2018 State of EdTech Privacy Report: Third-party Marketing

A majority of applications and services are non-transparent or explicitly allow Third-party Marketing.

May 30, 2018
Girard Kelly
Counsel & Director, Privacy Review

Jeff Graham
Senior Engineer
Developer

Categories: Privacy Evaluation Initiative

Among the applications and services we evaluated for our 2018 State of EdTech Privacy Report, approximately 32% gave a qualitatively better response, disclosing that collected personal and non-personal information is never used for any third-party marketing purposes. However, approximately 30% of applications and services were non-transparent about this practice, ostensibly because many do not display any marketing-related first- or third-party advertisements. These applications and services therefore likely believe it to be self-evident that if no marketing advertisements are displayed, then a user’s data would not be used for any unsolicited marketing purposes either. When marketing practices are not transparently disclosed, parents, teachers, schools, and districts have no basis for future expectation or trust about how information collected from children and students will be handled in order to meet their expectations of privacy.

However, from a parent or teacher’s perspective there is no meaningful distinction between the display of advertisements and the use of a child or student’s information for marketing communications. Surprisingly, a relative majority in this analysis, approximately 38% of applications and services, disclose that they use child or student personal information for advertising or marketing purposes. Given that these products are intended for children and students, they are likely in violation of Federal or State law if other protections are not put in place.[1,2,3,4] Among the 38% of applications and services collecting child or student personal information for advertising or marketing purposes, a majority use language that restricts their use of personal information for marketing purposes to parents or teachers only, in order to avoid compliance issues with children or students. However, it is unclear from our analysis how vendors respect the different contexts of acceptable and unacceptable use of collected information for marketing purposes. For example, collecting and using personal information from parents and teachers for explicit marketing purposes is a different context from collecting personal information in the separate, compliance-related context of providing parental consent for their child or student’s use of the service. Moreover, a combined 68% of applications and services were either non-transparent or disclosed that they engaged in the qualitatively worse practice of using personal information for third-party marketing purposes.

Therefore, parents, teachers, schools, and districts need to exercise caution when evaluating whether to use popular edtech applications, and vendors need to provide greater transparency on this issue, because a significant percentage of applications and services intended for children and students are using collected information for third-party marketing purposes without adequate notice and informed consent.

Key Finding: Third-party Marketing

Figure 1: This chart illustrates the percentage of question responses for Third-party Marketing. Qualitatively better question responses indicate personal and non-personal information is never used for any third-party marketing purposes. Qualitatively worse question responses indicate personal and non-personal information may be used for third-party marketing purposes. Non-Transparent responses indicate the terms are unclear about whether or not the application or service can use personal or non-personal information for any third-party marketing purposes.

For more information about our key findings download the full 2018 State of EdTech Privacy Report.

References:

[1] Children’s Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 (release of personal information means the sharing, selling, renting, or transfer of personal information to any third party).

[2] Children’s Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 (an operator may display contextual advertisements to a child under the age of 13 without verifiable parental consent, under the ‘internal operations’ exception).

[3] Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code §22584(b)(1)(A) (an operator is prohibited from using student data for targeted, behavioral, or contextual advertising).

[4] California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§22580-22582 (prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to erase or remove and obtain removal of content or information posted on the operator’s site).