Federal Trade Commission · Announced 2022-10-31

Chegg, Inc.

Online education company Chegg suffered four data breaches affecting ~40 million consumers and employees due to repeatedly inadequate security practices.

Case identifiers

Respondent: Chegg, Inc.
Agency: Federal Trade Commission
Announced: 2022-10-31
Monetary relief: Injunctive only
Case number: FTC File No. 202-3151
Statutes cited: FTC Act § 5

Key facts

1
Four separate security incidents from 2017 through 2020 exposed consumer Social Security numbers, medical information, religious affiliations, sexual orientations, and disabilities.
2
Chegg failed to implement basic protections including multi-factor authentication, secure password storage, and employee security training.
3
The 2018 breach alone exposed 40 million consumer accounts.
4
Consent order without monetary relief; FTC focused on injunctive data-minimization requirements.

What the order requires

Injunctive terms imposed by the Federal Trade Commission. These bind Chegg, Inc.'s data practices going forward.

Required data-minimization: collect and retain only data needed for specific purposes.
Required multi-factor authentication for all employees, contractors, and users.
Biennial third-party assessments of the comprehensive information security program.
Consumer access rights: view, delete, or request deletion of personal information.

Primary sources

Read the original government documents. These are the authoritative records, everything on this page is derived from them.

Federal Trade Commission press release
https://www.ftc.gov/news-events/news/press-releases/2022/10/ftc-takes-action-against-ed-tech-provider-chegg-careless-security-exposed-personal-data-millions

Exercise your rights now

Generate a deletion request for $5

The FTC order binds Chegg, Inc.'s future practices, but doesn't automatically delete your existing data. State privacy law (CCPA, CPA, TDPSA, VCDPA) gives you that right. OfflistMe generates a compliant deletion email pre-addressed to Chegg, Inc.'s registered privacy contact.

Start for $5 →

FAQ

What did the FTC charge Chegg, Inc. with?+

Online education company Chegg suffered four data breaches affecting ~40 million consumers and employees due to repeatedly inadequate security practices. The Federal Trade Commission cited FTC Act § 5.

How much did Chegg, Inc. pay?+

The 2022-10-31 order did not include monetary penalties against Chegg, Inc.; the agency focused on injunctive relief (prohibiting certain practices going forward).

Does the Chegg, Inc. settlement mean my data has been deleted?+

The order requires Chegg, Inc. to delete certain categories of consumer data (see injunctive terms). Individual consumers should still exercise state-law deletion rights (CCPA, CPA, TDPSA) to confirm deletion from any remaining successor databases.

How can I read the original FTC order?+

The Federal Trade Commission press release is available at https://www.ftc.gov/news-events/news/press-releases/2022/10/ftc-takes-action-against-ed-tech-provider-chegg-careless-security-exposed-personal-data-millions. The case / matter number is FTC File No. 202-3151.

Related enforcement actions

Equifax, Inc. (2019)multi-state · $575,000,000 Ring LLC (2023)FTC · $5,800,000 Drizly, LLC (2022)FTC · Injunctive Residual Pumpkin Entity, LLC (formerly CafePress) (2022)FTC · $500,000 T-Mobile USA, Inc. (2024)FCC · $31,500,000 23andMe Holding Co. (2025)multi-state · $2,315,000

Full enforcement trackerCCPA + GDPR + BIPA + FTC Public data brokersSEC-filer index California registry566 registered brokers 300+ broker directoryCovered brokers What is CCPA?Consumer rights Start for $5Generate opt-out email