent of Operator's Intent to Communicate with the Child Multiple Times:
- That the operator has collected the child's online contact information from the child in order to provide multiple online communications to the child.
- That the operator has collected the parent's online contact information from the child in order to notify the parent that the child has registered to receive multiple online communications from the operator.
- That the online contact information collected from the child will not be used for any other purpose, disclosed, or combined with any other information collected from the child.
- That the parent may refuse to permit further contact with the child and require the deletion of the parent's and child's online contact information, and how the parent can do so.
- That if the parent fails to respond to this direct notice, the operator may use the online contact information collected from the child for the purpose stated in the direct notice.
- A hyperlink to the operator's online notice of its information practices required under paragraph (d) of this section.
-
Notice to a Parent In Order to Protect a Child's Safety:
- That the operator has collected the name and the online contact information of the child and the parent in order to protect the safety of a child.
- That the information will not be used or disclosed for any purpose unrelated to the child's safety.
- That the parent may refuse to permit the use, and require the deletion, of the information collected, and how the parent can do so.
- That if the parent fails to respond to this direct notice, the operator may use the information for the purpose stated in the direct notice.
- A hyperlink to the operator's online notice of its information practices required under paragraph (d) of this section.
-
Notice on the website or online service:
In addition to the direct notice to the parent, an operator must post a prominent and clearly labeled link to an online notice of its information practices with regard to children on the home or landing page or screen of its website or online service, and at each area of the website or online service where personal information is collected from children. The link must be in close proximity to the requests for information in each such area. An operator of a general audience website or online service that has a separate children's area must post a link to a notice of its information practices with regard to children on the home or landing page or screen of the children's area. To be complete, the online notice of the website or online service's information practices must state the following:- The name, address, telephone number, and email address of all operators collecting or maintaining personal information from children through the website or online service.
- A description of what information the operator collects from children, including whether the website or online service enables a child to make personal information publicly available; how the operator uses such information; and the operator's disclosure practices for such information.
- That the parent can review or have deleted the child's personal information, and refuse to permit further collection or use of the child's information, and state the procedures for doing so.
§312.5 Parental consent
-
General requirements:
- An operator is required to obtain verifiable parental consent before any collection, use, or disclosure of personal information from children, including consent to any material change in the collection, use, or disclosure practices to which the parent has previously consented.
- An operator must give the parent the option to consent to the collection and use of the child's personal information without consenting to disclosure of his or her personal information to third parties.
-
Methods for verifiable parental consent:
- An operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.
- Existing methods to obtain verifiable parental consent that satisfy the requirements of this paragraph include:
- Providing a consent form to be signed by the parent and returned to the operator by postal mail, facsimile, or electronic scan.
- Requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder.
- Having a parent call a toll-free telephone number staffed by trained personnel.
- Having a parent connect to trained personnel via video conference.
- Verifying a parent's identity by checking a form of government-issued identification against databases of such information, where the parent's identification is deleted by the operator from its records promptly after such verification is complete.
- Provided that an operator that does not "disclose" (as defined by §312.2) children's personal information may use an email coupled with additional steps to provide assurances that the person providing the consent is the parent. Such additional steps include:
- Sending a confirmatory email to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call.
- An operator that uses this method must provide notice that the parent can revoke any consent given in response to the earlier email.
-
Safe harbor approval of parental consent methods:
- A safe harbor program approved by the Commission under §312.11 may approve its member operators' use of a parental consent method not currently enumerated in the paragraph above, where the safe harbor program determines that such parental consent method meets the requirements.
-
Exceptions to prior parental consent:
- Verifiable parental consent is required prior to any collection, use, or disclosure of personal information from a child except as set forth below:
- Where the sole purpose of collecting the name or online contact information of the parent or child is to provide notice and obtain parental consent under §312.4(c)(1). If the operator has not obtained parental consent after a reasonable time, the operator must delete such information from its records.
- Where the purpose of collecting a parent's online contact information is to provide voluntary notice to, and subsequently update the parent about, the child's participation in a website or online service that does not otherwise collect, use, or disclose children's personal information. In such cases, the parent's online contact information may not be used or disclosed for any other purpose.
- Where the sole purpose of collecting online contact information from a child is to respond directly on a one-time basis to a specific request from the child, and where such information is not used to re-contact the child or for any other purpose, is not disclosed, and is deleted by the operator promptly after responding.
- Where the purpose of collecting a child's and a parent's online contact information is to respond directly more than once to the child's specific request, and where such information is not used for any other purpose, disclosed, or combined with any other information collected from the child.
- Where the purpose of collecting a child's and a parent's name and online contact information is to protect the safety of a child, and where such information is not used or disclosed for any purpose unrelated to the child's safety.
- Where the purpose of collecting a child's name and online contact information is to:
- Protect the security or integrity of its website or online service.
- Take precautions against liability.
- Respond to judicial process.
- Provide information to law enforcement agencies or for an investigation on a matter related to public safety.
- Where an operator collects a persistent identifier and no other personal information, and such identifier is used for the sole purpose of providing support for the internal operations of the website or online service.
- Where an operator collects a persistent identifier and no other personal information from a user who affirmatively interacts with the operator and whose previous registration indicates that such user is not a child.
- Verifiable parental consent is required prior to any collection, use, or disclosure of personal information from a child except as set forth below:
§312.6 Right of parent to review personal information provided by a child
-
Upon request of a parent whose child has provided personal information to a website or online service, the operator is required to provide to that parent the following:
- A description of the specific types or categories of personal information collected from children by the operator, such as name, address, telephone number, email address, hobbies, and extracurricular activities.
- The opportunity at any time to refuse to permit the operator's further use or future online collection of personal information from that child, and to direct the operator to delete the child's personal information.
- A means of reviewing any personal information collected from the child. The means employed must:
- Ensure that the requestor is a parent of that child, taking into account available technology.
- Not be unduly burdensome to the parent.
-
Neither an operator nor the operator's agent shall be held liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under this section.
-
Subject to the limitations set forth in §312.7, an operator may terminate any service provided to a child whose parent has refused to permit the operator's further use or collection of personal information from the child or has directed the operator to delete the child's personal information.
§312.7 Prohibition against conditioning a child's participation on collection of personal information
- An operator is prohibited from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity.
§312.8 Confidentiality, security, and integrity of personal information collected from children
- The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
- The operator must also take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of such information, and who provide assurances that they will maintain the information in such a manner.
§312.9 Enforcement
- Subject to sections 6503 and 6505 of the Children's Online Privacy Protection Act of 1998, a violation of a regulation prescribed under section 6502 (a) of this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
§312.10 Data retention and deletion requirements
- An operator of a website or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.
- The operator must delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.
§312.11 Safe harbor programs
-
In general, industry groups or other persons may apply to the Commission for approval of self-regulatory program guidelines ("safe harbor programs"). The application shall be filed with the Commission's Office of the Secretary. The Commission will publish in the Federal Register a document seeking public comment on the application. The Commission shall issue a written determination within 180 days of the filing of the application.
-
Criteria for approval of self-regulatory program guidelines:
- Proposed safe harbor programs must demonstrate that they meet the following performance standards:
- Program requirements that ensure operators subject to the self-regulatory program guidelines provide substantially the same or greater protections for children as those contained in §§ 312.2 through 312.8, and 312.10.
- An effective, mandatory mechanism for the independent assessment of subject operators' compliance with the self-regulatory program guidelines. At a minimum, this mechanism must include a comprehensive review by the safe harbor program, to be conducted not less than annually, of each subject operator's information policies, practices, and representations.
- Disciplinary actions for subject operators' non-compliance with self-regulatory program guidelines. This performance standard may be satisfied by:
- Mandatory, public reporting of any action taken against subject operators by the industry group issuing the self-regulatory guidelines.
- Consumer redress.
- Voluntary payments to the United States Treasury in connection with an industry-directed program for violators of the self-regulatory guidelines.
- Referral to the Commission of operators who engage in a pattern or practice of violating the self-regulatory guidelines.
- Any other equally effective action.
- Proposed safe harbor programs must demonstrate that they meet the following performance standards:
-
Request for Commission approval of self-regulatory program guidelines:
- A proposed safe harbor program's request for approval shall be accompanied by the following:
- A detailed explanation of the applicant's business model, and the technological capabilities and mechanisms that will be used for initial and continuing assessment of subject operators' fitness for membership in the safe harbor program.
- A copy of the full text of the guidelines for which approval is sought and any accompanying commentary.
- A comparison of each provision of §§ 312.2 through 312.8, and 312.10 with the corresponding provisions of the guidelines.
- A statement explaining:
- How the self-regulatory program guidelines, including the applicable assessment mechanisms, meet the requirements of this part.
- How the assessment mechanisms and compliance consequences provide effective enforcement of the requirements of this part.
- A proposed safe harbor program's request for approval shall be accompanied by the following:
-
Reporting and recordkeeping requirements:
- Approved safe harbor programs shall:
- By July 1, 2014, and annually thereafter, submit a report to the Commission containing, at a minimum:
- An aggregated summary of the results of the independent assessments.
- A description of any disciplinary action taken against any subject operator.
- A description of any approvals of member operators' use of a parental consent mechanism.
- Promptly respond to Commission requests for additional information.
- Maintain for a period not less than three years, and upon request make available to the Commission for inspection and copying:
- Consumer complaints alleging violations of the guidelines by subject operators.
- Records of disciplinary actions taken against subject operators.
- Results of the independent assessments of subject operators' compliance.
- By July 1, 2014, and annually thereafter, submit a report to the Commission containing, at a minimum:
- Approved safe harbor programs shall:
-
Post-approval modifications to self-regulatory program guidelines:
- Approved safe harbor programs must submit proposed changes to their guidelines for review and approval by the Commission in the manner required for initial approval of guidelines.
-
Revocation of approval of self-regulatory program guidelines:
- The Commission reserves the right to revoke any approval granted under this section if at any time it determines that the approved self-regulatory program guidelines or their implementation do not meet the requirements of this part.
-
Operators' participation in a safe harbor program:
- An operator will be deemed to be in compliance with the requirements of §§ 312.2 through 312.8, and 312.10 if that operator complies with Commission-approved safe harbor program guidelines.
§312.12 Voluntary Commission Approval Processes
-
Parental consent methods:
- An interested party may file a written request for Commission approval of parental consent methods not currently enumerated in §312.5(b). To be considered for approval, a party must provide a detailed description of the proposed parental consent methods, together with an analysis of how the methods meet §312.5(b)(1).
-
Support for internal operations of the website or online service:
- An interested party may file a written request for Commission approval of additional activities to be included within the definition of support for internal operations. To be considered for approval, a party must provide a detailed justification why such activities should be deemed support for internal operations.
§312.7 Prohibition against conditioning a child's participation on collection of personal information
- An operator is prohibited from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity.
§312.8 Confidentiality, security, and integrity of personal information collected from children
- The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
- The operator must also take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of such information, and who provide assurances that they will maintain the information in such a manner.
§312.9 Enforcement
- Subject to sections 6503 and 6505 of the Children's Online Privacy Protection Act of 1998, a violation of a regulation prescribed under section 6502 (a) of this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
§312.10 Data retention and deletion requirements
- An operator of a website or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.
- The operator must delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.
§312.11 Safe harbor programs
-
In general, industry groups or other persons may apply to the Commission for approval of self-regulatory program guidelines ("safe harbor programs"). The application shall be filed with the Commission's Office of the Secretary. The Commission will publish in the Federal Register a document seeking public comment on the application. The Commission shall issue a written determination within 180 days of the filing of the application.
-
Criteria for approval of self-regulatory program guidelines:
- Proposed safe harbor programs must demonstrate that they meet the following performance standards:
- Program requirements that ensure operators subject to the self-regulatory program guidelines provide substantially the same or greater protections for children as those contained in §§ 312.2 through 312.8, and 312.10.
- An effective, mandatory mechanism for the independent assessment of subject operators' compliance with the self-regulatory program guidelines. At a minimum, this mechanism must include a comprehensive review by the safe harbor program, to be conducted not less than annually, of each subject operator's information policies, practices, and representations.
- Disciplinary actions for subject operators' non-compliance with self-regulatory program guidelines. This performance standard may be satisfied by:
- Mandatory, public reporting of any action taken against subject operators by the industry group issuing the self-regulatory guidelines.
- Consumer redress.
- Voluntary payments to the United States Treasury in connection with an industry-directed program for violators of the self-regulatory guidelines.
- Referral to the Commission of operators who engage in a pattern or practice of violating the self-regulatory guidelines.
- Any other equally effective action.
- Proposed safe harbor programs must demonstrate that they meet the following performance standards:
-
Request for Commission approval of self-regulatory program guidelines:
- A proposed safe harbor program's request for approval shall be accompanied by the following:
- A detailed explanation of the applicant's business model, and the technological capabilities and mechanisms that will be used for initial and continuing assessment of subject operators' fitness for membership in the safe harbor program.
- A copy of the full text of the guidelines for which approval is sought and any accompanying commentary.
- A comparison of each provision of §§ 312.2 through 312.8, and 312.10 with the corresponding provisions of the guidelines.
- A statement explaining:
- How the self-regulatory program guidelines, including the applicable assessment mechanisms, meet the requirements of this part.
- How the assessment mechanisms and compliance consequences provide effective enforcement of the requirements of this part.
- A proposed safe harbor program's request for approval shall be accompanied by the following:
-
Reporting and recordkeeping requirements:
- Approved safe harbor programs shall:
- By July 1, 2014, and annually thereafter, submit a report to the Commission containing, at a minimum:
- An aggregated summary of the results of the independent assessments.
- A description of any disciplinary action taken against any subject operator.
- A description of any approvals of member operators' use of a parental consent mechanism.
- Promptly respond to Commission requests for additional information.
- Maintain for a period not less than three years, and upon request make available to the Commission for inspection and copying:
- Consumer complaints alleging violations of the guidelines by subject operators.
- Records of disciplinary actions taken against subject operators.
- Results of the independent assessments of subject operators' compliance.
- By July 1, 2014, and annually thereafter, submit a report to the Commission containing, at a minimum:
- Approved safe harbor programs shall:
-
Post-approval modifications to self-regulatory program guidelines:
- Approved safe harbor programs must submit proposed changes to their guidelines for review and approval by the Commission in the manner required for initial approval of guidelines.
-
Revocation of approval of self-regulatory program guidelines:
- The Commission reserves the right to revoke any approval granted under this section if at any time it determines that the approved self-regulatory program guidelines or their implementation do not meet the requirements of this part.
-
Operators' participation in a safe harbor program:
- An operator will be deemed to be in compliance with the requirements of §§ 312.2 through 312.8, and 312.10 if that operator complies with Commission-approved safe harbor program guidelines.
§312.12 Voluntary Commission Approval Processes
-
Parental consent methods:
- An interested party may file a written request for Commission approval of parental consent methods not currently enumerated in §312.5(b). To be considered for approval, a party must provide a detailed description of the proposed parental consent methods, together with an analysis of how the methods meet §312.5(b)(1).
-
Support for internal operations of the website or online service:
- An interested party may file a written request for Commission approval of additional activities to be included within the definition of support for internal operations. To be considered for approval, a party must provide a detailed justification why such activities should be deemed support for internal operations.
§312.13 Severability
- The provisions of this part are separate and severable from one another.
- If any provision is stayed or determined to be invalid, it is the Commission's intention that the remaining provisions shall continue in effect.
By direction of the Commission, Commissioner Rosch abstaining, and Commissioner Ohlhausen dissenting.
Donald S. Clark, Secretary
Dissenting Statement of Commissioner Maureen K. Ohlhausen
I voted against adopting the amendments to the Children’s Online Privacy Protection Act (COPPA) Rule because I believe a core provision of the amendments exceeds the scope of the authority granted us by Congress in COPPA, the statute that underlies and authorizes the Rule. Before I explain my concerns, I wish to commend the Commission staff for their careful consideration of the multitude of issues raised by the numerous comments in this proceeding. Much of the language of the amendments is designed to preserve flexibility for the industry while striving to protect children’s privacy, a goal I support strongly. The final proposed amendments largely strike the right balance between protecting children’s privacy online and avoiding undue burdens on providers of children’s online content and services. The staff's great expertise in the area of children’s privacy and deep understanding of the values at stake in this matter have been invaluable in my consideration of these important issues.
In COPPA, Congress defined who is an operator and thereby set the outer boundary for the statute’s and the COPPA Rule’s reach. It is undisputed that COPPA places obligations on operators of websites or online services directed to children or operators with actual knowledge that they are collecting personal information from children. The statute provides, "It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed [by the FTC]."
The Statement of Basis and Purpose for the amendments (SBP) discusses concerns that the current COPPA Rule may not cover child-directed websites or services that do not themselves collect children's personal information but may incorporate third-party plug-ins that collect such information for the plug-ins' use but do not collect or maintain the information for, or share it with, the child-directed site or service. To address these concerns, the amendments add a new proviso to the definition of "operator" in the COPPA Rule: "Personal information is collected or maintained on behalf of an operator when: (a) it is collected or maintained by an agent or service provider of the operator; or (b) the operator benefits by allowing another person to collect personal information directly from users of such website or online service."
The proposed amendments construe the term "on whose behalf such information is collected and maintained" to reach child-directed websites or services that merely derive from a third-party plug-in some kind of benefit, which may well be unrelated to the collection and use of children’s information (e.g., content, functionality, or advertising revenue). I find that this proviso—which would extend COPPA obligations to entities that do not collect personal information from children or have access to or control of such information collected by a third-party—does not comport with the plain meaning of the statutory definition of an operator in COPPA, which covers only entities "on whose behalf such information is collected and maintained." In other words, I do not believe that the fact that a child-directed site or online service receives any kind of benefit from using a plug-in is equivalent to the collection of personal information by the third-party plug-in on behalf of the child-directed site or online service.
As the Supreme Court has directed, an agency "must give effect to the unambiguously expressed intent of Congress." Thus, regardless of the policy justifications offered, I cannot support expanding the definition of the term "operator" beyond the statutory parameters set by Congress in COPPA. I, therefore, respectfully dissent.
Exhibit B
REASONS FOR SETTLEMENT
This statement accompanies the Stipulated Order for Permanent Injunction and Civil Penalty Judgment (“Stipulated Order”) executed by Edmodo, LLC (“Defendant”) in settlement of an action brought to obtain penalties and equitable relief for engaging in acts or practices in violation of the Children’s Online Privacy Protection Act of 1998 (“COPPA”), 15 U.S.C. §§ 6502(c) and 6505(d), and the Children’s Online Privacy Protection Rule (“Rule”), 16 C.F.R. Part 312, and §§ 5(a)(1), 5(m)(l)(A), 13(b), and 16(a) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§ 45(a), 45(m)(l)(A), 53(b), and 56(a). The settlement requires Defendant to pay a civil penalty in the amount of $6 million dollars ($6,000,000), which has been suspended due to inability to pay. The settlement also imposes robust injunctive relief. Pursuant to Section 5(m)(3) of the FTC Act, as amended, 15 U.S.C. § 45(m)(3), the Commission hereby sets forth its reasons for settlement by entry of the Stipulated Order: On the basis of the allegations contained in the attached complaint, the Commission believes that the $6 million civil penalty, suspended due to inability to pay, constitutes an appropriate amount on which to base settlement. The full penalty amount will become immediately due if Defendant is found to have misrepresented its finances. The civil penalty and provisions enjoining Defendant from violating the Rule constitute effective means to assure its future compliance and deter others who might violate these laws. Additionally, with the entry of such a Stipulated Order, the time and expense of litigation will be avoided. For the foregoing reasons, the Commission believes that the settlement by entry of the attached Stipulated Order with Defendant is justified and well within the public interest.
Table of contents
Questions?
If you would like to learn more, our compliance experts are happy to support you..
Leave us a Message