Core Resources

In this section you will find a collection of our core privacy resources that include publications, training materials, FAQ guides, and documentation on our evaluation process that describes our evaluation questions, evaluation tiers, and overall scores.

Publications:

2018 State of EdTech Security Survey

  • The 2018 State of EdTech Security Survey represents a yearly examination of security practices of education technology-related online services using our security assessment. Our overall findings in 2018 indicate a significant increase in the percentage of services that both support and require encryption. In addition, our findings indicate that there was a modest decrease in the percentage of services that support encryption, but do not require encryption. However, there was no significant change in the percentage of services that implement HSTS.

2018 State of EdTech Privacy Report

  • The 2018 State of EdTech Privacy Report represents the culmination of our research over the past three years and evaluation of hundreds of education technology-related applications and services. Our overall findings are illustrative of current trends in the edtech industry including widespread lack of transparency and inconsistent privacy and security practices. The key findings illustrate better, worse, and unclear privacy and security practices of 100 popular edtech applications and services that were evaluated in the following areas: encryption, effective policy dates, selling data, third-party marketing, traditional advertising, behavioral advertising, ad tracking, third-party tracking, profiling, and the onward transfer of data to third parties.

Information Security Primer

  • The Information Security Primer details how to set-up a security testing environment for Web-based and mobile apps, and also covers basic testing scenarios, how to test responsibly, and how to disclose responsibly if and when testing uncovers issues. The information security primer can be used by anyone interested in evaluating privacy and basic information security. Vendors can use these tools to evaluate their privacy and security practices. Districts can use these tools as part of their strategy to build an internal review process. Parents, students, teachers, and privacy advocates can use these tools to ask questions about privacy and security practices and to evaluate tools on their own.

Full Evaluations:

Evaluation Framework

  • The privacy evaluation process combines transparency and qualitative questions in a single streamlined framework. This requires organizing all the questions into categories and sections derived from the Fair Information Practice Principles (FIPPs) that underlie international privacy laws and regulations. In addition, the questions and the categories that organize them all are mapped to a range of statutory, regulatory, and technical resources that provide background information on why each question is relevant to the privacy evaluation process.

Full Evaluation Questions

  • The privacy evaluation question set builds off the rubric developed by the districts. Every question in the question set is mapped to federal and state privacy statute, FTC guidelines, PTAC resources, and/or data-handling best practices. Because each question is mapped to a specific rationale, the question set can be used both to evaluate privacy practice and as a training or advocacy tool to help inform people about the different elements that can be relevant when thinking about privacy terms. Additionally, vendors can use these questions to proactively review their own policies.

Basic Evaluation Questions

  • The basic privacy evaluation question set builds off the rubric developed by the districts. Every question in the basic question set is mapped to federal and state privacy statute, FTC guidelines, PTAC resources, and/or data-handling best practices. Because each question is mapped to a specific rationale, the question set can be used both to evaluate privacy practice and as a training or advocacy tool to help inform people about the different elements that can be relevant when thinking about privacy terms. Additionally, vendors can use these questions to proactively review their own policies.

Evaluation Process

  • Our evaluation process for edtech applications and services attempts to address some of the common barriers to effectively evaluating privacy practices. Privacy concerns and needs vary widely based on the type of application or service and the context in which it is used. For example, it makes sense for a student-assessment system to collect a home address or other personal information. However, it would not make sense for an online calculator to collect a student’s home address or other types of personal information. Therefore, our evaluation process pairs a transparency evaluation with a qualitative evaluation. This provides the ability to track the information a policy discloses as well as the strengths and weaknesses of how a policy discloses that information. Lastly, our evaluation process includes reviewer-written summary evaluations that highlight the implications of the application or service’s privacy practices alongside the goals and contexts within which the service may be used.

Evaluation Tiers

  • In schools and districts, people make decisions about privacy based on their specific needs — and these needs can vary between districts and schools. The privacy evaluation process is designed to support and augment local expertise, not replace it. The evaluation process incorporates these specific needs and the decision-making processes of schools and districts into three tiers: (1) Not Recommended, (2) Use with Caution, and (3) Use Responsibly.

Evaluation Scores

  • As part of our updated evaluations, we are including a numerical roll-up score with our summary reports. The numerical roll-up score should only be used as part of a decision-making process that includes the rest of the evaluation. The number's best use is as an indicator of how much additional work a person will need to do to make an informed decision about a service. This use is directly related to the core work driving the evaluations: to help people make informed decisions about a service with less effort. The higher the number, the less effort required to make an informed and appropriate decision.

Standard Privacy Report:

Standard Privacy Report Format

  • The Common Sense Standard Privacy Report (SPR) displays the most important privacy practices from a product’s policies in a single easy-to-read outline. The SPR indicates whether or not a product’s policies disclose that they engage in each particular privacy practice and displays an alert when a particular detail is risky, unclear, or not evaluated. This alert indicates that users should investigate these particular details prior to use.

Standard Privacy Report Questions

  • The Common Sense Standard Privacy Report (SPR) is comprised of 80 core questions. You can view all of the SPR core questions with each of their possible answers for yes, no, unclear, and not evaluated. In addition, you can navigate the full privacy evaluation question set which include additional background information and relevant citations to help understand each possible answer in the SPR.

Training:

Educator Privacy Training

  • This 45-minute interactive online course for educators introduces the topic of student online privacy and offers concrete best practices for managing the risks to students. It includes specific tools and methods for assessing the privacy and security of products commonly used in the classroom, and it will support teachers in mitigating the risk of student data being compromised.

Vendor Training

  • This 11-minute presentation provides training for vendors on the Common Sense privacy evaluations, use of the policy annotator, our transparency questions, scoring methodology, and more information about our published evaluations. In addition, there is a Training Guide that provides all the information provided in the video presentation in an easy-to-read format with links for more information. 

Definitions Guide

  • Here's where to find the meaning of key terms used in the privacy evaluation questions in the context of edtech privacy and security.

Support:

FAQ and Help Center

  • The Common Sense Media Help Center provides a searchable knowledge base about the Privacy Initiative and can help answer some Frequently Asked Questions.

Evaluation Glossary

  • Our evaluation process attempts to explain complex privacy and security practices of applications and services in simple to understand language. However, there are many privacy, security, technology, and legal related acronyms that are used to describe our evaluation process and are explained here in more detail.