2018 State of EdTech Privacy Report: Transfer of Data

A majority of applications and services are non-transparent or explicitly allow the onward Transfer of Data.

June 07, 2018
Girard Kelly
Counsel & Director, Privacy Review

Jeff Graham Senior Engineer
Developer

CATEGORIES Privacy Evaluation Initiative

Among the applications and services we evaluated for our 2018 State of EdTech Privacy Report, approximately 74% disclosed a qualitatively worse response that collected information can be transferred to a successor third party in the event of a merger, acquisition, or bankruptcy. Accordingly, transferring collected information to a third party successor as an asset is considered qualitatively worse in our evaluation process, because transferred data can include personal and non-personal information that was collected for the specific purpose of using the application and service, and not for any other purpose that includes monetization through a third-party transfer. Transferring users’ information collected from the application or service to a third party can change the context in which the data is used or disclosed by that third party with unintended consequences. This raises additional questions about whether personal information that is not required to use the application or service should be collected or aggregated in the first place; which creates an incentive to use collected information as an asset to be transferred to third parties. This practice can be mitigated however, as illustrated in our analysis of Collection Limitation, where approximately 58% of applications and services disclosed that they limit the collection of information. Limiting the collection of information in this manner can change the incentive model to transfer information as an asset, because there would be less information available in which to transfer to third parties.

However, approximately 23% of applications and services are non-transparent about whether collected information can be transferred to a successor third party in the event of a merger, acquisition, or bankruptcy. Lack of transparency on this issue means applications and services still reserve the right to transfer collected information to third parties, if not otherwise prohibited by private contractual agreements. Therefore, a majority of approximately 97% of applications and services may transfer collected information in this context, and in many cases may transfer information without contractual limitations or obligations on the third party recipient.[1] Many applications and services are non-transparent about whether or not the third-party successor of a data transfer is contractually required to provide the same level of privacy protections as the vendor. However, even with contractual obligations in place, most applications and services do not provide users the ability to opt-out of a data transfer to a third party. Therefore, third parties can still use and disclose transferred information in an anonymous or de-identified format, or use information in a different context. Context matters when transferring data because policies often do not require consent from users to use collected information in a different context from which it was collected.

Key Finding: Transfer Data

Figure 1: This chart illustrates the percentage of question responses for Transfer Data. Qualitatively better question responses indicate the application or service does not transfer collected information to a successor third party in the event of a merger, acquisition, or bankruptcy. Qualitatively worse question responses indicate the application or service may transfer collected information to a successor third party in the event of a merger, acquisition, or bankruptcy. Non-Transparent responses indicate the terms are unclear about whether or not the application or service may transfer collected information.

For more information about our key findings download the full 2018 State of EdTech Privacy Report.

 

References:

[1] Children’s Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 (release of personal information means the sharing, selling, renting, or transfer of personal information to any third party).