FTC Nabs Illuminate Education in Deception Settlement Deal
Published Date: 12/4/2025
Notice
Summary
Illuminate Education, a company that helps schools with data, is being called out for unfair business practices. They’ve agreed to fix these issues under a new deal, and the public can share their thoughts until January 5, 2026. This means Illuminate must change how they operate, but no fines or money penalties are mentioned yet.
Analyzed Economic Effects
6 provisions identified: 5 benefits, 1 costs, 0 mixed.
Millions of students' records exfiltrated
The proposed complaint says a threat actor had unfettered access to Illuminate's network for 13 days and exfiltrated millions of students' personal information. The exposed data included names, addresses, parent contact information, grades, indicators of special education plans (IEP/504), and free or reduced lunch status.
Must implement comprehensive security program
Part IV requires Illuminate to establish, implement, and maintain a comprehensive information security program to protect the security, availability, confidentiality, and integrity of covered information. The complaint lists failures the program must address, including lack of encryption (data stored in plaintext until at least January 2022), weak access controls, poor threat detection, and missing incident response until at least November 2022.
Ban on lying about security and breach timing
The proposed order bars Illuminate from misrepresenting how well it protects privacy, security, availability, confidentiality, or integrity of covered information and from misrepresenting the time period in which it will notify school districts and students of a breach. This stops the company from saying it does security or breach notices it does not actually perform.
Requirement to delete unneeded student data
Part II and Part III of the proposed order require Illuminate to delete or destroy covered information that is not needed under its customer contracts, and to document and follow a retention schedule showing why it collects each item and when it will be deleted. This limits how long student data can be kept.
Independent security assessments for 10 years
Part V requires Illuminate to obtain an initial and then biennial (every two years) independent third-party information security assessment for 10 years. Part VI requires disclosing material facts to the assessor and forbids misrepresenting facts material to those assessments.
Annual CISO certification and FTC breach notice reporting
Part VII requires an annual certification from the Chief Information Security Officer that the company implemented the order and reports any material noncompliance. Part VIII requires Illuminate to notify the Commission any time it notifies a federal, state, or local government that consumer information was accessed or exposed without authorization.
Your PRIA Score
Personalized for You
How does this regulation affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this federal register document and every other regulation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Key Dates
Related Federal Register Documents
2026-11635 — Ascension Health Alliance; Analysis of Proposed Agreement Containing Consent Orders To Aid Public Comment
The Federal Trade Commission is reviewing a deal with Ascension Health Alliance to stop unfair competition practices. This affects Ascension and its healthcare partners, aiming to keep the market fair and open. People have until July 10, 2026, to share their thoughts before the deal is finalized—no money changes hands, just rules to play fair.
2026-11114 — Privacy Act of 1974; System of Records
The FTC is updating its Privacy Act records notice to make it clearer and more accurate. This affects anyone whose info is in the FTC’s systems, like consumer complaints or Do Not Call lists. The changes take effect on June 3, 2026, with no extra costs involved—just better info protection and transparency!
2026-10546 — MindSift LLC; Analysis of Proposed Consent Order To Aid Public Comment
MindSift LLC is facing claims for unfair or tricky business practices, and they’ve agreed to stop these actions through a new deal with the Federal Trade Commission. The public can share their thoughts on this agreement until June 29, 2026. This means MindSift must change how they operate soon, or face further action.
2026-10548 — CMG Media Corporation; Analysis of Proposed Consent Order To Aid Public Comment
CMG Media Corporation is facing charges for unfair or tricky business practices, and they’ve agreed to stop these actions through a new deal with the government. People can share their thoughts on this agreement until June 29, 2026. This means CMG Media must change how they operate, and the public gets a say before it’s final.
2026-10547 — 1010 Digital Works LLC; Analysis of Proposed Consent Order To Aid Public Comment
1010 Digital Works LLC is facing charges for unfair or tricky business practices, and they’ve agreed to stop these actions under a new deal. The public can share their thoughts on this agreement until June 29, 2026. This means 1010 Digital must clean up its act, and everyone gets a say before the deal is final.
2026-09704 — Granting of Requests for Early Termination of the Waiting Period Under the Premerger Notification Rules
If companies want to merge or buy each other, they usually have to wait a set time so the government can check for any problems. This notice says some companies got the green light to skip that wait early between April 1 and April 30, 2026, meaning their deals can close faster. This helps businesses save time and money while the government signals no issues with these deals.
Previous / Next Documents
Previous: 2025-21891 — Self-Regulatory Organizations; Cboe BZX Exchange, Inc.; Notice of Filing and Immediate Effectiveness of a Proposed Rule Change To Introduce a Small Retail Broker Hosted Solutions Program and To Update the Existing Eligibility Requirements for the Small Retail Brokerage Distribution Program for the Cboe One Summary Feed
Cboe BZX Exchange is rolling out a new Small Retail Broker Hosted Solutions Program and updating who can join the Small Retail Brokerage Distribution Program for the Cboe One Summary Feed. This means small retail brokers get easier, better access to important market data starting right away, with no extra fees announced yet. If you’re a small broker, these changes could make your data game stronger and simpler starting now!
Next: 2025-21894 — Endangered and Threatened Species; Receipt of Recovery Permit Applications
The U.S. Fish and Wildlife Service got requests from scientists and groups who want special permits to help save endangered and threatened animals. They’re asking everyone—local communities, tribes, and the public—to share their thoughts by January 5, 2026, before deciding. These permits let researchers do important work to protect wildlife without breaking the law.