Evaluation Tiers

In schools and districts, people make decisions about privacy based on their specific needs — and these needs can vary between districts and schools. The privacy evaluation process is designed to support and augment local expertise, not replace it. The evaluation process incorporates these specific needs and the decision-making processes of schools and districts into the following three tiers.

  1. Use Responsibly, which indicates that the application or service meets our minimum criteria but more research should be completed prior to use;
  2. Use with Caution, which indicates that the application or service does not clearly define the safeguards to protect child or student information; and
  3. Not Recommended, which indicates that the application or service does not support encryption or lacks a detailed privacy policy.

Basic and Full Evaluations:

Basic evaluations and full evaluations share the same tier names and use the same tier questions; each indicates, below the tier name and icon, whether it is a basic or a full evaluation. Basic evaluations are a 35-point inspection of the most important privacy and security questions about a product. Full evaluations are a 150-point inspection of all the possible privacy and security questions about a product. Basic evaluations answer the most critical privacy and security questions about a product to determine which evaluation tier it belongs in, so that parents, teachers, schools, and districts can make an informed decision about whether to use the product. However, because basic evaluations do not answer all the questions of a full 150-point inspection, they do not display a full evaluation overall score or section scores. The following list displays all the possible evaluation tiers a product could receive:

Tier Criteria:

Use Responsibly:

Meets our minimum requirements for privacy safeguards, but more research should be completed prior to use.

  • Full evaluation (150-point inspection)
  • Basic evaluation (35-point inspection)

Applications and services in the "Use Responsibly" tier have met minimum criteria for transparency and quality in their policies. Before using an application or service in this tier, parents, teachers, schools, and districts are strongly advised to read the full privacy evaluation as a starting point for the process of vetting the service. In addition, a more detailed review should happen before any child or student data is shared with a service. Among the applications and services we evaluated, approximately 10% are designated Use Responsibly, which indicates their policies are sufficiently transparent and they provide qualitatively better responses to the Use with Caution and Not Recommended criteria.

Use with Caution:

Does not meet our minimum requirements for privacy safeguards, and more research should be completed prior to use.

  • Full evaluation (150-point inspection)
  • Basic evaluation (35-point inspection)

Applications and services in the "Use with Caution" tier have issues narrowly focused around data uses related to creating profiles that are not associated with any educational purpose, and/or using data to target advertisements. We include data use from both the first party (i.e., the vendor that builds the service) and third parties (any company given access to data by the vendor). Using data to profile students can potentially violate multiple State laws, and in some cases also violates Federal law. An application or service can be designated "Use with Caution" for either a lack of transparency around data use -- which creates the potential for profiling and behavioral targeting -- or for clearly stating the service uses data to target advertisements and/or create profiles. As with any application being considered for use within schools, school and/or district staff should review the privacy policies and terms of service to ensure that they meet the legal and practical requirements of their State laws and school policies. The questions listed below trigger inclusion in the Use with Caution tier:

  1. Do the policies clearly indicate the version or effective date of the policies?
  2. Do the policies clearly indicate whether or not a user’s personal information is sold or rented to third parties?
  3. Do the policies clearly indicate whether or not personal information is shared with third parties for advertising or marketing purposes?
  4. Do the policies clearly indicate whether or not behavioral or contextual advertising based on a child or student’s personal information is displayed?
  5. Do the policies clearly indicate whether or not third-party advertising services or tracking technologies collect any information from a user of the application or service?
  6. Do the policies clearly indicate whether or not a user’s personal information is used to track and target advertisements on other third-party websites or services?
  7. Do the policies clearly indicate whether or not the vendor allows third parties to use a student’s data to create a profile, engage in data enhancement or social advertising, or target advertising to students, parents, teachers, or the school?

An evaluation designation of “Use with Caution” is not a sign that a vendor is doing anything unethical, but it could mean, based on how the application or service is used, that it may be violating either federal or state laws. It is a sign that, based on publicly available policies, we do not have adequate guarantees that data will not be used by first or third parties to create noneducational profiles or to target behavioral ads. The majority of applications and services, approximately 80 percent, are designated “Use with Caution.” This high percentage is attributable to general non-transparency as well as qualitatively worse responses to most of the “Use with Caution” criteria. In particular, a majority of applications and services disclosed an effective date or version number of the policies. In addition, a majority of applications and services disclosed that they do not rent, lease, trade, or sell data. However, a majority of applications and services are non-transparent or explicitly allow third-party marketing, behavioral advertising, third-party tracking, tracking users across other websites, or the creation of ad profiles.

Not Recommended:

Fails to meet our basic requirements for privacy safeguards, which include encryption and a detailed privacy policy.

  • No distinction between basic and full evaluation

Applications and services in the “Not Recommended” tier have issues narrowly focused on whether a detailed privacy policy is available for evaluation and whether collected information is protected with default encryption during login or account creation to protect child and student data. The questions listed below trigger inclusion in the Not Recommended tier:

  1. Is a privacy policy available?
  2. Do the account-creation page, the login page, and all pages accessed while a user is logged in support encryption with HTTPS?
  3. Do the account-creation page, the login page, and all pages accessed while a user is logged in require encryption with HTTPS?
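
The difference between questions 2 and 3 (a page supports HTTPS versus a page requires it) can be checked from recorded observations of each page. The following is an added example, not part of the original evaluation criteria: the observation fields, the sample sites on example.test, and the rule that only a refused connection or a redirect to an https:// URL counts as "required" are assumptions made for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
# The three page types named in questions 2 and 3.
REQUIRED_PAGES = ("account_creation", "login", "logged_in")

def supports_https(obs):
    """Question 2: the page loads over HTTPS with a valid certificate."""
    return bool(obs["https_ok"])

def requires_https(obs):
    """Question 3: the page cannot be used over plain HTTP."""
    if not supports_https(obs):
        return False
    status = obs["http_status"]
    if status is None:                      # nothing answers on plain HTTP
        return True
    if status in REDIRECTS:                 # redirect must land on https://
        return urlsplit(obs.get("http_location") or "").scheme == "https"
    return False                            # anything else: treated as plaintext access

def evaluate(site):
    """Return the answers to questions 2 and 3 for one site."""
    missing = [p for p in REQUIRED_PAGES if p not in site]
    if missing:
        raise ValueError(f"no observation recorded for: {missing}")
    plaintext = [p for p in REQUIRED_PAGES if not requires_https(site[p])]
    return {
        "supports": all(supports_https(site[p]) for p in REQUIRED_PAGES),
        "requires": not plaintext,
        "plaintext_pages": plaintext,
    }

def _redirect(path):
    return {"https_ok": True, "http_status": 301,
            "http_location": f"https://example.test{path}"}

# Constructed sample observations (not real measurements).
SITE_ENFORCED = {"account_creation": _redirect("/signup"),
                 "login": _redirect("/login"),
                 "logged_in": _redirect("/dashboard")}
# Same site, except the login form is also served over plain HTTP.
SITE_OPTIONAL = dict(SITE_ENFORCED, login={"https_ok": True,
                                           "http_status": 200,
                                           "http_location": None})

if __name__ == "__main__":
    print(evaluate(SITE_ENFORCED))
    print(evaluate(SITE_OPTIONAL))
```

A redirect from HTTP to HTTPS still sends the first request in plaintext, so a reviewer may also want to record whether the HTTPS response carries a Strict-Transport-Security header.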

The criteria for Not Recommended measure whether or not a vendor has done the bare minimum to provide users with a rudimentary understanding of how the vendor protects user privacy. The three criteria above are all basics of sound privacy and security practice. Applications and services that do not meet these basic requirements can potentially run afoul of federal and state privacy laws.

Nonetheless, as with the Use with Caution criteria described above, a Not Recommended designation is not a sign that a vendor is doing anything unethical, but it could mean, based on how the application or service is used, that it’s violating either federal or state laws. It is a sign that, based on publicly available policies and observable security practices, their services do not provide adequate guarantees that information stored in their information systems will be protected. Among the applications and services we evaluated, approximately 10 percent are designated Not Recommended, which indicates their policies neither are sufficiently transparent nor provide qualitatively better responses to the Not Recommended criteria. Among the applications or services we evaluated, each had a privacy policy and/or terms of service available on their website at the time of our evaluation. However, the applications and services designated Not Recommended all failed to protect collected information from children and students with default encryption during the login or account-creation process.