Privacy Daily is a service of Warren Communications News.

FTC Adds Requirements Following EdTech Firm's $5.1M Settlement with States

Education technology provider Illuminate Education must implement a data security program and delete unnecessary data in response to a data breach that may have stemmed from security failures, the FTC said Monday.

The conditions come less than a month after Connecticut, California and New York announced a $5.1 million settlement with Illuminate for failure to use basic security measures to protect student data, which led to a breach (see 2511060032).

The FTC also said Illuminate must follow a publicly available data retention schedule, notify the agency if it has alerted another government department about a data breach, and is prohibited from misrepresenting data security and privacy practices.

The Commission accepted the proposed complaint and order for public comment by a 2-0 vote. It said it would publish a description of the consent agreement package “soon” in the Federal Register.

The FTC’s complaint contains counts of unfair information security practices, data security misrepresentations and misrepresentations to school districts regarding notice.

“Illuminate pledged to secure and protect personal information about children and failed to do so,” said Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, in a release Monday. “Today’s action is an important reminder to companies that the FTC will hold them accountable if they fail to keep their privacy promises to consumers, particularly when it involves children’s medical diagnoses and other personal data.”

The states' joint settlement Nov. 6 was the first action under Connecticut’s 2016 Student Data Privacy Law and California’s 2014 K-12 Pupil Online Personal Information Protection Act (see 2511060055). In a statement following the settlement, Illuminate said it implemented “robust” security measures to protect student data (see 2511070033).

The settlement demonstrated regulators' focus on protecting kids' data, privacy pros and an attorney said (see 2511250020).