
New Report Reveals Inconsistent Privacy and Security Practices in EdTech

Read the key findings and learn how you can support better student data protections.

May 24, 2018
Erin Wilkey Oh, Executive Editor, Education Content and Distribution
Common Sense Education


When determining whether an edtech tool is safe or secure to use with students, many school administrators and educators turn to the tool's privacy policy to help inform their decision. But what should we be looking for in a privacy policy? And what if we can't make sense of what we find there?

Over the past three years, the Common Sense Privacy Initiative has evaluated the privacy policies of hundreds of edtech applications and services. Using a comprehensive rubric based on existing federal and state law, as well as on universal privacy and security principles, the Privacy Initiative team gathered data on some of the most popular edtech tools being used in schools.

This data informs the Common Sense Privacy Evaluations, which help teachers, schools, and districts make informed choices about the technology they adopt in the classroom. In addition, the findings serve as a unique and valuable snapshot of the current state of privacy and security practices in the edtech space.

The 2018 State of EdTech Privacy Report represents the culmination of a three-year examination into how student information is collected, used, and disclosed. It evaluates the 100 most popular applications and services used in educational technology using two broad criteria: transparency and quality. What we found is eye-opening and underscores how challenging it can be for schools to make informed decisions about which tools to adopt.
 

Key Findings

Overall, we found inconsistent privacy and security practices and a widespread lack of transparency, meaning the policy's explanations of privacy practices were unclear, not mentioned at all, or contradictory. Nearly all the edtech tools we evaluated either do not clearly define safeguards taken to protect child or student information, do not support encryption, or lack a detailed privacy policy. Only 10 percent of the apps or services met our minimum criteria for transparency and quality in their policies with a designation of "Use Responsibly."

In evaluating 25 indicators for safety, privacy, security, and compliance, our research uncovered key findings in several important areas:

●   Third-party marketing: Thirty-eight percent of educational technologies evaluated indicated they may use children's personal and non-personal information for third-party marketing.

●   Advertising: Forty percent indicated they may display contextual ads based on webpage content, and 29 percent indicated they may display behavioral ads based on information collected from use of the service.

●   Tracking: Among web-based services, 37 percent indicated collected information can be used by tracking technologies and third-party advertisers, 21 percent indicated collected data may be used to track visitors after they leave the site, and 30 percent indicated they ignore "do not track" requests or other mechanisms to opt out.

●   Profiling: Ten percent indicated they may create and target profiles of their users.

●   Data transfer: Seventy-four percent indicated they maintain the right to transfer any personal information collected to a third party if the company is acquired, merges with another company, or files for bankruptcy.

●   Moderation of interactions and content: Only 11 percent indicated they moderate social interactions among users, if available. Additionally, only 14 percent indicated they review user-generated content to remove non-age-appropriate content, such as references to gambling, alcohol, violence, or sex.

●   Visible personal information: Fifty percent indicated they may allow children's information to be made publicly visible.

To be sure, there are also areas where vendors scored well. We found, for example, that 92 percent indicated they use reasonable security standards to protect their users' information. In addition, 65 percent affirmed that they do not sell, rent, lease, or trade users' personally identifiable information. That said, 33 percent were non-transparent on this critical issue.

What Can Educators Do?

These findings are troubling, but they also serve as a rallying cry for action. Educators can be a critical voice in the movement for change. If you're looking to be part of the solution, here are three ways you can support better student data protections:

1. Seek out companies that have responsible practices. The Common Sense Privacy Evaluations can help you identify which tools are clear and consistent in their privacy policies and which need to improve. If you represent a school or district, consider joining the more than 140 schools and districts that are part of the Common Sense Privacy Consortium and commit to using the privacy evaluations as part of your vetting process.

2. Put pressure on companies that aren't transparent. If you find out the developer of one of your favorite edtech tools isn't protecting kids' data or isn't clear about what they're doing, let them know. There are a lot of reasons a company might be missing the mark. Get in touch with them and share your school or district's expectations.

3. Advocate for student privacy legislation and enforcement. To set consistent standards for protecting kids' data, we need laws that hold companies accountable for their practices. Contact your legislators through Common Sense Kids Action to support policies that help kids, and take a stand against those that don't.

