2018 State of EdTech Privacy Report: Ad Profile

A majority of applications and services are non-transparent about creating Advertising Profiles.

June 06, 2018
Girard Kelly
Counsel & Director, Privacy Review

Jeff Graham Senior Engineer
Developer

CATEGORIES Privacy Evaluation Initiative

Among the applications and services we evaluated for our 2018 State of EdTech Privacy Report, approximately 26% disclosed a qualitatively better response that collected information will never be used by the vendor to create an advertising profile, engage in data enhancement, or target advertising. Accordingly, collection of information from children or students to amass an advertising profile or share that information with third parties for data enhancement is considered qualitatively worse in our evaluation process, because it is considered another indirect method in which to share information for marketing, advertising, or automated decision making purposes. Profiling in our evaluation process means the automated processing of personal data to evaluate certain personal aspects relating to a specific child or student, in order to analyze or predict aspects concerning that child or student for marketing or advertising purposes.[1,2,3,4,5] As compared with other marketing or advertising indicators in our evaluation, this issue has the highest relative percentage of non-transparency and lowest percentage of qualitatively worse disclosures. Simply stated: the majority of applications and services evaluated are not even aware of this issue. Among the approximately 64% that were non-transparent, it appeared vendors did not understand the distinction between using personal information for advertising or marketing purposes, and using non-personal information for amassing a profile or sharing that generated profile information with third parties for subsequent data combination or enhancement. In practice, applications and services can place contractual limitations on third parties in which they share data that describe how personal and non-personal information can be used. Accordingly, approximately 70% of applications and services disclose qualitatively better practices that they place contractual limitations on third parties, which can mitigate otherwise non-transparent responses to whether collected information can be used to create an advertising profile.[6,7,8,9]

The existence of automated decision-making, including profiling children or students for advertising purposes is likely misunderstood by vendors as Behavioral Advertising or Third-party Tracking. However, vendors should be aware that amassing a profile of a child or student for non-K-12 educational purposes is a much broader prohibition on use of collected information, because the amount and type of collected data goes beyond the scope of behavioral information, and the prohibition on use goes beyond simply advertising or marketing purposes. Therefore, parents and teachers need to exercise caution with advertising profiles when evaluating whether to use popular edtech applications and services, and vendors need to provide greater transparency on this issue. When these practices are not transparently disclosed, there is no future expectation or trust on behalf of parents, teachers, schools, or districts about how collected information from children and students will be handled in order to meet their expectations of privacy.

Key Finding: Ad Profile

Figure 1: This chart illustrates the percentage of question responses for Ad Profile. Qualitatively better question responses indicate third parties cannot create an advertising profile, engage in data enhancement, or target advertising. Qualitatively worse question responses indicate third parties can create an advertising profile, engage in data enhancement, or target advertising. Non-Transparent responses indicate the terms are unclear about whether or not third parties can create an advertising profile, engage in data enhancement, or target advertising.

For more information about our key findings download the full 2018 State of EdTech Privacy Report.

 

References:

[1] Children’s Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 (an operator is prohibited from including behavioral advertisements or amassing a profile of a child under the age of 13 child without parental consent).

[2] Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code §22584(b)(2) (an operator is prohibited from amassing a profile of a student).

[3] Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code §22584(e)(2) (an operator may share student data with third parties for legitimate research purposes if not used for advertising or to amass a profile on a student for purposes other than K–12 school purposes).

[4] California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§22580-22582 (prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to erase or remove and obtain removal of content or information posted on the operator’s site).

[5] See General Data Protection Regulation (GDPR), Definitions, Art. 4(4); General Data Protection Regulation (GDPR), Information to be provided where personal data are collected from the data subject, Art. 13(2)(f); General Data Protection Regulation (GDPR), Information to be provided where personal data have not been obtained from the data subject, Art. 14(2)(g); General Data Protection Regulation (GDPR), Right of access by the data subject, Art. 15(1)(h); General Data Protection Regulation (GDPR), Automated individual decision-making, including profiling, 22(1)-(3).

[6] Children’s Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.8 (an operator must take reasonable steps to release a child’s personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of the information, and provide assurances that they contractually maintain the information in the same manner).

[7] Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. §22584(b)(4)(E)(i) (an operator may disclose student information to a third party service provider, but the third party is prohibited from using the information for or any purpose other than providing the service).

[8] Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code §22584(b)(4)(E)(ii) (a third party service provider may not disclose student information to any subsequent third party).

[9] See General Data Protection Regulation (GDPR), Processor, Art. 28(2)-(4); General Data Protection Regulation (GDPR), Processing under the authority of the controller or processor, Art. 29.