Browse all articles

Breaking Down Silos in EdTech Privacy: Aligning Privacy Policies with Privacy Practice

written by Taylor Deitrick, Spring Privacy Law Intern

Jill Bronfman | March 13, 2020

On almost every website, consumers can find a link to the company's privacy policy. But what is a privacy policy? And do companies really have to practice what is stated in their privacy policy? In this article, we will provide an overview of what a privacy policy is as well as what privacy practices are and why the two should be aligned.

What is a privacy policy?

Companies that collect personal information are required to have a privacy policy. However, while a privacy policy may include what is legally required to be in that policy, a company's terms and conditions may provide a more complete overview of a company's practices. Further, some companies have additional policies, like a separate cookie policy or a separate child privacy policy, that are all part of the picture.

A privacy policy is a contract, and some companies require users to agree to the terms before using the service. A privacy policy is also a notice to consumers about the company’s stated privacy practices. Generally, a privacy policy discloses some or all of the ways a company might use a consumer's data, how the data is gathered, who the data might be disclosed to, and/or for what purposes that the data is utilized. In addition to stating how the company will utilize the personal data provided by its consumers, the policy may also include how they will comply with their legal privacy obligations. For example, they might mention not only that they will comply with COPPA regulations for child privacy, but also go on to describe the measures they use to get parental consent. 

Why is a privacy policy important?

A privacy policy is required by law when a company collects personal information, and having one ensures compliance with the law. A privacy policy is also important to consumers. The free market depends on good information and without it, people are buying and using products without clear expectations. Thus, a privacy policy is an essential tool that helps inform the consumer about the goods or services they may wish to use. A privacy policy is also important for researchers (like Common Sense Media) to understand and analyze what companies are publicly saying about how they collect, store, and disclose personal data provided by its consumers. These researchers can analyze this information and provide useful tools to help consumers who are overwhelmed by the quantity and complexity of privacy policies.

A privacy policy can also be seen as a different asset depending on who is interpreting it. For instance, a privacy policy might be viewed differently by a consumer, a lawmaker, and a journalist. All in all, there's a reason why the law requires a privacy policy—it's a basic element of consumer protection.

What is a privacy practice?

A privacy practice is what a company is actually doing, not just what they say they are doing in a privacy policy. Similarly, a privacy practice covers collecting, sharing, and using consumers' personal data. With new regulations and increasing concern from consumers on data privacy, companies are encouraged to engage in their industry’s best practices for data privacy. One such best practice is to increase awareness and to educate both employees and consumers on the companies' privacy practices. Privacy practices are also important because companies have to comply with privacy laws and regulations, such as COPPA. 

Meeting in the Middle

A company's privacy policy and its privacy practices should be aligned for both legal and ethical reasons. 

Consequences of the Privacy Policy and Privacy Practices Not Being Aligned

Recent lawsuits by state attorneys general indicate that there may be a difference between publicly stated privacy policies and companies' actual privacy practices. Allegations of this kind show an imbalance between transparency and alignment. Such allegations, whether viable or not, can diminish consumers' trust or loyalty to a company. And with media increasing their focus on privacy, awareness of the alleged misalignment is brought to current and potential consumers' attention. Thus, companies are not only worried about the potential of fines, but also about keeping and retaining customers.

Where Can We Start?

Common Sense Media's evaluations of privacy policies consider transparency, not just content. Users are encouraged to review these ratings to understand what companies are publicly saying about their privacy policies/practices. Lawmakers and law enforcement personnel are also encouraged to review these evaluations to see if consumer complaints about a product’s privacy practices are supported by or completely different from their privacy policies. In both cases, consumers will be able to make better decisions when privacy policies and privacy practices are on the same page.