Definitions Guide

Definitions for Privacy Evaluation Questions

This guide provides the meaning of key terms used in the privacy evaluation questions in the context of edtech privacy and security.


abuse: cruelty, violence, or insulting or offensive behavior directed at individuals or groups

actual knowledge: a particular fact a vendor knows or has reason to know -- for example, when a user enters a birth date showing their age

alternate dispute resolution (ADR): arbitration, mediation, or another method of resolving a dispute between parties other than filing a lawsuit

analytics: computation or use of data or statistics

anonymous: indicates that no personally identifying data is associated -- for example, name, address, or other data that could be used to reidentify or deanonymize

application: software or a program written for a mobile device or computer that may or may not require login authentication

assistive technology: tools designed to assist a user with one or more life functions -- for example, a tool that allows users with visual impairment to access larger fonts or one that allows users with hearing impairment to access read-aloud text

audit: a third-party company review of the practices of a vendor

authorized individual/user: a user who is permitted by a vendor to use a product, including a student, parent, guardian, or school official

behavioral advertising: commercial messages displayed to a user by a vendor or third party based on data collected from that user's online activities

behavioral data: information about a user's activities -- for example, how long the user has looked at a webpage or which webpages they have looked at

biometric data: health and physical information from human bodies -- for example, fingerprints

changelog: a record of changes made to a project, program, or policy

class action lawsuit: a legal action brought by one or more individuals on behalf of a larger group of similarly situated individuals

collection: as defined here, first-party collection of data or information from a user

compliance: legal and/or regulatory rules and standards being followed

consent: a user or responsible individual giving written or electronic agreement to an action -- for example, a user allowing collection of their information

contextual advertising: commercial messages displayed to a user based on the surrounding content

control: legal or physical power over an action

cookie: message given to a web browser by a web server to facilitate the storage of information about a user

persistent cookie: a cookie that stores information on a user's computer for longer periods, even after a user closes their web browser. This type of cookie remains on a user's hard drive until it reaches its expiration date or is deleted by the user

session cookie: a cookie that is stored temporarily on a user's computer and lasts only as long as the web browser is open


COPPA: the Children's Online Privacy Protection Act, a law created to protect the privacy of children under age 13

COPPA Safe Harbor Program: a self-regulatory compliance program approved by a regulatory agency

copyright license: permission given to use another's content

cyberbullying: bullying that takes place over the internet on devices like phones, tablets, and computers. It can happen in social media, texts, or online games, where people can view, participate in, or share content. It typically includes sending, posting, or sharing negative or harmful content about someone else on purpose. It can include sharing private information about someone else to cause embarrassment or humiliation.

data: raw unprocessed facts -- for example, that Tim is six feet tall

data at rest: information stored or not in transit between software and/or devices  

data breach: unauthorized disclosure of information to a third party, voluntarily or involuntarily

data controller: principal party for responsibilities such as collecting consent, managing consent-revoking, enabling right to access, securing, etc.

data enhancement: adding information to existing data to improve, augment, or correct it

data processor: person who processes or analyzes information on behalf of a data controller

data-protection officer: person in a privacy and/or security leadership role at a company

data-retention policy: a vendor's rules for how long user information is kept in its storage facility before it is deleted permanently

data sunset: the phasing out, terminating, or deleting of information

data transfer: any change of control of data, including a change of ownership of data

de-identification: the processing of data to remove information that can directly or indirectly be used to identify an individual person

direct control: legal and physical access -- to, for example, education information collected by a school or third party

directory information: school lists of students, faculty, and/or parents that show names and/or addresses. This includes information contained in the education records of a student as defined under FERPA.

disclosure practices: a vendor's activities relating to the public display or availability of user information

Do Not Track: a policy used to indicate that, upon request of a user's web browser agent, a company should not monitor that user's behavior on websites or should stop monitoring them

education record: information directly related to an individual K–12 student and maintained by their educational institution or by a third party acting as a school official on behalf of the educational institution

educator: a teacher at an educational institution who uses curriculum to instruct students

encryption: the process of encoding data or information to prevent unauthorized or unintended access

federated identity: information provided to a vendor from another vendor's sign-in process that is used to authorize a user and provide for the exchange of information about that user among companies

federated login: a process that allows user access to a product or application via another vendor's sign-in process

FERPA: the Family Educational Rights and Privacy Act of 1974, a federal law that, among other things, protects the privacy of student education records

filtered: processed (as of data or information) so that only a subset of the original data or information is included

free/reduced lunch status: indicates a government program providing free or subsidized meals for lower-income students that also serves as a proxy for estimating the poverty level of students' families, which then is used to determine school district funding

FTC: the Federal Trade Commission, a government agency responsible for regulating commerce and unfair and deceptive trade practices

GDPR: the General Data Protection Regulation, effective as of May 2018, which is European laws protecting the privacy and security of personal information

geolocation data: information related to the physical location of a user

government request: indicates a federal, state, or local agency asking for information

home page: the first page a user can view when linking to a company (includes App Store purchase page and landing pages for websites)

HTTP: hypertext transfer protocol, the underlying instruction system used by the web to communicate information.

HTTPS: a secure version of HTTP (hypertext transfer protocol secure)

hyperlink: a connection to another website, usually accessed when clicking on a word that is underlined

in-app purchase: the buying of something with real currency while logged into an application

indexing: processing data in order to identify it, label it, or make it easier to search

information: as defined here, data that has been processed, organized, or otherwise structured

intellectual property: generally, creative work produced and owned by an individual or company, covered by copyright, trademark, or patent law

interaction: social communication by text or posting, or information being passed from an individual to another individual or a group of individuals

internal operations: operations used for the function of a company, not for disclosure or use outside the company

IP address: internet protocol address, which identifies a computer or device's location on the internet

jurisdiction: location where a legal action may be brought

legacy contact: individual to whom an account may be assigned if that account becomes inactive

legal request: a request for information from a court or attorney as part of a legal action or in preparation for a legal action

logged: recorded electronically

login page: a webpage where a user can input authentication information, often a username and password, to access a product

machine crawling: programmed, automatic electronic searching for data or information

markup length: character length of the HTML markup used to deliver a website or privacy policy

material change: a change that affects a user's rights or responsibilities

mobile device: standalone or hand-held electronic technology that can connect to a cellular telephone network and/or the internet

moderate: to monitor and review information (as of by human or machine) for the purposes of controlling or filtering the content that is available to users

monitored: indicates when content or communications channels are reviewed, watched, or listened to

non-personally identifiable information: information that cannot be associated with an individual without the association of additional information or analysis

notice: communication from a vendor to a user for the purpose of informing the user

offline: not connected to the internet

opt-in: when the user affirmatively indicates they agree to something before it is allowed to occur

opt-out: when the user indicates they do not agree to something to continue to occur

parent: parent or legal guardian of a minor child under the age of 18, or 13 with respect to COPPA regulation

parental consent: a parent verifiably communicating to a vendor that they agree to a certain action performed by the vendor with respect to the parent's child

password: a series of letters, numbers, phrases, or symbols allowing access to an account or other restricted materials

persistent identifier: a unique electronic number used to identify a user or device on more than one application or website that allows tracking of an individual across multiple devices or sessions

personal information: characteristics that are associated with a unique individual

personally identifiable information (PII): characteristics associated with a unique individual that allow someone to identify that individual

physical access controls: controls that grant or restrict individual access to facilities -- for example, doors, gates, or pass cards

privacy certification: awarded when a vendor follows certain rules or affirms certain privacy practices in its privacy policy to receive approval from a government or privacy standards organization

privacy pledge: pledge by which a vendor affirms it will agree to uphold certain privacy industry standards

privacy policy: a document a vendor publicly posts explaining its data collection and use and disclosure practices associated with its protection of personal information

privacy shield: indicates that a vendor follows a set of privacy principles from an agreement between the United States and the European Union to meet the EU's regulatory standards

product: as defined here, an application or service offered by a vendor to the public for use

profile: a set of information about a single individual that can be used for identification

prohibited activities: actions that are not allowed in relation to a product or contract between vendor and user

protective order: a court-issued document that requires that certain information remain secret

reidentification: the taking of information that has been made anonymous and analyzing it or adding information so it can be associated with a particular individual

safe interaction: communication with trusted users only

screen reader: assistive technology used to aid in understanding the textual content of a page

school: as defined here, an educational institution offering full or partial instruction from pre-K through 12th grade

school district: a regional group of pre-K–12 schools under a central administration or authority

school official: an individual with a legitimate educational interest in, and under direct control of, a school (in this context, regarding the use and maintenance of education records)

security: as defined here, the practice of keeping personal data and information from discovery, disclosure, or use by unauthorized individuals

sensitive information/sensitive personal information: information that contains categories that have been given strong legal protections; categories vary by region

service: indicates an offering by a vendor to the public for use through a website that may or may not require login authentication

sharing: affirmative allowing of access to information, including its selling, giving, and disclosing

shouting index: amount of capital-letter text used to convey information relative to that of non-capitalized text

signal-to-noise ratio: the amount of plaintext policy information (signal) relative to the markup length (noise). This can be used as an indication of how much extraneous detail is on a policy page

social advertising: commercial activities designed to sell products or services using social media

social login: the use of a username and/or password from a social media account to gain access to another product and to share information with that product

student: a user enrolled in a level of school from pre-K to 12th grade

successor vendor: a new vendor that purchases or acquires a named vendor

teacher: a certified individual employed in pre-K–12 education

terms of service: a legal document describing both a vendor's and a user's rights and responsibilities

terms of use: a legal document describing a vendor's restrictions on a user's interactions with the product or service

third party: an entity or person other than the vendor, specifically excluding a user's parent if the user is a minor and/or that user's teacher if the user is a student using a product for school

third-party access: the allowing of third parties to access data on their own without it being affirmatively shared

third-party affiliate: company associated with a vendor not involved in providing the primary service

third-party subsidiary: legal business entity of a vendor not involved in providing the primary service

tracking: the practice of observing and recording a user's activities on one or more products

traditional advertising: advertising that is not generated by any particular user's data and is not targeted to an individual

transit: the transference of data from one electronic device to another

tracker: a cookie or other electronic mechanism used to observe and record user activities on one or more websites

trusted user: an individual who has provided credentials to use a product on behalf of themselves or another user

unauthorized user: an individual without credentials or permission to use a product on behalf of themselves or another user

unique device ID: a number/letter/symbol code to point to a particular piece of electronics, often used to track that device and therefore a user

URL: uniform resource locator, a location on the internet for a website

user: an individual who engages or attempts to engage with a vendor's product

user-created content: textual, visual, or audio information originating with an individual user rather than a vendor that may be uploaded or posted using the vendor's product

username: a word that identifies an individual user and that may be used for login and identification

vendor: a company that offers a product to the public, either for sale or free use

verifiable parental consent: a method that is reasonably designed in light of available technology to ensure that the person giving consent is the child's parent

waiver: an agreement to forgo a certain right

web: connection of human-readable pages of information on the internet