The Santa Clara, California-based company has had at least four high-profile breaches since 2017. Regulators accused the firm of "lax data security practices" that left the data of its users vulnerable. The data, stored on Amazon Web Services, included names, email addresses and passwords, and was stolen by a hacker in 2018 before some of it was put up for sale.
The agency said some of the data also had sensitive information about users' religion, sexual orientation, disabilities and parents' income.
"Chegg took shortcuts with millions of students' sensitive information," Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in a statement.
"Today's order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data."
The agency also issued an order calling on the company to improve its practices by limiting data collection, introducing multi-factor authentication, and enabling users to access and delete data.
The company has said that it is concerned about user privacy and remains cooperative with the FTC guidelines.
"Chegg is wholly committed to safeguarding users' data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts," the company said in a statement.
The order means Chegg avoids a sizeable fine from the FTC. However, further lapses could lead the agency to impose penalties exceeding $45,000 for each violation.
The pandemic and the emergence of remote learning have been a boost for the educational tech industry. Chegg, which has a market cap of nearly $2.9 billion, reported revenues of $776 million in 2021, a 20% rise from the year before.
Shares of Chegg closed Monday at $21.57, down $1.24, or 5.44%.