FTC announces a complaint and consent agreement against Chegg

FTC announces a complaint and consent agreement against Chegg

Since May 2022, education technology (edtech) companies have been on notice that the Federal Trade Commission (FTC) is closely monitoring the industry to ensure privacy protections for students in digital environments. The first of such enforcement actions arrived on October 31 when the FTC announced a complaint and consent agreement against  Chegg, a company that provides educational products and services for high school and college students. The Commission alleges that Chegg “failed to protect the personal information it has collected from its users and employees,” including students’ medical and financial data, as well as employees’ direct deposit information. The FTC’s May policy statement lists four focus areas for the Commission’s investigations n of edtech companies, including “Security Requirements,” noting that ed tech providers “must have procedures to maintain the confidentiality, security, and integrity of children’s personal information.” In this case, the Commission cited Chegg’s insufficient security practices as the basis for the complaint, noting the harms that resulted from the unauthorized disclosure of sensitive student and employee information. Notably, this is the second enforcement action focused on data security that the Commission has taken in the last month.

The Children’s Online Privacy Protection Act (COPPA) was not the basis for this enforcement action, so any consumer website that collects users’ personal information should take notice. Nonetheless, COPPA-covered edtech vendors do have heightened responsibilities, and the FTC cautioned in its policy statement that these companies may be found liable for unreasonable security practices even absent a breach. Accordingly, it is a good time to revisit the three other focus areas provided in the statement: (1) COPPA covered companies may not collect information from students beyond what is reasonably necessary to allow student participation, (2) they may only use the information to provide the online education service, and (3) they may not retain the information for longer than reasonably necessary to fulfill the purpose for which it was collected. 

While we do not yet know whether COPPA will form the basis for future actions, we do know that “the action against Chegg is part of the FTC’s aggressive efforts to ensure education technology companies protect and secure personal data they collect and do not collect more information than is necessary.”

 

Related Resources

  • Advocate Perspectives, Educator Perspectives, FPF Perspectives

    Let Teachers Be: Concerns About the Online Harassment of Teachers and Practical Tips For Self-Protection

    Oct 31, 2022Nick Matera, Intern with FPF’s Youth and Education Team and Chloe Altieri, Policy Counsel

    The digital age has introduced powerful tools to harass K-12 teachers online. While there are many forms of harassment, this blog will focus on the doxing (or …

    Learn More
  • FPF Perspectives

    FPF Responds to the FTC’s COPPA Policy Statement

    May 19, 2022

    On May 19, 2022, the Federal Trade Commission (FTC) held an open meeting where it approved a policy statement prioritizing enforcement of the Children’s Online…

    Learn More
  • Higher Ed Perspectives

    The Datafication of Student Life and the Consequences for Student Data Privacy

    Apr 11, 2022Kyle M. L. Jones (MLIS, PhD) Indiana University-Indianapolis (IUPUI)

    The COVID-19 pandemic changed American higher education in more ways than many people realize: beyond forcing schools to transition overnight to fully online l…

    Learn More