2018 State of EdTech Privacy Report: Track Users

A majority of applications and services are non-transparent or explicitly Track Users across other websites.

June 05, 2018
Girard Kelly
Counsel & Director, Privacy Review

Jeff Graham Senior Engineer
Developer

CATEGORIES Privacy Evaluation Initiative

Among the applications and services we evaluated for our 2018 State of EdTech Privacy Report, approximately 28% disclosed a qualitatively better response that collected information will never be used to track and target advertisements to users on other third-party websites or services. Similarly to Third-party Tracking, collection of information from children or students using persistent identifiers or third-party scripts that can be used to recognize and track a user across other websites is considered qualitatively worse in our evaluation process, because tracking users in this manner can be used for exfiltration of sensitive data through unknown processes, or for marketing or advertising purposes.

From our analysis, it appears there is approximately a 16% lower occurrence of qualitatively worse practices, as compared to Third-party Tracking. This decrease is significant, because it highlights an important distinction that vendor’s policies make between engaging directly or indirectly in advertising tracking practices: Direct (by placing those tracking technologies on their service), or Indirect (by providing third-parties with persistent identifier information from users) for third-party marketing or advertising purposes on other services. Similarly to Third-party Marketing, among the 21% of applications and services with qualitatively worse practices, a majority of policies use language to try and restrict their use of tracking to only parent or teacher information in order to avoid compliance issues with children or students. However, this distinction is difficult to apply in practice and may not adequately exculpate vendors from potential compliance violations of tracking children or students.[1,2,3,4] From our analysis, it appears vendors are not predisposed to disclose whether third parties may collect personal information about children or students’ online activities over time and across different web sites, as required by State law.[5] Moreover, the relative percent increase in non-transparency and qualitatively better practices, as compared to Third-party Tracking, is likely the result of both vendors remaining unaware of the difference between first and third-party tracking, and vendors choosing to carefully differentiate the qualitatively better practice of not sharing collected persistent identifiers that they may use themselves with other third parties for their own advertising or marketing purposes.

Key Finding: Track Users

Figure 1: This chart illustrates the percentage of question responses for Track Users. Qualitatively better question responses indicate collected information will never be used to track and target advertisements to users on other third-party websites or services. Qualitatively worse question responses indicate collected information may be used to track and target advertisements to users on other third-party websites or services. Non-Transparent responses indicate the terms are unclear about whether or not collected information can be used to track and target advertisements to users on other third-party websites or services.

For more information about our key findings download the full 2018 State of EdTech Privacy Report.

 

References:

[1] Children’s Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 (an operator is prohibited from sharing a persistent identifier collected from children that can be used to recognize and track a user over time and across different websites or services without verifiable parental consent).

[2] Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.1 (“Personal Information” under FERPA includes direct identifiers such as a student or family member’s name, or indirect identifiers such as a date of birth, or mother’s maiden name, or other information that is linkable to a specific student that would allow a reasonable person in the school community to identify the student with reasonable certainty).

[3] Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code §22584(b)(1)(B) (an operator is prohibited from tracking a student across websites with targeted advertising).

[4] California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§22580-22582 (prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to erase or remove and obtain removal of content or information posted on the operator’s site).

[5] California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(b)(6) (an operator is required to disclose whether other third parties may collect personally identifiable information about a consumer’s online activities over time and across different websites).