The FTC brought the case under Section 5 of the FTC Act and proposed the consent order in December 2025, following a public comment period. The final order is now binding. Illuminate must cease misrepresenting its security and breach-notification practices, delete unnecessary personal data, maintain a public data-retention schedule, implement a comprehensive information-security program, and comply with ongoing FTC monitoring and reporting obligations.
The finalized order signals a regulatory shift beyond breach response. The FTC is now actively enforcing data minimization, retention limits, and baseline security controls for companies handling sensitive student information. Edtech firms should expect similar scrutiny of whether the student data they collect and retain is proportionate to legitimate educational needs, and of whether their security infrastructure meets baseline standards before a breach occurs.