Consumers Affected
10,100,000
The FTC proposed a consent order against Illuminate Education, Inc. for failing to secure student data, leading to a breach affecting over 10 million students. The company allegedly had security failures and delayed breach notifications. The order requires a data security program, data deletion, and a retention schedule.
The proposed consent order prohibits misrepresentations about data security and breach notifications, requires deletion of unnecessary data, implementation of an information security program, adherence to a public data retention schedule, and reporting of data breaches to the FTC if reported elsewhere.
In-house legal teams should review all agreements where the company acts as a data processor or service provider for educational institutions, including student information system (SIS) contracts, cloud services agreements, and data processing addendums (DPAs). Specific clauses to scrutinize are data security obligations (e.g., requiring industry-standard safeguards like encryption and access controls), breach notification timelines and procedures (ensuring prompt reporting to the company and affected schools), data retention and deletion policies (mandating secure disposal of unnecessary student data), and representations/warranties regarding compliance with student privacy laws (like FERPA). Changes may be needed to mandate a comprehensive, written information security program, require regular security audits by independent third parties, impose stricter data minimization practices, and clarify liability and indemnification for data breaches involving children's sensitive information, including medical diagnoses.
Entity
Illuminate Education, Inc.
Also known as: Illuminate Education
Industry
Education
Official Press Release
https://www.ftc.gov/news-events/news/press-releases/2025/12/ftc-takes-action-against-education-technology-provider-failing-secure-students-personal-data
2223105illuminatecomplaint
https://www.ftc.gov/system/files/ftc_gov/pdf/2223105illuminatecomplaint.pdf
2223105illuminateacco
https://www.ftc.gov/system/files/ftc_gov/pdf/2223105illuminateacco.pdf
Federal Trade Commission Enforcement Page
https://www.ftc.gov/enforcement
"Illuminate Education, Inc. (Illuminate)"
"failed to deploy reasonable security measures"
"waited nearly two years to notify some school districts"
"personal data of more than 10 million students"
"children’s medical diagnoses"
"health-related information"
$5.1M
Connecticut Attorney General William Tong, along with California and New York Attorneys General, settled with Illuminate Education, Inc. for failing to protect student data in a breach that exposed personal information of millions of students. The settlement, the first under Connecticut's Student Data Privacy Law, requires Illuminate to pay $5.1 million and implement enhanced cybersecurity measures.
$5.1M
New York, California, and Connecticut attorneys general reached a $5.1 million settlement with educational technology company Illuminate Education, Inc. for failing to protect student data, resulting in a 2022 breach exposing millions of students’ personal information. The investigation found Illuminate failed to implement basic security measures including data encryption, suspicious activity monitoring, and proper decommissioning of inactive user accounts, and did not delete student data when required by contracts. Illuminate must pay the penalty and implement enhanced data security measures including a comprehensive information security program, encryption of student data, and annual notice to schools about data collection and deletion options.
$5.1M
California Attorney General Rob Bonta, joined by Connecticut and New York Attorneys General, secured a $5.1 million multistate settlement with edtech company Illuminate Education, Inc. over a 2021 data breach that exposed sensitive personal and medical information of millions of students, including over 434,000 California students. The investigation found Illuminate failed to implement basic security measures, including failing to terminate former employee credentials, lacking suspicious activity monitoring, and unsecured backup databases, as well as making false statements in its privacy policy. Illuminate must pay $3.25 million to California, implement enhanced security practices, and notify the CA DOJ of future student data breaches.
The FTC sent warning letters to 12 companies offering 'nudify' tools that generate nonconsensual intimate images, for failing to comply with the TAKE IT DOWN Act (TIDA) by not providing a mechanism for victims to request removal of such content. The letters urge immediate compliance with TIDA, which requires platforms to remove nonconsensual intimate images within 48 hours of a valid request. Noncompliant companies may face future legal action and civil penalties of up to $53,088 per violation.
The FTC began enforcing the TAKE IT DOWN Act on May 19, 2026, a law requiring covered platforms to establish a process for victims to request removal of nonconsensual intimate images and delete such content within 48 hours of a valid request. The agency launched a consumer complaint portal, issued compliance guidance for businesses and consumers, and sent reminder letters to major platforms including Meta, TikTok, and X about their obligations under the law. No specific penalties or enforcement actions against individual companies were announced in this release.
$6.5M
A federal court held Cliq Inc. and its executives Andrew Phillips and John Blaugrund in civil contempt for multiple violations of a 2015 FTC order requiring the payment processor to prevent enabling consumer fraud. The court found the defendants facilitated fraud by processing transactions for high-risk merchants, avoiding fraud monitoring, failing to conduct required underwriting, and ignoring chargeback thresholds. The court imposed $6.5 million in civil contempt sanctions against the defendants.