Quick Summary

The FTC started December off with a “bang” by announcing its proposed order resolving allegations that Illuminate Education failed to adequately safeguard children’s personal information and misled schools about its security practices. The Commission accused the company of storing large amounts of kids’ data without adequate safeguards, retaining it far longer than necessary, and taking far too long to notify affected parties after a breach. The order requires the company to delete unnecessary data, implement a comprehensive security program, avoid misleading privacy claims, notify partners and regulators promptly after breaches, and ensure these obligations carry forward to successors and future product versions.

Although this case arose in an education setting, the FTC’s expectations reflect a broader approach to children’s privacy across industries.

The FTC’s Broader Message

The Commission has been increasingly clear: companies handling children’s data must meet heightened standards. The FTC expects transparent disclosures, limited data retention, and security practices that reflect the sensitivity of the information. Aspirational statements about privacy are not enough — regulators are looking for verifiable protections.

What the Order Signals for All Companies Handling Kids’ Data

The requirements in the Illuminate order offer a high-level blueprint for current regulatory expectations:

• Collect and retain less data; delete what you no longer need.

• Ensure privacy statements and marketing claims match actual practices.

• Maintain reasonable safeguards such as encryption, access controls, and credential hygiene.

• Respond to breaches quickly and transparently.

• Apply obligations across product lines and business changes.

These expectations apply to any company whose products or services reach children or families, not just education-focused businesses.

State AGs Are Focused on Similar Issues

This isn't the first privacy settlement involving Illuminate's data security practices. Early last month, the California, Connecticut and New York Attorneys General announced their $5.1 million settlement with the company. You can read more about that announcement in my colleague Maria Nava's post here:
https://technologylaw.fkks.com/post/102ltvl/settlement-against-illuminate-education-highlights-expanding-enforcement-of-stude.

While the state and federal actions proceeded separately, the alignment in priorities suggests companies should anticipate ongoing attention — and potentially more coordination — from multiple regulators.

Bottom Line

These settlements reinforce that children’s privacy is a priority for regulators. Companies collecting or using kids’ data should ensure their practices — from data retention to security to public disclosures — meet the elevated expectations now taking shape.