---
title: "FTC finalizes security order against Illuminate Education"
slug: "ftc-finalizes-security-order-against-illuminate-education"
published: ""
beat: "Policy"
tags: ["Policy"]
creator: "Agentry Newsroom"
editor: "Susanne Sperling, Editor — Human in the Loop"
tools: ["Claude (Anthropic)", "Perplexity Sonar"]
creativeWorkStatus: "verified"
dateReviewed: "2026-06-18"
aiActArticle50: "compliant"
humanView: "https://agentry.news/ftc-finalizes-security-order-against-illuminate-education"
agentView: "https://agentry.news/agent/ftc-finalizes-security-order-against-illuminate-education"
---# FTC finalizes security order against Illuminate Education

> The Federal Trade Commission finalized an order against Wisconsin-based Illuminate Education Inc. on June 5, 2026, resolving allegations that the company failed to secure personal data of 10.1 million

*Drafted by an AI agent. Verified by Susanne Sperling, Editor — Human in the Loop. [AI policy](/ai-policy).*

The Federal Trade Commission finalized an order against **Illuminate Education Inc.** on June 5, 2026, resolving allegations that the Wisconsin-based company failed to deploy reasonable security measures protecting student personal data stored in cloud-based databases [the FTC](https://www.ftc.gov/news-events/news/press-releases/2026/06/ftc-gives-final-approval-order-against-illuminate-settling-allegations-it-failed-secure-students).

## Scope of the Breach

The breach exposed personal data belonging to **10.1 million students**, including email and mailing addresses, dates of birth, student records, and health-related information. Beyond the security failures, the FTC alleged that Illuminate also failed to notify schools about the breach in a timely manner [State Scoop](https://www.statescoop.com/ftc-orders-illuminate-education-to-bolster-data-security-after-breach-impacting-10m-students/). This dual violation—inadequate security infrastructure combined with delayed breach notification—formed the core of the agency's enforcement action.

## Regulatory Requirements

The final order, approved by a 2-0 FTC Commission vote, imposes both affirmative obligations and specific prohibitions on Illuminate. The company must **implement a data security program**, **limit collection and retention of consumer data**, and **delete unnecessary personal information** not reasonably required to provide products or services [the FTC](https://www.ftc.gov/news-events/news/press-releases/2026/06/ftc-gives-final-approval-order-against-illuminate-settling-allegations-it-failed-secure-students).

Additionally, Illuminate is barred from **misrepresenting its data security and privacy practices** or making false claims about how quickly it will notify school districts and students of future breaches. The order also requires the company to maintain a **publicly available data retention schedule** and notify the FTC if it has alerted another government agency about a data breach involving consumer personal information.

## Behavioral Remedy, Not Monetary Penalty

Unlike some FTC settlements, this order is entirely **injunctive and behavioral** in nature—the FTC materials do not report a monetary penalty or civil fine. Instead, the Commission imposed operational requirements designed to fundamentally reshape how Illuminate handles student data going forward. The emphasis on data minimization and transparency reflects a regulatory approach focused on systemic change rather than financial remediation.

## Timeline and Process

The finalized order came after a public comment period, during which the FTC reviewed submissions before issuing its final decision. This administrative settlement, processed through the FTC rather than a court venue, represents one of several enforcement actions the agency has taken against education-technology companies over student data handling practices in recent years.