Privacy Questions, organized by Concern

In the full Privacy Evaluations, we organize each evaluation into four concerns: Safety, Privacy, Security, and Compliance. When we run an evaluation, we read the policies and answer questions that relate to each of these concerns. This page shows the questions that we use when evaluating these specific concerns.

To jump to a specific concern, use these links:

You have multiple other options to learn more about the questions used to run the evaluations:

Safety: Promoting responsible use

9.1.1: Safe Interactions

  • Do the policies clearly indicate whether or not a user can interact with other users, or students can interact with other students in the same classroom, or school?

    Citation: Children's Online Privacy Protection Act: (An operator is required to disclose whether the service enables a child to make personal information publicly available) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.4(d)(2) Children's Online Privacy Protection Act: (An operator is prohibited from making personal information from a child publicly available in identifiable form by any means, including a public posting through the Internet, or through a personal home page or screen posted on a Web site or online service, a pen pal service, an electronic mail service, a message board, or a chat room) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2

9.1.2: Unsafe Interactions

  • Do the policies clearly indicate whether or not a user can interact with strangers, including adults?

    Citation: Children's Online Privacy Protection Act: (An operator is required to disclose whether the service enables a child to make personal information publicly available) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.4(d)(2) Children's Online Privacy Protection Act: (An operator is prohibited from making personal information from a child publicly available in identifiable form by any means, including a public posting through the Internet, or through a personal home page or screen posted on a Web site or online service, a pen pal service, an electronic mail service, a message board, or a chat room) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2

9.1.3: Share Profile

  • Do the policies clearly indicate whether or not information must be shared or revealed by a user in order to participate in social interactions?

    Citation: * Children's Online Privacy Protection Act: (An operator is required to disclose whether the service enables a child to make personal information publicly available) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.4(d)(2)

9.2.1: Visible Data

  • Do the policies clearly indicate whether or not a user's personal information can be displayed publicly in any way?

    Citation: Children's Online Privacy Protection Act: (An operator is required to disclose whether the service enables a child to make personal information publicly available) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.4(d)(2) Children's Online Privacy Protection Act: (An operator is prohibited from making personal information from a child publicly available in identifiable form by any means, including a public posting through the Internet, or through a personal home page or screen posted on a Web site or online service, a pen pal service, an electronic mail service, a message board, or a chat room) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2

9.2.2: Profile Visibility

  • Do the policies clearly indicate whether or not a user's personal information can be displayed publicly, outside the context of social interactions?

    Citation: * Children's Online Privacy Protection Act: (An operator is required to disclose whether the service enables a child to make personal information publicly available) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.4(d)(2)

9.2.3: Control Visibility

  • Do the policies clearly indicate whether or not a user has control over how their personal information is displayed to others?

9.3.1: Block Content

  • Do the policies clearly indicate whether or not an educator, parent, or a school has the ability to filter or block inappropriate content, or social interactions with unauthorized individuals?

    Citation: Children's Internet Protection Act: (A K-12 school under E-Rate discounts is required to adopt a policy of Internet safety for minors that includes monitoring the online activities of minors and the operation of a technology protection measure with respect to any of its computers with Internet access that protects against access to visual depictions that are obscene, child pornography, or harmful to minors) See Children's Internet Protection Act (CIPA), 47 U.S.C. § 254(h)(5)(B) California Privacy Rights for Minors in the Digital World: (Prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to "erase" or remove and obtain removal of content or information posted on the operator's site) See California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§ 22580-22582 * The Communications Decency Act of 1996: (A provider of an interactive computer service shall notify the customer that parental control protections (such as computer hardware, software, or filtering services) are commercially available that may assist the customer in limiting access to material that is harmful to minors) See The Communications Decency Act of 1996 (CDA), 47 U.S.C. 230(d)

9.3.2: Report Abuse

  • Do the policies clearly indicate whether or not a user can report abuse or cyber-bullying?

9.4.1: Monitor Content

  • Do the policies clearly indicate whether or not user content is reviewed, screened, or monitored by the vendor?

9.4.2: Filter Content

  • Do the policies clearly indicate whether or not the vendor takes reasonable measures to delete all personal information from a user's postings before they are made publicly visible?

    Citation: * Children's Online Privacy Protection Act: (An operator may prevent collection of personal information if it takes reasonable measures to delete all or virtually all personal information from a child's postings before they are made public and also to delete the information from its records) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2

9.4.3: Moderate Interactions

9.4.4: Log Interactions

  • Do the policies clearly indicate whether or not social interactions are logged by the vendor?

9.4.5: School Audit

  • Do the policies clearly indicate whether or not social interactions may be audited by a school or district?

9.4.6: Parent Audit

  • Do the policies clearly indicate whether or not social interactions may be audited by a parent or guardian?

9.4.7: User Audit

  • Do the policies clearly indicate whether or not social interactions may be audited by a user or eligible student?

9.5.1: Safe Tools

  • Do the policies clearly indicate whether or not tools and processes that support safe and appropriate social interactions on the application or service are provided by the vendor?

    Citation: Children's Internet Protection Act: (A K-12 school under E-Rate discounts is required to adopt a policy of Internet safety for minors that includes monitoring the online activities of minors and the operation of a technology protection measure with respect to any of its computers with Internet access that protects against access to visual depictions that are obscene, child pornography, or harmful to minors) See Children's Internet Protection Act (CIPA), 47 U.S.C. § 254(h)(5)(B) California Privacy Rights for Minors in the Digital World: (Prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to "erase" or remove and obtain removal of content or information posted on the operator's site) See California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§ 22580-22582 * The Communications Decency Act of 1996: (A provider of an interactive computer service shall notify the customer that parental control protections (such as computer hardware, software, or filtering services) are commercially available that may assist the customer in limiting access to material that is harmful to minors) See The Communications Decency Act of 1996 (CDA), 47 U.S.C. 230(d)

Privacy: Protecting collected information

1.1.1: Effective Date

1.1.2: Change Log

  • Do the policies clearly indicate a changelog or past versions of the policies are available for review?

1.2.1: Services Include

  • Do the policies clearly indicate the websites, services, or mobile applications that are covered by the policies?

    Citation: * California Online Privacy Protection Act: (An operator of a service or application that collects personally identifiable information through the Internet about individual consumers from California who use or visit its service is required to conspicuously post a privacy policy) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(a)

1.3.1: Review Changes

  • Do the policies clearly indicate whether or not any updates or material changes to the policies will be accessible for review by a user prior to the new changes being effective?

    Citation: * California Online Privacy Protection Act: (An operator is required to describe the process by which they notify consumers who use or visit its website or online service of any material changes to its privacy policy) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(b)(3)

1.3.2: Effective Changes

  • Do the policies clearly indicate whether or not any updates or material changes to the policies are effective immediately and continued use of the application or service indicates consent?

    Citation: California Online Privacy Protection Act: (An operator is required to describe the process by which they notify consumers who use or visit its website or online service of any material changes to its privacy policy) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(b)(3)
    Background: A school or district should maintain control of student data by preventing the vendor from changing its privacy policies without the school's or district's consent. A vendor that agrees to give notice of policy changes is good, however, a vendor that agrees not to change its policies without consent is better. See PTAC, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, p. 4.

1.4.1: Change Notice

  • Do the policies clearly indicate whether or not a user is notified if there are any material changes to the policies?

    Citation: * California Online Privacy Protection Act: (An operator is required to describe the process by which they notify consumers who use or visit its website or online service of any material changes to its privacy policy) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(b)(3)

1.4.2: Method Notice

  • Do the policies clearly indicate the vendor provides prominent notice on the homepage that the website or service uses cookies?

    Citation: * General Data Protection Regulation: (The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations across the region approach data privacy) See General Data Protection Regulation (GDPR), (Regulation (EU) 2016/679)

1.5.1: Vendor Contact

1.6.1: Quick Reference

1.7.1: Preferred Language

  • Do the policies clearly indicate they are available in a language other than English?

    Citation: * General Data Protection Regulation: (The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations across the region approach data privacy) See General Data Protection Regulation (GDPR), (Regulation (EU) 2016/679)

2.1.1: Collect PII

  • Do the policies clearly indicate whether or not the vendor collects Personally Identifiable Information (PII)?

    Citation: Children's Online Privacy Protection Act: (Personally Identifiable Information under COPPA includes first and last name, photos, videos, audio, geolocation information, persistent identifiers, IP address, cookies, and unique device identifiers) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 California Online Privacy Protection Act: (The term "Personally Identifiable Information" under CalOPPA means individually identifiable information about a consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name; (2) A home or other physical address, including street name and name of a city or town; (3) An e-mail address; (4) A telephone number; (5) A social security number; or (6) Any other identifier that permits the physical or online contacting of a specific individual) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22577(a)(1)-(6) Family Educational Rights and Privacy Act: ("Personal Information" under FERPA includes direct identifiers such as a student or family member's name, or indirect identifiers such as a date of birth, or mother's maiden name, or other information that is linkable to a specific student that would allow a reasonable person in the school community to identify the student with reasonable certainty) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.1
    Background: FERPA defines the term personally identifiable information (PII) to include direct identifiers (such as a student's or other family member's name) and indirect identifiers (such as a student's date of birth, place of birth, or mother's maiden name). Indirect identifiers include metadata about a student's interaction with an application or service, and even aggregate information can be considered PII under FERPA if a reasonable person in the school community could identify individual students based on the indirect identifiers together with other reasonably available information, including other public information. See PTAC, Responsibilities of Third-Party Service Providers under FERPA, p. 2; See PTAC, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, p. 2.

2.1.2: PII Categories

2.1.3: Geolocation Data

  • Do the policies clearly indicate whether or not geolocation data are collected?

    Citation: Children's Online Privacy Protection Act: (Personally Identifiable Information under COPPA includes first and last name, photos, videos, audio, geolocation information, persistent identifiers, IP address, cookies, and unique device identifiers) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Family Educational Rights and Privacy Act: ("Personal Information" under FERPA includes direct identifiers such as a student or family member's name, or indirect identifiers such as a date of birth, or mother's maiden name, or other information that is linkable to a specific student that would allow a reasonable person in the school community to identify the student with reasonable certainty) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.1 Student Online Personal Information Protection Act: ("Covered Information" under SOPIPA is personally identifiable information that includes descriptive information or identifies a student that was created or provided by a student, parent, teacher, district staff, or gathered by an operator through the operation of the site) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(i)(1)-(3) California Online Privacy Protection Act: (The term "Personally Identifiable Information" under CalOPPA means individually identifiable information about a consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name; (2) A home or other physical address, including street name and name of a city or town; (3) An e-mail address; (4) A telephone number; (5) A social security number; or (6) Any other identifier that permits the physical or online contacting of a specific individual) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22577(a)(1)-(6)
    Background: * Location information collected in the mobile context is considered a persistent identifier that can be used to recognize a user over time and across different websites or online services. Geolocation data includes information sufficient to identify the latitude and longitude coordinates of a user that can correspond to a specific street, address, name of a city or town. If location data is collected and shared with third-parties, companies should work to provide consumers with more prominent notice and choices about its geolocation data collection, transfer, use, and disposal practices. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 33; See also U.S. v. Jones, 132 S. Ct. 945, 955 (2012)("GPS monitoring generates a precise, comprehensive record of a person's public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations").

2.1.4: Health Data

  • Do the policies clearly indicate whether or not any biometric data are collected?

    Citation: Family Educational Rights and Privacy Act: (A biometric record, as used in the definition of personally identifiable information, means a record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.1 Children's Online Privacy Protection Act: (Personally Identifiable Information under COPPA includes first and last name, photos, videos, audio, geolocation information, persistent identifiers, IP address, cookies, and unique device identifiers) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Student Online Personal Information Protection Act: ("Covered Information" under SOPIPA is personally identifiable information that includes descriptive information or identifies a student that was created or provided by a student, parent, teacher, district staff, or gathered by an operator through the operation of the site) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(i)(1)-(3)
    Background: Biometric data are physical or behavioral characteristics which can be used to identify unique individuals. Biometric technologies measure these unique characteristics electronically and match them against existing records to create a highly accurate identity management system. Fingerprints, retnia scans, or voice and facial recognition are examples of physcial identification technologies. It uses the layout of facial features and their distance from one another for identification against a "gallery" of faces with similar characteristics. See Privacy Best Practice Recommendations For Commercial Biometric Use, NTIA Discussion Draft (July 22, 2015), p. 1. * The ability of facial recognition technology to identify consumers based solely on a photograph, create linkages between the offline and online world, and compile highly detailed dossiers of information, makes it especially important for companies using this technology to implement privacy by design concepts with robust choice and transparency policies. Such practices should include reducing the amount of time consumer information is retained, adopting reasonable security measures, and disclosing to consumers that the facial data collected may be used to link them to information from third-parties or publicly available sources. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 46.

2.1.5: Behavioral Data

  • Do the policies clearly indicate whether or not any behavioral data are collected?

    Citation: Children's Online Privacy Protection Act: (An operator is prohibited from including behavioral advertisements or amassing a profile of a child under the age of 13 child without parental consent) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Family Educational Rights and Privacy Act: (A biometric record, as used in the definition of personally identifiable information, means a record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.1

2.1.6: Sensitive Data

  • Do the policies clearly indicate whether or not sensitive personal information is collected?

2.1.7: Usage Data

  • Do the policies clearly indicate whether or not the application or service collects non-personal information such as a user's persistent identifier, unique device ID, IP address, or other device information?

    Citation: Children's Online Privacy Protection Act: (Personally Identifiable Information under COPPA includes first and last name, photos, videos, audio, geolocation information, persistent identifiers, IP address, cookies, and unique device identifiers) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Family Educational Rights and Privacy Act: ("Personal Information" under FERPA includes direct identifiers such as a student or family member's name, or indirect identifiers such as a date of birth, or mother's maiden name, or other information that is linkable to a specific student that would allow a reasonable person in the school community to identify the student with reasonable certainty) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.1 Student Online Personal Information Protection Act: ("Covered Information" under SOPIPA is personally identifiable information that includes descriptive information or identifies a student that was created or provided by a student, parent, teacher, district staff, or gathered by an operator through the operation of the site) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(i)(1)-(3) California Online Privacy Protection Act: (The term "Personally Identifiable Information" under CalOPPA means individually identifiable information about a consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name; (2) A home or other physical address, including street name and name of a city or town; (3) An e-mail address; (4) A telephone number; (5) A social security number; or (6) Any other identifier that permits the physical or online contacting of a specific individual) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22577(a)(1)-(6)
    Background: The Children's Online Privacy Protection Act (COPPA) defines "personal information" to include identifiers, such as a customer number held in a cookie, an IP address, a processor or device serial number, or a unique device identifier that can be used to recognize a user over time and across different websites or online services, even where such an identifier is not paired with other items of personal information. Companies should disclose in their privacy policy, and in their direct notice to parents, their collection, use or disclosure practices of persistent identifiers unless: (1) the company collects no other "personal information," and (2) persistent identifiers are collected on or through a company's site or service solely for the purpose of providing "support for the internal operations" of the site or service. See FTC, Complying with COPPA: Frequently Asked Questions, q. 6. Persistent identifiers collected for the sole purpose of providing support for the internal operations of the website or online service do not require parental consent, so long as no other personal information is collected and the persistent identifiers are not used or disclosed to contact a specific individual, including through behavioral advertising; to amass a profile on a specific individual; or for any other purpose. See FTC, Complying with COPPA: Frequently Asked Questions, q. 5. The data on students collected and maintained by Ed Tech can be extremely sensitive, including medical histories, social and emotional assessments, progress reports, and test results. Online services also collect new types of data, which were not contemplated by and may not be protected by federal privacy laws. New data types collected by Ed Tech include "metadata," such as a student’s location, how many attempts a student made to answer a question, and whether a student is using a desktop or a mobile device. Metadata can be put to good use to personalize learning and to improve educational products. It can also be used to influence or market to students or to their parents. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 3. A vendor should describe the types or categories of student information that they acquire from schools, school districts, teachers, parents, or students. Data types may include behavioral data reflecting how a student used the site or service or what content the student has accessed or created through it, and transactional data, such as persistent unique identifiers, collected through the use of your site or service. While unique identifiers are evolving with technology, currently such identifiers include, but are not limited to, cookies, device IDs, IP addresses, and other data elements if used to identify devices or users. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 11.

2.1.8: Lunch Status

  • Do the policies clearly indicate whether or not the vendor collects information on free or reduced lunch status?

    Citation: The National School Lunch Act: (The NSLA defines penalties for the unauthorized sharing of personal information related to free and reduced lunch status for students) See The National School Lunch Act (NSLA), 42 U.S.C. §§1751-63 Family Educational Rights and Privacy Act: ("Personal Information" under FERPA includes direct identifiers such as a student or family member's name, or indirect identifiers such as a date of birth, or mother's maiden name, or other information that is linkable to a specific student that would allow a reasonable person in the school community to identify the student with reasonable certainty) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.1
    Background: * The National School Lunch Act (NSLA) requires school districts to provide free or reduced price lunches to all eligible children, including eligible children in schools that had not yet established school lunch programs. The NSLA aims to safeguard the health and well-being of children and defines penalties for the unauthorized sharing of personal information related to free and reduced lunch status for students. See 42 U.S.C. §§ 1751-63.

2.3.1: Data Excluded

  • Do the policies clearly indicate whether or not the vendor does not collect specific types of data?

2.3.2: Coverage Excluded

  • Do the policies clearly indicate whether or not the vendor excludes specific types of collected data from coverage under its privacy policy?

2.4.1: Collection Limitation

3.1.1: Data Shared

  • Do the policies clearly indicate whether or not collected information (this includes data collected via automated tracking or usage analytics) is shared with third parties?

    Citation: Children's Online Privacy Protection Act: (Release of personal information means the sharing, selling, renting, or transfer of personal information to any third party) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Children's Online Privacy Protection Act: (An operator may share data with third parties who provide support for the "internal operations" of the service and who do not use or disclose the information for any other purpose) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Children's Online Privacy Protection Act: (An operator must take reasonable steps to release a child's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of the information, and provide assurances that they contractually maintain the information in the same manner) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.8 Children's Online Privacy Protection Act: (An operator can not condition a child's participation in the service with sharing any collected information with third parties. A parent is required to have the ability to consent to the collection and use of their child's personal information without also consenting to the disclosure of the information to third parties) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.5(a)(2) Family Educational Rights and Privacy Act: (A school is prohibited from disclosing a student's "education record" or data to third parties without parental consent) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.30 Student Online Personal Information Protection Act: (An operator is prohibited from sharing student information to third parties except in limited circumstances to other schools, or for research purposes) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(b)(4)
    Background: Online educational services increasingly collect a large amount of contextual or transactional data as part of their operations, often referred to as "metadata." Metadata refer to information that provides meaning and context to other data being collected; for example, information about how long a particular student took to perform an online task has more meaning if the user knows the date and time when the student completed the activity, how many attempts the student made, and how long the student's mouse hovered over an item (potentially indicating indecision). See PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, pp. 2-3. Metadata that have been stripped of all direct and indirect identifiers are not considered protected information under FERPA, because the data are not PII. A provider that has been granted access to PII from education records under the "school official" exception may use any metadata that are not linked to FERPA-protected information for other purposes, unless otherwise prohibited by the terms of their agreement with the school or district. See PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, pp. 2-3.

3.1.2: Data Categories

  • Do the policies clearly indicate what categories of information are shared with third parties?

    Citation: Children's Online Privacy Protection Act: (A parent or guardian can request the operator to provide a description of the specific types or categories of personal information collected from children by the application or service) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.6(a)(2)
    Background: Consumers deserve more transparency about how their data is shared beyond the entities with which they do business directly, including "third-party" data collectors. This means ensuring that consumers are meaningfully aware of the spectrum of information collection and reuse as the number of firms that are involved in mediating their consumer experience or collecting information from them multiplies. The data services industry should follow the lead of the online advertising and credit industries and build a common website or online portal that lists companies, describes their data practices, and provides methods for consumers to better control how their information is collected and used or to opt-out of certain marketing uses. See Exec. Office of the President, Big Data: Seizing Opportunities, Preserving Values (2014), p. 62. * What is the "School Official" Exception? In some cases, providers need PII from a students's education records in order to deliver the agreed-upon services. FERPA's school official exception to consent is most likely to apply to the schools' and districts' relationships with service providers. When schools and districts outsource institutional services or functions, FERPA permits the disclosure of PII from education records to contractors, consultants, volunteers, or other third-parties provided that the outside party meets specified requirements. See 34 C.F.R. § 99.31(a)(1)(i); See also PTAC, Responsibilities of Third-Party Service Providers under FERPA, P. 2; See also PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, p. 3-5.

3.2.1: Sharing Purpose

3.2.2: Third-Party Analytics

3.2.3: Third-Party Research

3.2.4: Third-Party Marketing

  • Do the policies clearly indicate whether or not personal information is shared with third parties for advertising or marketing purposes?

    Citation: Children's Online Privacy Protection Act: (Release of personal information means the sharing, selling, renting, or transfer of personal information to any third party) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Children's Online Privacy Protection Act: (An operator may display contextual advertisements to a child under the age of 13 without verifiable parental consent, under the "internal operations" exception) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Student Online Personal Information Protection Act: (An operator is prohibited from using student data for targeted, behavioral, or contextual advertising) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(b)(1)(A) California Privacy Rights for Minors in the Digital World: (Prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to "erase" or remove and obtain removal of content or information posted on the operator's site) See California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§ 22580-22582
    Background: * The FTC agrees that the defintion of first-party marketing should include the practice of contacting consumers across different channels. Regardless of the particular means of contact, receipt of a message from a company with which a consumer has interacted directly is likely to be consistent with the consumer's relationship with that company. If an offline or online retailer tracks a customer's activities on a third-party website, this is unlikely to be consistent with the customer's relationship with the retailer; thus, choice should be required. See FTC 2012, P. 42; See also FTC Staff Report, Self-Regulatory Principles For Online Behavioral Advertising, pp. 26-28.

3.3.1: Exclude Sharing

  • Do the policies clearly indicate whether the vendor specifies the categories of information that will not be shared with third parties?

3.4.1: Data Sold

3.5.1: Data Acquired

  • Do the policies clearly indicate whether or not a user's information is acquired from a third-party by the vendor?

    Citation: California Online Privacy Protection Act: (An operator is required to identify the categories of personally identifiable information that they collect about individual consumers who use or visit its website or online service) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(b)(1) California Online Privacy Protection Act: (The term "Personally Identifiable Information" under CalOPPA means individually identifiable information about a consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name; (2) A home or other physical address, including street name and name of a city or town; (3) An e-mail address; (4) A telephone number; (5) A social security number; or (6) Any other identifier that permits the physical or online contacting of a specific individual) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22577(a)(1)-(6)

3.6.1: Data Deidentified

  • Do the policies clearly indicate whether or not a user's information that is shared or sold to a third-party is only done so in an anonymous or de-identified format?

    Citation: Children's Online Privacy Protection Act: (An operator may disclose personal information collected from children to third parties if the data is not in an identifiable form such as de-identified, aggregated, or anonymous information) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Family Educational Rights and Privacy Act: (An exception for disclosing personally identifiable information without obtaining parental consent exists for sharing "de-identified" student records where the educational institution has made a reasonable determination that a student's identity is not personally identifiable) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.31(b)(1) Student Online Personal Information Protection Act: (An operator may share student information with a third party if in an aggregated or de-identified format) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(f)-(g) California Privacy of Pupil Records: (A school district may provide, in its discretion, statistical data from which no pupil may be identified to any public agency, entity, private nonprofit college, university, or educational research and development organization when disclosure would be in the best educational interests of pupils) See California Privacy of Pupil Records, Cal. Ed. Code § 49074
    Background: There is nothing wrong with a provider using de-identified data for other purposes, because privacy statutes, govern PII, not de-identified data. But because it can be difficult to fully de-identify data, as a best practice, an agreement between a company and third-party should prohibit re-identification and any future data transfers unless the third-party also agrees not to attempt re-identification. It is also a best practice to be specific about the de-identification process. De-identification typically requires more than just removing any obvious individual identifiers, as other demographic or contextual information can often be used to re-identify specific individuals. Retaining location and school information can also greatly increase the risk of re-identification. See PTAC, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, P. 3. Properly de-identified data can reduce the risk of a person's sensitive personal information being disclosed, but data de-identification must be done carefully. Simple removal of direct identifiers from the data to be released does not constitute adequate de-identification. Properly performed de-identification involves removing or obscuring all identifiable information until all data that can lead to individual identification have been expunged or masked. Further, when making a determination as to whether the data have been sufficiently de-identified, it is necessary to take into consideration cumulative re-identification risk from all previous data releases and other reasonably available information. See PTC, Data De-identification: An Overview of Basic Terms, p. 3. FERPA allows properly de-identified data to be used for other purposes, though providers planning to use de-identified student data should be clear about their methodologies for de-identification. If de-identified data will be transferred to another party, it is a best practice to contractually prohibit the third-party from attempting to re-identify any student data. Providers should also acknowledge whether anonymized metadata—a type of deidentified or partially de-identified data—will be used, and for what purposes. See PTAC, Responsibilities of Third-Party Service Providers under FERPA, P. 3. If a vendor shares covered information for the development and improvement of educational sites or services, they should de-identify and aggregate the information first. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 14.

3.6.2: Deidentified Process

  • Do the policies clearly indicate whether or not a user's personal information is de-identified with a reasonable level of justified confidence, or the vendor provides links to any information that describes their de-identification process?

    Citation: Children's Online Privacy Protection Act: (An operator may disclose personal information collected from children to third parties if the data is not in an identifiable form such as de-identified, aggregated, or anonymous information) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Family Educational Rights and Privacy Act: (An exception for disclosing personally identifiable information without obtaining parental consent exists for sharing "de-identified" student records where the educational institution has made a reasonable determination that a student's identity is not personally identifiable) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.31(b)(1) Student Online Personal Information Protection Act: (An operator may share student information with a third party if in an aggregated or de-identified format) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(f)-(g)
    Background: While data shared in the aggregate can reduce the risk of re-identifying anonymous individuals, it does not completely eliminate the risk, and sharing of aggregate data should be carefully reviewed. The aggregation of student-level data into school-level (or higher) reports removes much of the risk of disclosure, since no direct identifiers (such as a name, Social Security Number, or student ID) are present in the aggregated tables. Some risk of disclosure does remain, however, in circumstances where one or more students possess a unique or uncommon characteristic (or a combination of characteristics) that would allow them to be identified in the data table (this commonly occurs with small ethnic subgroup populations), or where some easily observable characteristic corresponds to an unrelated category in the data table (e.g., if a school reports that 100% of males in grade 11 scored at "Below Proficient" on an assessment). In these cases, some level of disclosure avoidance is necessary to prevent disclosure in the aggregate data table. See PTAC, Frequently Asked Questions—Disclosure Avoidance (Oct 2012), p. 2. FERPA allows properly de-identified data to be used for other purposes, though providers planning to use de-identified student data should be clear about their methodologies for de-identification. If de-identified data will be transferred to another party, it is a best practice to contractually prohibit the third-party from attempting to re-identify any student data. Providers should also acknowledge whether anonymized metadata—a type of deidentified or partially de-identified data—will be used, and for what purposes. See PTAC, Responsibilities of Third-Party Service Providers under FERPA, P. 3. A company must take reasonable measures to ensure that the data is de-identified. This means that the company must achieve a reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, computer, or other device. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 21.
  • Do the policies clearly indicate whether or not outbound links on the site to third-party external websites are age appropriate?

    Citation: Children's Internet Protection Act: (If an operator provides third-party links on its site that link to potentially non-age appropriate information for children, then the operator must provide notice upon clicking a third-party link that a user is leaving the website) See Children's Internet Protection Act (CIPA), 47 U.S.C. § 254
    Background: If a vendor links or directs student users of the site or service to external, non-Ed Tech sites or services, the vendor should disclose any such referrals in their Privacy Policy and, where possible, include a link to the privacy policy of the referral site or service. If the vendor is also the operator of the external site or service, they should maintain the same privacy and security protections for their student users when they leave the Ed Tech site or service. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 12.

3.8.1: Authorized Access

3.9.1: Third-Party Collection

3.10.1: Data Misuse

  • Do the policies clearly indicate whether or not a user's information can be deleted from a third party by the vendor, if found to be misused by the third party?

3.11.1: Third-Party Providers

  • Do the policies clearly indicate whether or not third-party services are used to support the internal operations of the vendor's application or service?

    Citation: Children's Online Privacy Protection Act: (Release of personal information means the sharing, selling, renting, or transfer of personal information to any third party) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Children's Online Privacy Protection Act: (An operator may share data with third parties who provide support for the "internal operations" of the service and who do not use or disclose the information for any other purpose) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Student Online Personal Information Protection Act: (An operator may disclose student information to a third party service provider, but the third party is prohibited from using the information for or any purpose other than providing the service) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(b)(4)(E)(i)
    Background: Disclosure of personal information for the "internal operations" of the website or online service, means activities necessary for the site or service to maintain or analyze its functioning; perform network communications; authenticate users or personalize content; serve contextual advertising or cap the frequency of advertising; protect the security or integrity of the user, website, or online service; ensure legal or regulatory compliance; or fulfill a request of a child. See 16 C.F.R. 312.2; See also FTC, Complying with COPPA: Frequently Asked Questions, q. 5.

3.11.2: Third-Party Roles

3.12.1: Third-Party Categories

3.13.1: Third-Party Policy

  • Do the policies clearly indicate whether a link to a third-party service provider, data processor, partner, or affiliate's privacy policy is available for review?

3.14.1: Vendor Combination

  • Do the policies clearly indicate whether or not data collected or maintained by the vendor can be augmented, extended, or combined with data from third party sources?

    Citation: * Children's Online Privacy Protection Act: (Non-personal information collected from a child that is later combined with personally identifiable information of that child, obtained from either the vendor or third party becomes PII) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2

3.14.2: Third-Party Combination

  • Do the policies clearly indicate whether or not data shared with third parties can be augmented, extended, or combined with data from additional third party sources?

    Citation: * Student Online Personal Information Protection Act: (An operator may disclose student information to a third party service provider, but the third party is prohibited from using the information for or any purpose other than providing the service) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(b)(4)(E)(i)

3.15.1: Social Login

  • Do the policies clearly indicate whether or not social or federated login is supported to use the service?

    Citation: * California Privacy of Pupil Records: (Prohibits schools, school districts, county offices of education, and charter schools from collecting or maintaining information about pupils from social media for any purpose other than school or pupil safety, without notifying each parent or guardian and providing the pupil with access and an opportunity to correct or delete such information) See California Privacy of Pupil Records, Cal. Ed. Code § 49073.6

3.15.2: Social Collection

  • Do the policies clearly indicate whether or not the vendor collects information from social or federated login providers?

    Citation: * California Privacy of Pupil Records: (Prohibits schools, school districts, county offices of education, and charter schools from collecting or maintaining information about pupils from social media for any purpose other than school or pupil safety, without notifying each parent or guardian and providing the pupil with access and an opportunity to correct or delete such information) See California Privacy of Pupil Records, Cal. Ed. Code § 49073.6

3.15.3: Social Sharing

  • Do the policies clearly indicate whether or not the vendor shares information with social or federated login providers?

    Background: * Social network log-on or Federated login (using a Google, Facebook, or other account to log-into multiple sites) can lead to unintended data disclosure between these web sites. Companies' privacy policies should clearly indicate what data, if any, they collect from the login provider and also what data they share back to the login provider. While these plugins or shared logins are useful and can potentially improve security by reducing the number of usernames and passwords, they can also leak sensitive personal information between third-parties. See FTC, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing, p. 14; See also FTC, Mobile Apps for Kids: Disclosures Still Not Making the Grade, pp. 19-20.

3.16.1: Third-Party Limits

  • Do the policies clearly indicate whether or not third parties have contractual limits on how they can use personal information that is shared or sold to them?

    Citation: Children's Online Privacy Protection Act: (An operator must take reasonable steps to release a child's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of the information, and provide assurances that they contractually maintain the information in the same manner) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.8 Family Educational Rights and Privacy Act: (An exception for disclosing personally identifiable information without obtaining parental consent exists for sharing data with a third party who is considered a "school official" with a legitimate educational interest, and under direct control of the school for the use and maintenance of education records) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.31(a)(1)(i)(B) Student Online Personal Information Protection Act: (An operator may disclose student information to a third party service provider, but the third party is prohibited from using the information for or any purpose other than providing the service) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(b)(4)(E)(i) Student Online Personal Information Protection Act: (A third party service provider may not disclose student information to any subsequent third party) See Student Online Personal Information Protection Act (SOPIPA),Cal. B.&P. Code § 22584(b)(4)(E)(ii)
    Background: A company that transfers data from one company to another should not place emphasis on the disclosures themselves, but on whether a disclosure leads to a use of personal data that is inconsistent within the context of its collection or a consumer's expressed desire to control the data. Thus, if a company transfers personal data to a third party, it remains accountable and thus should hold the recipient accountable—through contracts or other legally enforceable instruments. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 22. A company's data would not be "reasonably linkable" to a particular consumer or device to the extent that the company implements three significant protections for that data: (1) a given data set is not reasonably identifiable, (2) the company publicly commits not to re-identify it, and (3) the company requires any downstream users of the data to keep it in de-identified form. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 21. The ability to re-identify "anonymous" data supports the FTC's framework application to data that can be reasonably linked to a consumer or device, because consumers' privacy interest in data goes beyond what is strictly labeled PII. There exists a legitimate interest for consumers in having control over how companies collect and use aggregated or de-identified data, browser fingerprints, and other types of non-PII. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), pp. 18-19. Properly de-identified data can reduce the risk of a person's sensitive personal information being disclosed, but data de-identification must be done carefully. Simple removal of direct identifiers from the data to be released does not constitute adequate de-identification. Properly performed de-identification involves removing or obscuring all identifiable information until all data that can lead to individual identification have been expunged or masked. Further, when making a determination as to whether the data have been sufficiently de-identified, it is necessary to take into consideration cumulative re-identification risk from all previous data releases and other reasonably available information. See PTC, Data De-identification: An Overview of Basic Terms, p. 3. * A vendor should contractually require their service providers who receive covered information acquired through the site or service to use the information only to provide the contracted service, not to further disclose the information, to implement and maintain reasonable security procedures and practices as required by law, and to return or delete covered information at the completion of the contract. Include a requirement that any service providers notify the vendor immediately of any unauthorized disclosure of the student information in their custody, and then act promptly to provide proper notice as required by law. Make clear to service providers that they may separately face liability for the mishandling of student data. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 13.

3.16.2: Combination Limits

  • Do the policies clearly indicate whether or not third parties have contractual limits that prohibit re-identification or combining data with other data sources that are shared or sold to them?

    Citation: Children's Online Privacy Protection Act: (An operator must take reasonable steps to release a child's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of the information, and provide assurances that they contractually maintain the information in the same manner) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.8
    Background: When data are collected in one context and combined with data from other sources or different contexts, it increases the potential for an individual's privacy to be compromised. Combining data from multiple sources is part of the process of creating a digital profile of a student. Combining data from multiple sources can also be used to re-identify data sets that have been de-identified, or to identify individuals within data sets that have been shared as anonymous aggregated data. A privacy policy that prohibits third-parties from re-identifying anonymous aggregated data provides an additional level of privacy protection for users. See PTC, Data De-identification: An Overview of Basic Terms. The FTC recommends that third-party data brokers take reasonable precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes. Of course, the use of race, color, religion, and certain other categories to make credit, insurance, and employment decisions is already against the law, but data brokers should help ensure that the information does not unintentionally go to unscrupulous entities that would be likely to use it for unlawful discriminatory purposes. Similarly, data brokers should conduct due diligence to ensure that data that they intend for marketing or risk mitigation purposes is not used to deny consumers credit, insurance, employment, or the like. See FTC, Data Brokers: A Call For Transparency and Accountability (May 2014), pp. 55-56. A company that transfers data from one company to another should not place emphasis on the disclosures themselves, but on whether a disclosure leads to a use of personal data that is inconsistent within the context of its collection or a consumer's expressed desire to control the data. Thus, if a company transfers personal data to a third party, it remains accountable and thus should hold the recipient accountable—through contracts or other legally enforceable instruments. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 22. * The FTC's framework application applies to data that, while not yet linked to a particular consumer, computer, or device, may reasonably become so. There is significant evidence demonstrating that technological advances and the ability to combine disparate pieces of data can lead to identification of a consumer, computer, or device even if the individual pieces of data do not constitute PII. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 20.

4.1.1: Purpose Limitation

  • Do the policies clearly indicate whether or not the vendor limits the use of data collected by the application to the educational purpose for which it was collected?

    Citation: Children's Online Privacy Protection Act: (An operator may retain information collected from a child only as long as necessarily to fulfill the purpose for which it was collected and must delete the information using reasonable measures to prevent unauthorized use) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.10 Children's Online Privacy Protection Act: (An operator is required to provide direct notice to parents describing what information is collected, how information is used, its disclosure practices and exceptions) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.4(b) Student Online Personal Information Protection Act: (Student data may be used by the operator for adaptive learning or customized assessments) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(l) California AB 1584 - Privacy of Pupil Records: (A local educational agency that enters into a contract with a third party must ensure the contract contains a prohibition against the third party using any information in the pupil record for any purpose other than those required or specifically permitted by the contract) See California AB 1584 - Privacy of Pupil Records, Cal. Ed. Code § 49073.1(b)(3)
    Background: * Any PII from a students's education record that the provider receives under FERPA's "school official" exception may only be used for the specific purpose for which it was disclosed (i.e., to perform the outsourced institutional service or function, and the school or district must have direct control over the use and maintenance of the PII by the provider receiving the PII). Further, under FERPA's school official exception, the provider may not share or sell FERPA-protected information, or re-use it for any other purposes, except as directed by the school or district and as permitted by FERPA. See PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, p. 5.

4.1.2: Data Purpose

  • Do the policies clearly indicate the context or purpose in which data are collected?

    Background: The Federal Trade Commission ("FTC") encourages companies that collect personal information that is inconsistent with the context of a particular transaction, or the consumer's relationship with the business, to make appropriate disclosures to consumers regarding the company's data collection practices at a relevant time and in a prominent manner – outside of a privacy policy or other legal document. See Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers ("FTC 2012 Report"), p. 27. There may be practices that are inconsistent with the context of the interaction standard and thus warrant consumer choice. For instance, there may be contexts in which the "repurposing" of data to improve existing products or services would exceed the internal operations concept. Thus, where a product improvement involves additional sharing of consumer data with third-parties, it would no longer be an "internal operation" consistent with the context of the consumer's interaction with a company. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 39.

4.2.1: Data Type

  • Do the policies clearly indicate specific types of personal information (PII, Non-PII, Children's PII, Sensitive information, etc.)?

4.3.1: Account Type

  • Do the policies clearly indicate different types or classes of user accounts?

4.4.1: Combination Type

  • Do the policies clearly indicate whether or not Personally Identifiable Information (PII) combined with non-PII would be treated as PII?

    Citation: Children's Online Privacy Protection Act: (Non-personal information collected from a child that is later combined with personally identifiable information of that child, obtained from either the vendor or third party becomes PII) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2
    Background: When data are collected in one context and combined with data from other sources or different contexts, it increases the potential for an individual's privacy to be compromised. Combining data from multiple sources is part of the process of creating a digital profile of a student. Combining data from multiple sources can also be used to re-identify data sets that have been de-identified, or to identify individuals within data sets that have been shared as anonymous aggregated data. A privacy policy that prohibits third-parties from re-identifying anonymous aggregated data provides an additional level of privacy protection for users. See PTC, Data De-identification: An Overview of Basic Terms.

4.5.1: Context Notice

  • Do the policies clearly indicate whether or not notice is provided to a user if the vendor changes the context in which data are collected?

4.6.1: Practice Changes

  • Do the policies clearly indicate whether or not the vendor will obtain consent if the practices in which data are collected change or are inconsistent with contractual requirements?

4.7.1: Community Guidelines

  • Do the policies clearly indicate whether or not the vendor may terminate a user's account if they engage in any prohibited activities?

5.1.1: User Submission

  • Do the policies clearly indicate whether or not a user can create or upload content to the service?

5.1.2: Content Control

5.4.1: User Control

  • Do the policies clearly indicate whether or not a user can control the vendor or third party's use of their information through privacy settings?

    Background: * While notice and consent remains fundamental in many contexts, it is important to examine whether a greater focus on how data is used and reused would be a more productive basis for managing privacy rights in a big data environment. It may be that creating mechanisms for individuals to participate in the use and distribution of his or her information after it is collected is actually a better and more empowering way to allow people to access the benefits that derive from their information. Privacy protections must also evolve in a way that accommodates the social good that can come of big data use. See Exec. Office of the President, Big Data: Seizing Opportunities, Preserving Values (2014), p. 61.
  • Do the policies clearly indicate whether or not a user can provide consent or opt-out from disclosure of their data to a third party?

    Citation: * California "Shine the Light": (California's "Shine the Light" law refers to information sharing disclose requirements for companies that do business with California residents to allow customers to opt-out of information sharing, or make a detailed disclosure of how personal information was shared for direct marketing purposes) See Information Sharing Disclosure, Cal. Civ. Code §§1798.83-1798.84

5.5.2: Disclosure Request

  • Do the policies clearly indicate whether or not a user can request the vendor to disclose all the personal information or records collected about them or shared with third parties?

    Citation: California "Shine the Light": (California's "Shine the Light" law refers to information sharing disclose requirements for companies that do business with California residents to allow customers to opt-out of information sharing, or make a detailed disclosure of how personal information was shared for direct marketing purposes) See Information Sharing Disclosure, Cal. Civ. Code §§1798.83-1798.84 Family Educational Rights and Privacy Act: (A parent or guardian may request to receive a copy of their student's records that have been disclosed by the vendor) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.30(c)(1)

5.5.3: Disclosure Notice

  • Do the policies clearly indicate whether or not in the event a vendor discloses information in response to a government or legal request, if they will contact the affected user, school, parent, or student with notice of the request, so they may choose to seek a protective order or other legal remedy?

    Citation: Family Educational Rights and Privacy Act: (An educational agency or institution may disclose information for lawful reasons if they make a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance, so that the parent or eligible student may seek protective action) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.31(a)(9)(ii) California Electronic Communications Privacy Act: (Prohibits a government entity from compelling the production of or access to electronic communication information or electronic device information, without a search warrant, wiretap order, order for electronic reader records, or subpoena issued pursuant under specified conditions, except for emergency situations) See California Electronic Communications Privacy Act, Cal. Pen. Code § 1546-1546.4)

6.6.1: User Export

7.1.1: Transfer Data

7.1.2: Data Assignment

  • Do the policies clearly indicate whether or not the vendor can assign its rights or delegate its duties under the policies to a third party without notice or consent?

7.2.1: Transfer Notice

  • Do the policies clearly indicate whether or not a user will be notified and allowed to provide consent to a data transfer to a third-party successor, in the event of a vendor bankruptcy, merger, or acquisition?

7.3.1: Delete Transfer

  • Do the policies clearly indicate whether or not a user can request to delete their data prior to its transfer to a third-party successor in the event of a vendor bankruptcy, merger, or acquisition?

7.4.1: Contractual Limits

  • Do the policies clearly indicate whether or not the third-party successor of a data transfer is contractually required to provide the same level of privacy protections as the vendor?

    Citation: Children's Online Privacy Protection Act: (An operator must take reasonable steps to release a child's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of the information, and provide assurances that they contractually maintain the information in the same manner) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.8 Student Online Personal Information Protection Act: (An operator may transfer a student's personal information to a third party in the event of a merger, acquisition, or bankruptcy, but the successor entity is subject to the same onward data privacy and security obligations) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(b)(3)
    Background: * A vendor should not sell any student information acquired through the site or service, except as part of a merger or acquisition. In such cases, ensure that any successor entity is contractually obligated to comply with the terms of your privacy policy under which the student information was collected, and with all legal requirements for the use, disclosure, and security of the student information previously acquired through your site or service. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 14.

10.1.1: Service Messages

  • Do the policies clearly indicate whether or not a user will receive service or administrative related email or text message communications from the vendor or third party?

10.2.1: Traditional Ads

10.3.1: Behavioral Ads

  • Do the policies clearly indicate whether or not behavioral or contextual advertising based on a student's personal information are displayed?

    Citation: Children's Online Privacy Protection Act: (An operator may display contextual advertisements to a child under the age of 13 without verifiable parental consent, under the "internal operations" exception) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Children's Online Privacy Protection Act: (An operator is prohibited from including behavioral advertisements or amassing a profile of a child under the age of 13 child without parental consent) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Student Online Personal Information Protection Act: (An operator is prohibited from using student data for targeted, behavioral, or contextual advertising) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(b)(1)(A)
    Background: Online behavioral or targeted advertising is the practice of collecting information about consumers' online interests in order to deliver targeted advertising to them. This system of advertising revolves around ad networks that can track individual consumers—or at least their devices—across different websites. When organized according to unique identifiers, this data can provide a potentially wide-ranging view of individual use of the Internet. These individual behavioral profiles allow advertisers to target ads based on inferences about individual interests, as revealed by Internet use. Targeted ads are generally more valuable and efficient than purely contextual ads and provide revenue that supports an array of free online content and services. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), pp. 11-12. The FTC recommends that affirmative express consent is appropriate when a company uses sensitive data for any marketing, whether first or third-party. When health or children's information is involved, for example, the likelihood that data misuse could lead to embarrassment, discrimination, or other harms is increased. This risk exists regardless of whether the entity collecting and using the data is a first-party or a third-party that is unknown to the consumer. In light of the heightened privacy risks associated with sensitive data, first parties should provide a consumer choice mechanism at the time of data collection. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 47. The FTC believes affirmative express consent for first-party marketing using sensitive data should be limited. Certainly, where a company's business model is designed to target consumers based on sensitive data – including data about children, financial and health information, Social Security numbers, and certain geolocation data – the company should seek affirmative express consent before collecting the data from those consumers. On the other hand, the risks to consumers may not justify the potential burdens on general audience businesses that incidentally collect and use sensitive information. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), pp. 47-48. * If a vendor displays targeted advertising they should not use any information, including covered information and persistent unique identifiers, acquired through the site or service as a basis for targeting advertising to a specific student or other user. This includes both advertising delivered on the site or service that acquired the information and advertising delivered on any other site or service based on that information. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 12.

10.4.1: Third-Party Tracking

10.4.2: Track Users

  • Do the policies clearly indicate whether or not a user's information is used to track and target advertisements on other third-party websites or services?

    Citation: Children's Online Privacy Protection Act: (An operator is prohibited from sharing a persistent identifier collected from children that can be used to recognize and track a user over time and across different websites or services without verifiable parental consent) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Student Online Personal Information Protection Act: (An operator is prohibited from tracking a student across websites with targeted advertising) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(b)(1)(B) California Online Privacy Protection Act: (An operator is required to disclose whether other third parties may collect personally identifiable information about a consumer's online activities over time and across different Web sites) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(b)(6) Family Educational Rights and Privacy Act: ("Personal Information" under FERPA includes direct identifiers such as a student or family member's name, or indirect identifiers such as a date of birth, or mother's maiden name, or other information that is linkable to a specific student that would allow a reasonable person in the school community to identify the student with reasonable certainty) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.1 California Privacy Rights for Minors in the Digital World: (Prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to "erase" or remove and obtain removal of content or information posted on the operator's site) See California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§ 22580-22582
    Background: The FTC recommends that where a company that has a first-party relationship with a consumer for delivery of a specific service, but also tracks the consumer's activities across other parties' websites, such tracking is unlikely to be consistent with the context of the consumer's first-party relationship with the entity. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 41. * The FTC agrees that the defintion of first-party marketing should include the practice of contacting consumers across different channels. Regardless of the particular means of contact, receipt of a message from a company with which a consumer has interacted directly is likely to be consistent with the consumer's relationship with that company. If an offline or online retailer tracks a customer's activities on a third-party website, this is unlikely to be consistent with the customer's relationship with the retailer; thus, choice should be required. See FTC 2012, P. 42; See also FTC Staff Report, Self-Regulatory Principles For Online Behavioral Advertising, pp. 26-28.

10.4.3: Ad Profile

10.5.1: Child Ads

  • Do the policies clearly indicate whether or not advertisements are displayed to children under 13 years of age?

    Citation: Student Online Personal Information Protection Act: (An operator is prohibited from using student data for targeted, behavioral, or contextual advertising) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(b)(1)(A) California Privacy Rights for Minors in the Digital World: (Prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to "erase" or remove and obtain removal of content or information posted on the operator's site) See California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§ 22580-22582
    Background: The FTC restricts advertisements that may be misleading to children. Advertising to children under the age of 13 is particularly scrutinized, as research shows that these children are especially vulnerable because they are unable to understand an advertisement's persuasive intent. Self-regulatory guidelines are also published by the Children's Advertising Review Unit, which is a branch of the advertising self-regulatory program administered by the Council of Better Business Bureaus. The guidelines generally provide that any advertising to young children should be clearly distinguishable from the other content. See Children's Advertising Review Unit, Self-Regulatory Program for Children's Advertising. Third-party data brokers should implement better measures to refrain from collecting information from children and teens, particularly in marketing products. As to children under 13, COPPA already requires certain online services to refrain from collecting personal information from this age group without parental consent. The principles underlying COPPA could apply equally to information collected offline from children. As to teens, the FTC previously has noted that they often lack the judgment to appreciate the long-term consequences of, for example, posting personal information on the Internet. See FTC, Data Brokers: A Call For Transparency and Accountability (May 2014), p. 55.

10.5.2: Filter Ads

  • Do the policies clearly indicate whether or not advertisements that are age inappropriate for minors are filtered (e.g., alcohol, gambling, violent, or sexual content)?

    Citation: California Privacy Rights for Minors in the Digital World: (Prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to "erase" or remove and obtain removal of content or information posted on the operator's site) See California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§ 22580-22582 Children's Internet Protection Act: (A K-12 school under E-Rate discounts is required to adopt a policy of Internet safety for minors that includes monitoring the online activities of minors and the operation of a technology protection measure with respect to any of its computers with Internet access that protects against access to visual depictions that are obscene, child pornography, or harmful to minors) See Children's Internet Protection Act (CIPA), 47 U.S.C. § 254(h)(5)(B)
    Background: * Advertising to children in school presents a variety of legal issues. Several states have laws that place restrictions on the advertising of products or services that have inappropriate content for children, such as alcohol and firearms. Additionally, contextual advertising would likley be permissible as, 'support for internal operations' of a service or applciation, in contrast to behaviorally targeted advertising that implicates several privacy laws such as the CIPA, COPPA, and FERPA, which restrict the use of personal information without parental consent.

10.6.1: Marketing Messages

  • Do the policies clearly indicate whether or not the vendor may send marketing emails, text messages, or other related communications that may be of interest to a user?

    Citation: Children's Online Privacy Protection Act: (An operator may display contextual advertisements to a child under the age of 13 without verifiable parental consent, under the "internal operations" exception) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Children's Online Privacy Protection Act: (A vendor is prohibited from conditioning a child's participation in a game or prize on the child disclosing more info than necessary to participate in the activity) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.7 California Privacy Rights for Minors in the Digital World: (Prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to "erase" or remove and obtain removal of content or information posted on the operator's site) See California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§ 22580-22582 Student Online Personal Information Protection Act: (An operator is prohibited from using student data for targeted, behavioral, or contextual advertising) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(b)(1)(A)

10.6.2: Third-Party Promotions

10.7.1: Unsubscribe Ads

  • Do the policies clearly indicate whether or not a user can opt-out of traditional, contextual, or behavioral advertising?

    Citation: Children's Online Privacy Protection Act: (An operator can not condition a child's participation in the service with sharing any collected information with third parties. A parent is required to have the ability to consent to the collection and use of their child's personal information without also consenting to the disclosure of the information to third parties) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.5(a)(2) California Online Privacy Protection Act: (An operator may provide a hyperlink in their privacy policy to a location containing a description, including the effects, of any program or protocol that offers the consumer a choice not to be tracked) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(b)(7)

10.7.2: Unsubscribe Marketing

  • Do the policies clearly indicate whether or not a user can opt-out or unsubscribe from a vendor or third party marketing communication?

    Citation: * Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003: (The sender of a commerical electronic communication may not require that any recipient pay any fee, provide any information other than the recipient's electronic mail address and opt-out preferences, or take any other steps except sending a reply electronic mail message or visiting a single Internet Web page, in order to submit a request not to receive future commercial electronic mail messages from the sender) See Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), 16 C.F.R. Part 316.5

10.8.1: DoNotTrack Response

  • Do the policies clearly indicate whether or not the vendor responds to a "Do Not Track" signal or other opt-out mechanisms from a user?

    Citation: California Online Privacy Protection Act: (An operator is required to disclose how they respond to Web browser "Do Not Track" signals or other mechanisms that provide consumers the ability to opt-out of the collection of personally identifiable information about their online activities over time and across third-party Web sites) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(b)(5)
    Background: A Do Not Track system should be implemented universally to cover all parties that would track consumers. The choice mechanism should be easy to find, easy to understand, and easy to use. Any choices offered should be persistent and should not be overridden if, for example, consumers clear their cookies or update their browsers. A Do Not Track system should be comprehensive, effective, and enforceable. It should opt consumers out of behavioral tracking through any means and not permit technical loopholes. Finally, an effective Do Not Track system should go beyond simply opting consumers out of receiving targeted advertisements; it should opt them out of collection of behavioral data for all purposes other than those that would be consistent with the context of the interaction (e.g., preventing click-fraud or collecting de-identified data for analytics purposes). See California Business and Professions Code §§ 22575(b)(5)-(6); See also FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), p. 53. * Even as we focus more on data use, consumers still have a valid interest in "Do Not Track" tools that help them control when and how their data is collected. Strengthening these tools is especially important because there is now a growing array of technologies available for recording individual actions, behavior, and location data across a range of services and devices. Public surveys indicate a clear and overwhelming demand for these tools, and the government and private sector must continue working to evolve privacy-enhancing technologies in step with improved consumer services. See Exec. Office of the President, Big Data: Seizing Opportunities, Preserving Values (2014), p. 62.

10.8.2: DoNotTrack Description

  • Do the policies clearly indicate whether the vendor provides a hyperlink to a description, including the effects, of any program or protocol the vendor follows that offers consumers a choice not to be tracked?

    Citation: * California Online Privacy Protection Act: (An operator may provide a hyperlink in their privacy policy to a location containing a description, including the effects, of any program or protocol that offers the consumer a choice not to be tracked) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(b)(7)

0.1.1: Policy Available

  • Are the policies for the specific service available (and not, for example, for the public-facing website)?

    Citation: * California Online Privacy Protection Act: (An operator of a service or application that collects personally identifiable information through the Internet about individual consumers from California who use or visit its service is required to conspicuously post a privacy policy) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(a)

0.1.2: Same Policy

  • Do Android or iOS app privacy policies link to the same privacy policy URL location as the home page policy?

    Citation: California Online Privacy Protection Act: (An operator of a service or application that collects personally identifiable information through the Internet about individual consumers from California who use or visit its service is required to conspicuously post a privacy policy) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(a) California Online Privacy Protection Act: (An operator may provide a hyperlink in their privacy policy to a location containing a description, including the effects, of any program or protocol that offers the consumer a choice not to be tracked) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(b)(7)

0.1.5: Use Trackers

  • Does the application or service use trackers on its homepage, registration page, or while a user is logged-in?

    Citation: Children's Online Privacy Protection Act: (An operator is prohibited from sharing a persistent identifier collected from children that can be used to recognize and track a user over time and across different websites or services without verifiable parental consent) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Student Online Personal Information Protection Act: (An operator is prohibited from tracking a student across websites with targeted advertising) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(b)(1)(B) California AB 1584 - Privacy of Pupil Records: (A local educational agency that enters into a contract with a third party must ensure the contract contains a prohibition against the third party using personally identifiable information in pupil records to engage in targeted advertising) See California AB 1584 - Privacy of Pupil Records, Cal. Ed. Code § 49073.1(b)(9) California Privacy Rights for Minors in the Digital World: (Prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to "erase" or remove and obtain removal of content or information posted on the operator's site) See California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§ 22580-22582
  • Are hyperlinks to the vendor's policies available on the homepage and labeled Privacy Policy or Terms of Use?

    Citation: California Online Privacy Protection Act: (An operator of a service or application that collects personally identifiable information through the Internet about individual consumers from California who use or visit its service is required to conspicuously post a privacy policy) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(a) California Online Privacy Protection Act: (An operator is required to post a conspicuous hyperlink that includes the word "privacy" to its actual privacy policy on the homepage or first significant page after entering the Web site, or an icon that hyperlinks to a Web page on which the actual privacy policy is posted, so that a reasonable person would notice it) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22577(b)(1)-(4)
    Background: * A vendor should make their Policy recognizable by giving it a descriptive title, such as 'Privacy Policy' or 'Data Collection and Use Policy.' Make the Privacy Policy available in a single location; don't make users search for it in Terms of Service or Terms and Conditions statements, for example. Make the Policy conspicuously available on the website or from within the mobile app or other online service. If your app is available through an online store or other platform, also provide a link to the Policy there so that potential users can review it before downloading the app. Be prepared to provide a copy of or a link to the Policy to a school or school district for posting on their website. Schools and districts are increasingly receiving requests from parents to share the privacy policies of the online services they use. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 15.

0.2.2: Policy Accessible

  • Are the policies available in a human and machine readable format that is accessible on the web, mobile devices, screen readers or assistive technologies?

    Citation: California Online Privacy Protection Act: (An online service or application is required to post a conspicuous hyperlink that includes the word "privacy" to its actual privacy policy on the homepage, or provide any other reasonably accessible means of making the privacy policy available for consumers of the online service) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22577(b)(5)
    Background: A vendor should make the Privacy Policy for the site or service easy for parents and educators to understand. Use plain language, for example, say what you currently do or don’t do, instead of what practices you 'may' employ at some future time. If there are practices that a vendor may only employ in some circumstances, specify those circumstances. Be concrete and specific about the data practices related to all the features of your site or service, explaining where appropriate that a school or district may choose not to use all of its features. Format the Policy with headers that identify key parts of the policy, such as Information We Collect, How We Use Your Information, Information We Share, Access to Your Information, Security, Effective Date, and Privacy Contact. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 16.

0.2.3: Allow Crawling

  • Do the policies allow machine crawling or indexing?

    Citation: * Copyright Act of 1976: (Fair use of a copyrighted work, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright) See Copyright Act of 1976, 17 U.S.C. § 107

0.2.4: Policy Purchase

  • Are the policies available on all product purchase or acquisition web pages?

    Citation: * Children's Online Privacy Protection Act: (A notice or privacy policy on an operator's website needs a section relating to the collection of information for children under 13 years of age, and notice is required at each area of the site where information is collected from children) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.4(d)

0.2.5: Policy Registration

  • Are the policies available on a new account registration webpage for review prior to a user creating a new account with the service or application?

    Citation: * Children's Online Privacy Protection Act: (A notice or privacy policy on an operator's website needs a section relating to the collection of information for children under 13 years of age, and notice is required at each area of the site where information is collected from children) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.4(d)

0.3.1: Free Account

  • Can you create a free sample account with the application or service?

0.3.2: Access Code

  • Does the application or service require the purchase of hardware or a School access code to create an account?

0.3.3: Purchase Options

  • Does the application or service offer a seperate paid version or In-App-Purchases?

0.4.1: Policy Readable

  • Do the policies contain structural or typographical errors?

Security: Protecting against unauthorized access

6.6.2: Legacy Contact

  • Do the policies clearly indicate whether or not a user may assign an authorized account manager or legacy contact to access and download their data in the event the account becomes inactive?

    Citation: * California Revised Uniform Fiduciary Access to Digital Assets Act: (authorizes a decedent's personal representative or trustee to access and manage their digital assets and electronic communications stored with an online service provider, and give directions regarding the disclosure of those assets) See California Revised Uniform Fiduciary Access to Digital Assets Act, Cal. Prob. Code § 870-884

8.1.1: Verify Identity

8.2.1: Account Required

  • Do the policies clearly indicate whether or not the vendor requires a user to create an account with a username and password in order to use the Service?

8.2.2: Managed Account

  • Do the policies clearly indicate whether or not the vendor provides user managed accounts for a parent, teacher, school or district?

8.2.3: Two-Factor Protection

  • Do the policies clearly indicate whether or not the security of a user's account is protected by two-factor authentication?

8.3.1: Security Agreement

8.4.1: Reasonable Security

8.4.2: Employee Access

8.5.1: Transit Encryption

  • Do the policies clearly indicate whether or not all data in transit is encrypted?

    Citation: * California Data Breach Notification Requirements: (A person or business that owns, licenses, or maintains personal information about a California resident is required to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure) See California Data Breach Notification Requirements, Cal. Civ. Code § 1798.81.5

8.6.1: Storage Encryption

  • Do the policies clearly indicate whether or not all data at rest is encrypted?

    Citation: * California Data Breach Notification Requirements: (A person or business that owns, licenses, or maintains personal information about a California resident is required to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure) See California Data Breach Notification Requirements, Cal. Civ. Code § 1798.81.5

8.6.2: Data Control

  • Do the policies clearly indicate whether or not personal information are stored outside the direct control of the vendor?

8.7.1: Breach Notice

  • Do the policies clearly indicate whether or not the vendor provides notice in the event of a data breach to affected individuals?

    Citation: California Data Breach Notification Requirements: (A business that collects personal information from California consumers is required to disclose a breach of the security of their system following discovery or notification of the breach in the security of a consumer's data whose unencrypted personal information was reasonably believed to have been acquired by an unauthorized person) See California Data Breach Notification Requirements, Cal. Civ. Code § 1798.29; § 1798.29(h)(4); § 1798.82; California AB 1584 - Privacy of Pupil Records: (A local educational agency that enters into a contract with a third party must ensure the contract contains a description of the procedures for notifying the affected parent, legal guardian, or eligible pupil in the event of an unauthorized disclosure of the pupil’s records) See California AB 1584 - Privacy of Pupil Records, Cal. Ed. Code § 49073.1(b)(6)
    Background: The breach notification laws in California and the 46 other states are similar in many ways, because most are modeled on the original California law. All of them require notifying individuals when their personal information has been breached, prefer written notification but allow using the "substitute method" in certain situations, allow for a law enforcement delay, and provide an exemption from the requirement to notify when data is encrypted and the keys required to de-crypt the data are still secure. However, there are some differences, primarily in three areas: (1) the notification trigger, (2) the timing for notification, and (3) the definition of covered information. See CA DOJ, California Data Breach Report (2016). A vendor should develop and describe the process for notifying schools or school districts, parents, legal guardians, or eligible students, as well as any appropriate government agencies, of any unauthorized disclosure of student information. Determine whether the incident and the types of data involved also require notification under California's breach notification law, and if so, take appropriate action. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 15.

0.1.3: Default Encryption

0.1.4: Encryption Required

Compliance: Following statutory laws and regulations

1.8.1: Children Intended

  • Do the policies clearly indicate whether or not the service is intended to be used by children under the age of 13?

    Citation: * Children's Online Privacy Protection Act: (A site directed to children is where the operator has actual knowledge the site is collecting information from children under the age of 13 and parental consent is required before any collection or use of information) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2

1.8.2: Teens Intended

  • Do the policies clearly indicate whether or not the service is intended to be used by teens 13 to 18 years of age?

    Citation: Children's Online Privacy Protection Act: (A mixed audience site is where the site is directed to children, but does not target children as its "primary audience," but rather teens 13-to-18 years of age or adults. An operator of a mixed audience site is required to obtain age information from a user before collecting any information and if a user identifies themselves as a child under the age of 13, the operator must obtain parental consent before any information is collected) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 California Privacy Rights for Minors in the Digital World: (Prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to "erase" or remove and obtain removal of content or information posted on the operator's site) See California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§ 22580-22582

1.8.3: Adults Intended

  • Do the policies clearly indicate whether or not the service is intended to be used by adults over the age of 18?

    Citation: * Children's Online Privacy Protection Act: (A general audience site is where the operator has no actual knowledge that a child under the age of 13 has registered an account or is using the service, and no age gate or parental consent is required before collection of information) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2

1.8.4: Parents Intended

1.8.5: Students Intended

1.8.6: Teachers Intended

  • Do the policies clearly indicate whether or not the service is intended to be used by teachers?

    Citation: Family Educational Rights and Privacy Act: (FERPA applies to all educational institutions that accept public funds under a program of the U.S. Department of Education) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.1 Student Online Personal Information Protection Act: (SOPIPA applies to operators of online services that are primarily used for K-12 school purposes and were designed and marketed for K-12 school purposes) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(a) Early Learning Personal Information Protection Act: (ELPIPA applies to operators of online services that are primarily used for preschool or prekindergarten purposes and were designed and marketed for preschool or prekindergarten purposes) See Early Learning Personal Information Protection Act (ELPIPA), Cal. B.&P. Code § 22586(a)(1) Protection of Pupil Rights Act: (All instructional materials including teacher's manuals, films, tapes, or other supplementary instructional material which is used in connection with any research must be made available for inspection by the parents or guardians of the children) See Protection of Pupil Rights Act (PPRA), 34 C.F.R. Part 98 * California AB 1584 - Privacy of Pupil Records: (Authorizes a Local Educational Agency (LEA) to enter into a third party contract for the collection and use of pupil records that must include a statement that the pupil records continue to be the property of and under the control of the local educational agency, a description of the actions the third party will take to ensure the security and confidentiality of pupil records, and a description of how the local educational agency and the third party will jointly ensure compliance with FERPA) See California AB 1584 - Privacy of Pupil Records, Cal. Ed. Code §§ 49073.1

2.2.1: Student Data

  • Do the policies clearly indicate whether or not the vendor collects personal information or education records from preK-12 students?

    Citation: Family Educational Rights and Privacy Act: ("Education Records" are information that is directly related to a student and maintained by the educational institution, or by a third party acting as a School Official on behalf of the educational institution) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.1 Family Educational Rights and Privacy Act: ("Personal Information" under FERPA includes direct identifiers such as a student or family member's name, or indirect identifiers such as a date of birth, or mother's maiden name, or other information that is linkable to a specific student that would allow a reasonable person in the school community to identify the student with reasonable certainty) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.1 Student Online Personal Information Protection Act: (SOPIPA applies to operators of online services that are primarily used for K-12 school purposes and were designed and marketed for K-12 school purposes) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(a) Early Learning Personal Information Protection Act: (ELPIPA applies to operators of online services that are primarily used for preschool or prekindergarten purposes and were designed and marketed for preschool or prekindergarten purposes) See Early Learning Personal Information Protection Act (ELPIPA), Cal. B.&P. Code § 22586(a)(1)
    Background: The Family Educational Rights and Privacy Act of 1974 (FERPA), provides parents of students the right to access their children's Student Data or education records, and Students 18 years of age and older the right to access their own education records. In addition, FERPA provides the right to have the records amended, and the right to have some control over the disclosure of personally identifiable information (PII) in the education records. Furthermore, strict storage guidelines surround Student Data which require organizations to maintain accurate, and up-to-date records. See 20 U.S.C. § 1232g; 34 C.F.R. Part 99.1. What are Education Records? FERPA defines educational records as records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. These records include, but are not limited to, transcripts, class lists, student course schedules, health records, student financial information, and student disciplinary records. It is important to note that any of these records maintained by a third-party acting on behalf of a school or district are also considered education records. 20 U.S.C. § 1232g (a)(4)(A); 34 CFR § 99.3; See PTAC, Responsibilities of Third-Party Service Providers under FERPA, p. 1; See also PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, p. 2.

2.2.2: Child Data

  • Do the policies clearly indicate whether or not the vendor collects personal information online from children under 13 years of age?

    Citation: Children's Online Privacy Protection Act: (A notice or privacy policy on an operator's website needs a section relating to the collection of information for children under 13 years of age, and notice is required at each area of the site where information is collected from children) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.4(d) Children's Online Privacy Protection Act: (Personally Identifiable Information under COPPA includes first and last name, photos, videos, audio, geolocation information, persistent identifiers, IP address, cookies, and unique device identifiers) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2
    Background: The Children's Online Privacy Protection Act (COPPA) requires a privacy policy to list the kinds of personal information collected from children (for example, name, address, email address, hobbies, etc.), how the information is collected, and how the company uses the personal information. It also requires companies to indicate whether they disclose information collected from children to third-parties. If so, the company must also disclose the kinds of businesses in which the third-parties are engaged, the general purposes for which the information is used, and whether the third-parties have agreed to maintain the confidentiality and security of the information. See 15 U.S.C. § 6502; 16 C.F.R. Part 312. If a company knows that a user of the online website or service is under the age of 13, the Children's Online Privacy Protection Act (COPPA) will impose more stringent requirements on the collection of information from those users. COPPA requires that operators seeking to collect, use, or disclose personal information from children under the age of 13, must first obtain verifiable parental consent. Even where a user is 13 or older, COPPA remains a source of best practices for companies that collect personal information from users, particularly when those users are still minors. See 15 U.S.C. §§ 6501-6506; 16 C.F.R. Part 312. * COPPA permits the collection of limited personal information from children under 13 for the purposes of: (1) Obtaining verified parental consent; (2) providing parents with a right to opt-out of an operator's use of a child's email address for multiple contacts of the child; and (3) to protect a child's safety on a website or online service. See 15 U.S.C. 6502(b)(2); 16 C.F.R. 312.5(c)(1)–(5).

5.3.1: Restriction Notice

  • Do the policies clearly indicate whether or not the vendor is able to restrict or remove a user's content without notice or consent?

    Citation: The Communications Decency Act of 1996: (No provider or user of an interactive computer service shall be held liable on account of any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or any action taken to enable or make available to information content providers or others the technical means to restrict access to material) See The Communications Decency Act of 1996 (CDA), 47 U.S.C. 230(c) Digital Millennium Copyright Act: (The provider of a service or application that has removed or disabled access to material or activity claimed to be infringing must take reasonable steps to promptly notify the subscriber that it has removed or disabled access to their material) See Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 512(g)(2)(A)

5.6.1: Data Ownership

  • Do the policies clearly indicate whether or not a student, educator, parent, or the school retains ownership to the Intellectual Property rights of the data collected or uploaded to the application or service?

    Citation: California AB 1584 - Privacy of Pupil Records: (A local educational agency that enters into a contract with a third party must ensure the contract contains a statement that pupil records continue to be the property of and under the control of the local educational agency) See California AB 1584 - Privacy of Pupil Records, Cal. Ed. Code § 49073.1(b)(1) Copyright Act of 1976: (Copyright protection is extended to original works of authorship fixed in any tangible medium of expression) See Copyright Act of 1976, 17 U.S.C. § 102
    Background: * Maintaining ownership of data to which the provider may have access allows schools or districts to retain control over the use and maintenance of FERPA protected student information and protect against a provider selling information. See PTAC, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, p. 7.
  • Do the policies clearly indicate whether or not the vendor may limit its copyright license of a user's data?
  • Do the policies clearly indicate whether or not the vendor provides notice to a user if their content is removed or disabled because of a claim it violates the Intellectual Property rights of others?

    Citation: Digital Millennium Copyright Act: (The provider of a service or application that has removed or disabled access to material or activity claimed to be infringing must take reasonable steps to promptly notify the subscriber that it has removed or disabled access to their material) See Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 512(g)(2)(A)
    Background: The Digital Millennium Copyright Act (DMCA) establishes procedures for proper notification and rules to take down a user's content that violates the copyrights of others. Under the notice and takedown procedure, a copyright owner submits a notification under penalty of perjury, including a list of specified elements to the service provider's designated agent. If, upon receiving a proper notification, the service provider promptly removes or blocks access to the material identified in the notification, the provider is exempt from liability. However, the service provider is required to provide adequate notice to the affected user, who then has the ability to respond to the notice and takedown by filing a counter notification. See U.S. Copyright Office Summary, The Digital Millennium Copyright Act (DMCA), p. 12; See also 17 U.S.C. § 512(c)(3); 17 U.S.C. § 512(g)(1).

6.1.1: Access Data

6.1.2: Restrict Access

6.1.3: Review Data

6.2.1: Maintain Accuracy

  • Do the policies clearly indicate whether or not the vendor takes steps to maintain the accuracy of data they collect and store?

    Citation: Children's Online Privacy Protection Act: (An operator must take reasonable steps to release a child's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of the information, and provide assurances that they contractually maintain the information in the same manner) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.8 Children's Online Privacy Protection Act: (An operator must maintain the confidentiality, security, and integrity of personal information collected from children) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.3(e); See also 16 C.F.R. Part 312.8

6.3.1: Data Modification

  • Do the policies clearly indicate whether or not the vendor provides the ability to modify a user's inaccurate data for authorized individals?

    Citation: * California Online Privacy Protection Act: (If the operator maintains a process for a consumer to review and request changes to any of their personally identifiable information they must provide a description of that process) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(b)(2)

6.3.2: Modification Process

6.3.3: Modification Request

6.3.4: Modification Notice

  • Do the policies clearly indicate how long the vendor has to modify a user's inaccurate data after given notice?

6.4.1: Retention Policy

  • Do the policies clearly indicate the vendor's data retention policy, including any data sunsets or any time-period after which a user's data will be automatically deleted if they are inactive on the application or service?

    Background: * A vendor should retain student information acquired through the site or service only as long as allowed or required by the school or district. A vendor should also describe their data retention policy, including how long they retain student information and why. A vendor's default retention period for covered information should not be indefinite. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 12.

6.4.2: Retention Limits

  • Do the policies clearly indicate whether or not the vendor will limit the retention of a user's data unless a valid request to inspect data are made?

    Citation: * Family Educational Rights and Privacy Act: (An educational institution must annually notify parents of their rights to inspect and review a student's education records, make corrections, delete, or consent to the disclosure of information) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.7(a)

6.5.1: Deletion Purpose

  • Do the policies clearly indicate whether or not the vendor will delete a user's personal information when the data are no longer necessary to complete the purpose for which it was collected?

    Citation: Children's Online Privacy Protection Act: (An operator may retain information collected from a child only as long as necessarily to fulfill the purpose for which it was collected and must delete the information using reasonable measures to prevent unauthorized use) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.10 California AB 1584 - Privacy of Pupil Records: (A local educational agency that enters into a contract with a third party must ensure the contract contains a certification that a pupil's records shall not be retained or available to the third party upon completion of the terms of the contract and a description of how that certification will be enforced) See California AB 1584 - Privacy of Pupil Records, Cal. Ed. Code § 49073.1(b)(7)

6.5.2: Account Deletion

6.5.3: User Deletion

  • Do the policies clearly indicate whether or not a user can delete all of their personal and non-personal information from the vendor?

    Citation: California Online Privacy Protection Act: (If the operator maintains a process for a consumer to review and request changes to any of their personally identifiable information they must provide a description of that process) See California Online Privacy Protection Act (CalOPPA), Cal. B.&P. Code §22575(b)(2) California Privacy Rights for Minors in the Digital World: (Prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to "erase" or remove and obtain removal of content or information posted on the operator's site) See California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§ 22580-22582

6.5.4: Deletion Process

6.5.5: Deletion Notice

  • Do the policies clearly indicate how long the vendor may take to delete a user's data after given notice?

11.1.1: Actual Knowledge

  • Do the policies clearly indicate whether or not the vendor has actual knowledge that personal information from children under 13 years of age is collected by the application or service?

    Citation: Children's Online Privacy Protection Act: (A general audience site is where the operator has no actual knowledge that a child under the age of 13 has registered an account or is using the service, and no age gate or parental consent is required before collection of information) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Children's Online Privacy Protection Act: (A mixed audience site is where the site is directed to children, but does not target children as its "primary audience," but rather teens 13-to-18 years of age or adults. An operator of a mixed audience site is required to obtain age information from a user before collecting any information and if a user identifies themselves as a child under the age of 13, the operator must obtain parental consent before any information is collected) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Children's Online Privacy Protection Act: (A site directed to children is where the operator has actual knowledge the site is collecting information from children under the age of 13 and parental consent is required before any collection or use of information) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Children's Online Privacy Protection Act: (A vendor who may obtain actual knowledge that it is collecting information from a child must not encourage a child from disclosing more information than reasonably necessary through an age verification mechanism. An age gate should be: age-neutral; not encourage falsification; list day, month, and year; have no prior warning that under 13 children will be blocked; and prevent multiple attempts) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.3(d)
    Background: The Children's Online Privacy Protection Act (COPPA) requires an operator to post a link to a notice of its information practices on the homepage of its web site or online service and in each area of its web site where it collects "Personal Information" from children. An operator of a general audience web site with a separate children's area must also post a link to its privacy policy on the homepage of the children's area. See 15 U.S.C. §§ 6501-6506; 16 C.F.R. Part 312 COPPA applies anytime an operator of a website or online service has actual knowledge that it is collects, maintains, uses, or discloses personal information from a child under 13. In these situations an operator is generally required to obtain verified parental consent. * COPPA requires companies to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. Companies should minimize what they collect in the first place and take reasonable steps to release personal information only to service providers and third-parties capable of maintaining its confidentiality, security, and integrity. Always obtain assurances that third-parties will live up to their contractual privacy responsibilities. Also, companies should hold on to personal information only as long as is reasonably necessary for the purpose for which it was collected. They should securely dispose of it once they no longer have a legitimate reason for retaining it. See FTC, Six-Step Compliance Plan for Your Business.

11.1.2: Child Audience

  • Do the policies clearly indicate whether or not the application or service is directed to children under 13, or (even if for an older audience) would the service appeal to children under 13 years of age?

    Citation: Children's Online Privacy Protection Act: (An exception for a general audience site exists if the site would appeal to children under 13 years of age, which would take into account several factors that include subject matter, visual content, age of models, and activities provided) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Children's Online Privacy Protection Act: (A mixed audience site is where the site is directed to children, but does not target children as its "primary audience," but rather teens 13-to-18 years of age or adults. An operator of a mixed audience site is required to obtain age information from a user before collecting any information and if a user identifies themselves as a child under the age of 13, the operator must obtain parental consent before any information is collected) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2
    Background: * COPPA applies to operators of websites or online services that are directed to children. A child is defined as an individual under the age of 13. An online service which is not specifically targeted at children under the age of 13 may still be considered directed at children, if the service contains content that would appeal to children under the age of 13. The FTC looks at a variety of factors to see if a site or service is directed to children under 13, including the subject matter of the site or service, visual and audio content, the use of animated characters or other child-oriented activities and incentives, the age of models, the presence of child celebrities or celebrities who appeal to kids, ads on the site or service that are directed to children, and other reliable evidence about the age of the actual or intended audience. See FTC, Six-Step Compliance Plan for Your Business.

11.1.3: COPPA Notice

  • Do the policies clearly indicate whether or not the vendor describes: (1) what information is collected from children under 13 years of age, (2) how that information is used, and (3) its disclosure practices of that information?

    Citation: Children's Online Privacy Protection Act: (A vendor is required to provide a clear privacy policy about: (1) what information is collected, (2) how information is used, and (3) its disclosure practices of that information) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.3(a); See also 16 C.F.R. Part 312.4(d)(2) Children's Online Privacy Protection Act: (A notice or privacy policy on an operator's website needs a section relating to the collection of information for children under 13 years of age, and notice is required at each area of the site where information is collected from children) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.4(d)

11.1.4: COPPA Offline

  • Do the policies clearly indicate whether or not the vendor collects personal information from children under 13 years of age "offline"?

    Citation: Children's Online Privacy Protection Act: (The Children's Online Privacy Protection Act (COPPA) applies to personal information of children under 13 years of age collected "online" not "offline") See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.1
    Background: Congress limited the scope of COPPA to only information that an operator collects online from a child. COPPA does not govern information collected by an operator offline that is later placed online. See 15 U.S.C. 6501(8) (defining personal information as individually identifiable information about an individual collected online)

11.1.5: Restrict Account

11.1.6: Restrict Purchase

  • Do the policies clearly indicate whether or not the vendor restricts in-app purchases for a child under 13 years of age?

    Citation: * Children's Online Privacy Protection Act: (An operator is required to obtain verifiable parental consent before any collection, use, or disclosure of personal information from children) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.5

11.1.7: Safe Harbor

  • Do the policies clearly indicate whether or not the application or service participates in an FTC approved COPPA safe harbor program?

    Citation: Children's Online Privacy Protection Act: (An operator is presumed to be in compliance with verifiable parental consent if participating in a self-regulatory safe harbor program approved by the Commission) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.5(b)(3); See also 16 C.F.R. Part 312.11
    Background: An operator may satisfy its obligations under COPPA by participating in a safe harbor program. The safe harbor programs are self-regulatory frameworks developed by industry groups and approved by the FTC. FTC-approved COPPA safe harbor programs offer parental notification and consent systems for operators who are members of their programs. In addition, the FTC recognizes that these and other common consent mechanisms could benefit operators (especially smaller ones) and parents if they offer a proper means for providing notice and obtaining verifiable parental consent, as well as ongoing controls for parents to manage their children's accounts. The FTC recommends operators use a common consent mechanism to assist in providing notice and obtaining consent, because they are ultimately responsible for ensuring that the notice accurately and completely reflects their information collection practices and that the consent mechanism is reasonably designed to reach the parent. See 78 Fed. Reg. 3972, 3989; See FTC, Complying with COPPA: Frequently Asked Questions, q. 13.

11.2.1: Teen Data

  • Do the policies clearly indicate whether or not personal information from teens 13 to 18 years of age are collected?

    Citation: California Privacy Rights for Minors in the Digital World: (Prohibits an operator from marketing or advertising non age-appropriate types of products or services to a minor under 18 years of age and from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising non age-appropriate types of products or services. Also, a minor is permitted to request to "erase" or remove and obtain removal of content or information posted on the operator's site) See California Privacy Rights for Minors in the Digital World, Cal. B.&P. Code §§ 22580-22582
    Background: Third-party data brokers should implement better measures to refrain from collecting information from children and teens, particularly in marketing products. As to children under 13, COPPA already requires certain online services to refrain from collecting personal information from this age group without parental consent. The principles underlying COPPA could apply equally to information collected offline from children. As to teens, the FTC previously has noted that they often lack the judgment to appreciate the long-term consequences of, for example, posting personal information on the Internet. See FTC, Data Brokers: A Call For Transparency and Accountability (May 2014), p. 55.

11.3.1: School Purpose

11.3.2: Education Records

11.3.3: FERPA Notice

  • Do the policies clearly indicate whether or not the vendor provides a separate agreement that provides notice to users of their rights, under FERPA?

    Citation: Family Educational Rights and Privacy Act: (An educational institution must annually notify parents of their rights to inspect and review a student's education records, make corrections, delete, or consent to the disclosure of information) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.7(a) Family Educational Rights and Privacy Act: (Any rights to access, modify, or delete student records may transfer to an "eligible" student who is over 18 years of age) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.5(a)(1)
    Background: FERPA is a Federal law that protects personally identifiable information in students' education records from unauthorized disclosure. It affords parents the right to access their child's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student ("eligible student"). 20 U.S.C. § 1232g; 34 C.F.R. Part 99; See also PTAC, Responsibilities of Third-Party Service Providers under FERPA, pp. 1-3. FERPA denies federal funding to educational agencies or institutions that have a practice or policy of permitting the release of student information without parental consent. There is an exception where such information is released to "school officials" who have been determined by the educational agency or institution to have a legitimate educational interest. * A vendor should describe the procedures for a parent, legal guardian, or eligible student to review and correct covered information. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 14.

11.3.4: School Official

11.3.5: Directory Information

  • Do the policies clearly indicate whether or not the vendor discloses student information as 'Directory Information' under a FERPA exception?

    Citation: Family Educational Rights and Privacy Act: (An operator may disclose "Directory Information" of a student if notice is provided to parents of the type of information that is designated as "directory," and notice of a parent's right to refuse disclosure and to opt-out) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.3; 34 C.F.R. Part 99.37
    Background: What is the "Directory Information" Exception? An exception to parental consent that permits the disclosure of PII from education records under FERPA. Information designated by the school or district as directory information may be disclosed without consent and used without restriction in conformity with the policy, unless the parent, guardian, or eligible student opts out. Examples of directory information about students include name, address, telephone number, email address, date and place of birth, grade level, sports participation, and honors or awards received. Before a school or district can disclose directory information, it must first provide public notice to parents and eligible students of the types of information designated as directory information, the intended uses for the information, and the right of parents or eligible students to "opt out" of having their information shared. See PTAC, Responsibilities of Third-Party Service Providers under FERPA, p. 3; See also PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, pp. 3-4.
  • Do the policies clearly indicate whether or not a parent can consent to the collection and use of their child's personal information without also consenting to the disclosure of the information to third parties?

    Citation: * Children's Online Privacy Protection Act: (An operator can not condition a child's participation in the service with sharing any collected information with third parties. A parent is required to have the ability to consent to the collection and use of their child's personal information without also consenting to the disclosure of the information to third parties) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.5(a)(2)

11.4.4: Delete Child

  • Do the policies clearly indicate whether or not the vendor deletes personal information from a student or child under 13 years of age if collected without parental consent?

    Citation: Children's Online Privacy Protection Act: (If the operator has not obtained parental consent after a reasonable time from the date of the information collection, or been given actual notice that information from a child under the age of 13 has been collected without parental consent, the operator must delete the information from its records) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.5(c)(1); See also 16 C.F.R. Part 312.6(c) Family Educational Rights and Privacy Act: (A parent or eligible student is required to provide a signed and dated written consent before an educational institution discloses personally identifiable information from the student's records) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.30
  • Do the policies clearly indicate whether or not the vendor provides direct notice to parents of its collection and diclosure practices with method to provide verifiable parental consent, under COPPA?

    Citation: Children's Online Privacy Protection Act: (An operator is required to provide direct notice to parents describing what information is collected, how information is used, its disclosure practices and exceptions) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.4(b)
    Background: Under most circumstances an operator is required to obtain verified parental consent before the collection, use, or disclosure, of personal information from children under the age of 13. The method used to obtain parental consent must be reasonably calculated (taking into account available technology) to ensure that the person providing consent is actually the child's parent.

11.4.6: Internal Operations

  • Do the policies clearly indicate whether or not the vendor can collect and use personal information from children without parental consent to support the 'internal operations' of the vendor's website or service?

    Citation: Children's Online Privacy Protection Act: (An operator may share data with third parties who provide support for the "internal operations" of the service and who do not use or disclose the information for any other purpose) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 Children's Online Privacy Protection Act: (An operator may display contextual advertisements to a child under the age of 13 without verifiable parental consent, under the "internal operations" exception) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.2 * Children's Online Privacy Protection Act: (An exception to prior parental consent exists for an operator to collect a persistent identifier and no other personal information for the sole purpose of providing support for the "internal operations" of the site) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.5(c)(7)

11.4.7: COPPA Exception

11.4.8: FERPA Exception

  • Do the policies clearly indicate whether or not responsibility or liability for obtaining verified parental consent is transferred to the school or district?

11.5.1: Policy Jurisdiction

  • Do the policies clearly indicate the vendor's jurisdiction that applies to the construction, interpretation, and enforcement of the policies?

    Background: * The vendor's policies should describe the jurisdiction or state where disputes will be resolved. Typically, disputes are settled by Alternative Dispute Resolution (ADR) by an arbitrator through binding arbitration that can enter a judgement that will be upheld in any court having jurisdiction.

11.5.2: Dispute Resolution

  • Do the policies clearly indicate whether or not the vendor requires a user to waive the right to a jury trial, or settle any disputes by Alternative Dispute Resolution (ADR)?

    Background: * The vendor's policies should describe the legal process used to determine how disputes will be resolved. Any dispute arising out of an alleged breach of the policies will likely be settled by Alternative Dispute Resolution (ADR) through binding arbitration before judicial arbitration or mediation services, such as the American Arbitration Association, or a similar arbitration service.

11.5.3: Class Waiver

  • Do the policies clearly indicate whether or not the vendor requires waiver of any rights to join a class action lawsuit?

11.5.4: Law Enforcement

  • Do the policies clearly indicate whether or not the vendor can use or disclose a user's data under a requirement of applicable law, to comply with a legal process, respond to governmental requests, enforce their own policies, for assistance in fraud detection and prevention, or to protect the rights, privacy, safety or property of the vendor, its users, or others?

    Citation: Children's Online Privacy Protection Act: (An operator is prohibited from sharing a child's information to third parties except in limited circumstances to ensure legal and regulatory compliance; respond to or participate in a judicial process; or to protect the safety of a child; or provide information to law enforcement agencies) See Children's Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.5(c)(5)-(6) Family Educational Rights and Privacy Act: (An operator is prohibited from sharing a student's information to third parties except in limited circumstances to ensure legal and regulatory compliance; respond to or participate in a judicial process; in connection with a health or safety emergency, or violation of any Federal, State, or local law) See Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.31(5),(9),(10),(13)-(16); 34 C.F.R. Part 99.36 Student Online Personal Information Protection Act: (An operator is prohibited from sharing student information to third parties except in limited circumstances to ensure legal and regulatory compliance; respond to or participate in a judicial process; or to protect the safety of users, others, or the security of the site) See Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code § 22584(b)(4)(B)-(C),(k) California Electronic Communications Privacy Act: (Prohibits a government entity from compelling the production of or access to electronic communication information or electronic device information, without a search warrant, wiretap order, order for electronic reader records, or subpoena issued pursuant under specified conditions, except for emergency situations) See California Electronic Communications Privacy Act, Cal. Pen. Code § 1546-1546.4)
    Background: Disclosure of personal information for the "internal operations" of the website or online service, means activities necessary for the site or service to maintain or analyze its functioning; perform network communications; authenticate users or personalize content; serve contextual advertising or cap the frequency of advertising; protect the security or integrity of the user, website, or online service; ensure legal or regulatory compliance; or fulfill a request of a child. See 16 C.F.R. 312.2; See also FTC, Complying with COPPA: Frequently Asked Questions, q. 5. A vendor should only disclose covered information acquired through the site or service to ensure legal compliance, respond to judicial process, or protect an individual's safety or the security of the site or service. See Ready for School, Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (November 2016), CA. D.O.J., p. 14.

11.6.1: Privacy Award

  • Do the policies clearly indicate whether or not the vendor has signed any privacy pledges or received any other privacy certifications?

    Background: * Privacy protection depends on companies being accountable to consumers as well as to agencies that enforce consumer data privacy protections. However, compliance goes beyond external accountability to encompass practices through which companies prevent lapses in their privacy commitments or detect and remedy any lapses that may occur. Companies that can demonstrate that they live up to their privacy commitments have powerful means of maintaining and strengthening consumer trust. A company's own evaluation can prove invaluable to this process. The appropriate evaluation technique, which could be a self-assessment and need not necessarily be a full audit, will depend on the size, complexity, and nature of a company's business, as well as the sensitivity of the data involved. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 22.

11.7.1: GDPR Transfer

  • Do the policies clearly indicate whether or not a user's data are subject to International data jurisdiction laws, such as a privacy shield, or a safe harbor framework that protects the cross-border transfer of a user's data?

    Citation: * General Data Protection Regulation: (The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations across the region approach data privacy) See General Data Protection Regulation (GDPR), (Regulation (EU) 2016/679)

11.7.2: GDPR Contact

  • Do the policies clearly indicate whether or not the vendor provides a Data Protection Officer (DPO) or other contact to ensure GDPR compliance?

    Citation: * General Data Protection Regulation: (The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations across the region approach data privacy) See General Data Protection Regulation (GDPR), (Regulation (EU) 2016/679)

11.8.1: Accountability Audit

  • Do the policies clearly indicate whether or not the data privacy or security practices of the vendor are internally or externally audited to ensure compliance?

The Privacy Evaluation Questions are released under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License. If you use these questions in your non-commercial project, please credit Common Sense Media as the author, and link back to the announcement post.

This is an example of proper attribution for the Questions: The Privacy Evaluation Questions were authored by Common Sense Media, and are reusable under the terms of a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License.