The release of our 2018 State of EdTech Privacy Report represents the culmination of our research over the past three years in evaluating hundreds of education technology-related applications and services. The report limits its findings to 100 privacy policies from popular edtech applications and services, as determined from interviews with various teachers, schools, and districts as well as total App Store downloads during the past 12 months. These applications and services provide a representative sample of the wide range of educational technologies that include educational games and tools for communication, collaboration, formative assessment, student feedback, content creation, and delivery of instructional content. These types of applications and services are currently used by millions of children at home and by tens of millions of students in classrooms across the country. To effectively evaluate the policies of all these applications and services, a comprehensive assessment framework was developed based on existing federal and state law, as well as privacy and security universal principles. This framework incorporates over 150 privacy- and security-related questions that are commonly expected to be disclosed in a vendor's policies in an educational context. In addition, both qualitative and quantitative methods were developed to determine both the particular issues vendors actually disclose in their policies and the meanings behind those disclosures.
Our overall findings indicate a widespread lack of transparency and inconsistent privacy and security practices. Our key findings are illustrative of current trends in the edtech industry, but are not a sign that a vendor is doing anything unethical. However, our findings could mean, based on how the application or service is used, that it may be violating federal or state laws. Our privacy-evaluation process uses only publicly available policies and is not an observational evaluation or assessment of a company’s actual practices. The key findings in Figure 1 below focus on these general areas: encryption, effective policy dates, selling data, third-party marketing, traditional advertising, behavioral advertising, third-party tracking, and the onward transfer of data to third parties.
Figure 1: This chart illustrates the percentage of question responses for each of our top 10 key findings. A "Yes" question response indicates a better practice, and a "No" question response indicates a worse practice in our evaluation. An "Unclear" question response indicates there was not sufficient information to determine whether the application or service engages in a better or worse practice.
- A majority of applications and services use Default Encryption of information for login and account creation.
- A majority of applications and services disclosed an Effective Date or version number of their policies.
- A majority of applications and services disclosed that they do not rent, lease, trade, or Sell Data, but many are non-transparent.
- A majority of applications and services are non-transparent or explicitly allow Third-party Marketing.
- A majority of applications and services are non-transparent or explicitly allow Traditional Advertising.
- A roughly equivalent percentage of applications and services have either non-transparent, better, or worse practices about Behavioral Advertising.
- A majority of applications and services are non-transparent or explicitly allow Third-party Tracking.
- A majority of applications and services are non-transparent or explicitly Track Users across other websites.
- A majority of applications and services are non-transparent about creating Ad Profiles.
- A majority of applications and services are non-transparent or explicitly allow the onward Transfer of Data.
For more information about our key findings download the full 2018 State of EdTech Privacy Report.