Privacy Evaluation Questions - Qualitative

The Qualitative questions listed here are part of the questions used to drive the Common Sense District Privacy Evaluation Initiative. The release announcement gives more information about the complete question set. The qualitative questions on this page can be used to evaluate the protections and potential risks as they are defined in policies and terms of service of educational software. Not every question will be applicable to every software product, but the Qualitative questions, alongside the Transparency evaluation, can help people make more informed decisions for their specific context.

1. Transparency (What is the Privacy Practice?)

Qualitative Questions

  1. Does the online website, service, or application provide a Privacy Policy, a Terms of Service (TOS), or any other relevant legal policies?
  2. Who is notified of changes to the policies?
  3. How is a user notified of changes to the policies?
  4. How does a user review updates or changes to the policies before they are adopted?
  5. How does a user indicate that they accept the updated policies?

More information on Transparency

2. Focused Collection (What Information is Collected?)

Qualitative Questions

  1. Which of the following data are collected by the online website, service, or application?
    • Student name
    • Student address
    • Telephone number
    • Email address
    • Photo
    • Date of Birth
    • Place of birth
    • Gender
    • Student grade level
    • School name
    • Dates of attendance at school
    • Subjects studied at that school
    • Student ID number, student user ID (i.e., for a school badge), or other unique personal identifier
    • Student grades (coursewide or on individual assignments)
    • Student transcripts
    • Student course enrollment or course list
    • Academic or athletic honors or awards
    • Financial information of student or parent/guardian
    • Student social security number
    • Parent/guardian name or address
    • Behavioral or discipline information
    • Geolocation data (either via a form, or automatically via a mobile app/web site) sufficient to identify the student's street name or town
    • Photos, videos, or audio recordings of student
    • Medical or health information
    • Mental health information
    • Race or ethnicity
    • Free or reduced lunch status
    • Biometric information such as fingerprints, facial recognition, iris scan, etc.
    • Behavioral biometric information such as keystroke patterns, typing speed, or swiping patterns on mobile devices
    • Non-educational application data (i.e., “likes” or “interests”)
    • Contact information such as an instant messaging user ID, VOIP ID, video chat user ID, or social media (Twitter, Facebook, Instagram) screen name or username that functions as online contact information
    • Online activity such as web searches, assessments, messages, metadata, or student-created content
    • Persistent identifiers that can be used to identify a user over time or to access different websites/apps/services, including but not limited to customer number in a cookie, IP address, processor or device serial number, or unique device ID
    • Student's or parent's political affiliation or beliefs
    • Student's or parent's religious affiliation or beliefs
    • Sexual orientation
    • Information that is linked or linkable to a student or student's family
    • Contact lists or friends list from contact apps or social media accounts
    • The application is unclear about data collected
    • Other
  2. How do the policies describe the practice of collecting only the information required to provide the service (i.e., data minimization)?

More information on Focused Collection

3. Data Sharing (How do Third-Parties Collect, Access, and Use Data?)

Qualitative Questions

  1. What third-party services are used to support the operation of the website or application?
  2. What functions or purposes are served by third-party vendors?
  3. How do third-parties ensure they maintain the confidentiality of collected data?
  4. What data are collected by or shared with third-parties? Does any of the data include personal information?
  5. How can third-party services use data that are collected or shared?
  6. For what purposes are data shared with third-parties?
  7. What data are sold to third-parties? Does any of this data include personal information?
  8. For what purposes are data sold to third-parties?
  9. If data are sold or shared with third-parties, is the data only shared in an anonymous or de-identified format?
  10. How are data anonymized or de-identified prior to disclosure to third parties?
  11. If anonymized or de-identified data are shared with or sold to a third-party, is the third-party contractually prohibited from re-identifying the data?
  12. If data are shared or sold to a third-party, is the third-party contractually required not to combine the data with other data sources?
  13. What external authentication providers (social or federated login) are supported by the vendor?
  14. What data are collected from social or federated login providers?
  15. What data are shared with social or federated login providers?

More information on Data Sharing

4. Respect for Context (What are the Data Purpose, Classification, Notice, and Changes?)

Qualitative Questions

  1. How are collected data used within the application or service?
  2. Is the use of collected data consistent with the context in which it was collected?
  3. Does the indicated use of the data align with the type and amount of data collected?
  4. What classes of data are defined in the policies?
  5. How can the purpose or context of data change?

More information on Respect for Context

5. Individual Control (How are Data Owned, Licensed, Used, Disclosed, and Managed?)

Qualitative Questions

  1. Does a student, educator, parent, or the school have ownership of any student data collected?
  2. Does the school limit any vendor's rights in providing the educational service, if a vendor is acting as a "school official"?
  3. Does a vendor claim any Intellectual Property rights or license to copy, distribute, or republish user created content or user data?
  4. Does the vendor claim any Intellectual Property rights to a user's information, metadata, or created content beyond what is required to provide the service?
  5. Does the vendor provide notice to a user if their content is blocked or removed because it violates the Intellectual Property rights of others?
  6. Does the vendor allow a student, educator, or school to control what types of data are collected?
  7. Does the vendor allow a user to control whether data are disclosed to a third-party?
  8. Does the vendor allow a user to control communication preferences with the vendor or third-parties?
  9. Does the vendor allow an individual to request confirmation of whether the vendor has collected any personal information about them?

More information on Individual Control

6. Access and Accuracy (How are Data Accessed, Corrected, Retained, Deleted, and Exported?)

Qualitative Questions

  1. Does the vendor provide access to a student's data for authorized educators, parents, or school officials? If Yes, how does the vendor authorize access?
  2. Does the vendor provide a student, educator, parent, or school the ability to withdraw consent to access a student's data? If Yes, how is consent withdrawn?
  3. Does the vendor provide a user the ability to export their data from the service or application?
  4. Does a student, educator, parent, or school have the ability to modify inaccurate student data?
  5. Does a student, educator, parent, or school need to contact the vendor to initiate the data correction process?
  6. Do the policies clearly indicate whether the school or district has the ability to provide parents, and eligible students, with the ability to access and correct student information?
  7. Is a student's personal information deleted by the vendor after the period required to provide the authorized educational purpose has elapsed?
  8. How do the policies describe data sunsets, or any time-period after which a student's data will be automatically deleted if they are inactive on the service or application?
  9. Is a teacher's or non-student's personal information deleted after the time-period required to provide the authorized educational purpose has elapsed?
  10. Does a user or school official have the ability to delete a student's data if the data is no longer necessary for the educational purpose, or does the individual need to contact the vendor to initiate the deletion process?
  11. Does the vendor provide a method for a user to contact them to initiate the data deletion process?
  12. If the vendor needs to initiate the data deletion process for a user, how is the process to request deletion described in their policies?
  13. How is a student's data deleted or expunged from third-parties who have accessed the data from the vendor?

More information on Access and Accuracy

7. Data Transfer (How are Data Transferred During a Bankruptcy, Merger, or Acquisition?)

Qualitative Questions

  1. How will a user's data be handled in the event of a vendor bankruptcy?
  2. How will a user's data be handled in the event of a vendor merger?
  3. How will a user's data be handled in the event of a vendor acquisition?
  4. Does the vendor define merger, acquisition, or bankruptcy as identical events, or as different events? If different events, how is the handling of a user's data different between events?
  5. In the event of an onward transfer, will a user be given adequate notice of the event to allow them the opportunity to request that the vendor delete their data before the transfer occurs?

More information on Data Transfer

8. Security (How are Data Transmitted, Stored, and Protected?)

Qualitative Questions

  1. How will a user's data be secured while in transit? Data in transit can include, but are not limited to: authentication data (e.g., username and password), session data, cookies, API keys, and personal information (full name, age or DOB, email address, gender, location, and student ID). Choose ONE of the following:
    • No encryption--all data are passed in clear text.
    • Service provides the option to log-in without encryption (i.e., encryption not enforced).
    • Password is encrypted in transit.
    • Username and password are encrypted in transit.
    • Username, password, cookies, API requests, third-party plugins, and all data exchanges that display or transmit personally identifiable information are encrypted.
    • All data are encrypted when transmitted.
    • N/A--no sensitive data are transmitted (including login credentials or any third-party trackers, cookies, etc.).
  2. Is it possible for a user to use any section of the website (landing page, login, updating settings or profile information, or any other website activity) without "https" enabled, i.e., over plain HTTP?
  3. Is all data handled by the website or service encrypted when stored at rest? What best describes how this service or application stores data?
    • Unknown or no encryption--all data are stored as clear text in the cloud and on the client.
    • Passwords are encrypted in a reversible format, and/or data are stored in clear text on the client.
    • Passwords are salted and hashed (or equivalent) in the cloud and on the client (or not stored locally).
    • Username and some sensitive data are encrypted at rest and on the client.
    • All sensitive data are encrypted at rest in the cloud and on the client.
    • All data are encrypted at rest in the cloud and on the client.
    • N/A--no sensitive data are stored (including login credentials or by any third-party).
  4. How does a vendor describe the security measures that protect the confidentiality, security, and integrity of a student's personal information?
  5. How does a vendor describe their response in the event of a data breach?
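Questions 1 and 2 above can be partly verified against a live service rather than only against its policy text. The following script is an added example, not part of the Common Sense question set or any vendor's code: it probes a page over http:// and https:// without following redirects, then classifies the observed behaviour against the Q1 answer options (is plain HTTP refused or redirected, is HSTS set, are session cookies marked Secure). The host vendor.example and the sample responses are constructed for illustration. Note the caveat a reviewer should carry into the answer: a clean result on the login page says nothing about mixed content on other pages, third-party trackers, or a companion mobile app's own traffic, each of which needs its own inspection.

```python
"""Classify a service's handling of data in transit (Q1/Q2 of the Security section).

Added example; vendor.example and the sample exchanges below are constructed.
"""
from __future__ import annotations

import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Exchange:
    """What one probe observed: the URL requested, status code, response headers.

    Headers are kept as (name, value) pairs so that repeated Set-Cookie lines survive.
    """
    url: str
    status: int
    headers: List[Tuple[str, str]] = field(default_factory=list)

    def header(self, name: str) -> str:
        for k, v in self.headers:
            if k.lower() == name.lower():
                return v
        return ""

    def cookies(self) -> List[str]:
        return [v for k, v in self.headers if k.lower() == "set-cookie"]


def assess_transport(plain: Exchange, secure: Exchange) -> Dict[str, object]:
    """Evaluate an http:// probe and an https:// probe of the same page.

    https_enforced   the plain request got a redirect (301/302/307/308) to https://
    hsts             Strict-Transport-Security with a max-age on the https reply
    insecure_cookies names of cookies set over https without the Secure attribute
    rating           wording aligned with the Q1 answer options
    """
    location = plain.header("Location").lower()
    redirected = plain.status in (301, 302, 307, 308) and location.startswith("https://")
    hsts = "max-age" in secure.header("Strict-Transport-Security").lower()
    insecure_cookies = [
        c.split("=", 1)[0]
        for c in secure.cookies()
        if "secure" not in [attr.strip().lower() for attr in c.split(";")[1:]]
    ]
    if plain.status == 200:
        # Page served in clear text: Q2 is "yes"; Q1 is at best "encryption not enforced".
        rating = "Service usable without encryption (encryption not enforced)"
    elif redirected and hsts and not insecure_cookies:
        rating = "All data are encrypted when transmitted"
    elif redirected:
        rating = "Encrypted, but HSTS missing or a cookie lacks the Secure attribute"
    else:
        rating = "Unclear: plain HTTP neither served nor redirected to HTTPS"
    return {
        "https_enforced": redirected,
        "hsts": hsts,
        "insecure_cookies": insecure_cookies,
        "rating": rating,
    }


def probe(url: str) -> Exchange:
    """Live probe (network): fetch once, do not follow redirects, record status and headers."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for the 3xx

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return Exchange(url, resp.status, list(resp.getheaders()))
    except urllib.error.HTTPError as err:
        return Exchange(url, err.code, list(err.headers.items()))


# Constructed sample exchanges (not captured from any real vendor).
GOOD_PLAIN = Exchange("http://vendor.example/login", 301,
                      [("Location", "https://vendor.example/login")])
GOOD_SECURE = Exchange("https://vendor.example/login", 200,
                       [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                        ("Set-Cookie", "session=abc; Path=/; Secure; HttpOnly")])
WEAK_PLAIN = Exchange("http://vendor.example/login", 200, [("Content-Type", "text/html")])
WEAK_SECURE = Exchange("https://vendor.example/login", 200,
                       [("Set-Cookie", "session=abc; Path=/; HttpOnly")])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        https_url = sys.argv[1]
        http_url = "http://" + https_url.split("://", 1)[1]
        print(assess_transport(probe(http_url), probe(https_url)))
    else:
        print(assess_transport(GOOD_PLAIN, GOOD_SECURE))
        print(assess_transport(WEAK_PLAIN, WEAK_SECURE))
```

Run with no arguments to see the two constructed cases classified; pass an https:// URL to probe a live login page (the script derives the http:// twin itself). Repeat for each page class named in Q2 rather than only the landing page, since a redirect on the home page does not prove the settings or profile pages are also refused over plain HTTP.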

More information on Security

9. Responsible Use (How are Social Interactions Managed and User Information Displayed?)

Qualitative Questions

  1. Within the service or application, how can a student's information be displayed to others?
  2. What visibility levels exist to display a student's personal information to others (i.e., private, members only, over the web, within a class, etc.)?
  3. How does the vendor describe the tools and processes that support safe and appropriate social interactions on the website or application?
  4. Can a user flag or report abusive content or unwanted social interactions? (If Yes, how would a user flag or report the content?)
  5. Can an adult interact with or contact a student that is not under their supervision or care? (If Yes, describe the interactions.)
  6. Are student interactions with adults limited or monitored? (If Yes, describe how the interactions are limited or monitored.)
  7. Can a student interact with other students? (If Yes, describe how students can interact with one another, including the possibility of students from different classes or schools communicating with one another.)
  8. Are interactions between students monitored? (If Yes, describe how student interactions are monitored.)
  9. Are interactions between adults monitored? (If Yes, describe how adult interactions are monitored.)
  10. Does a user need to share personal information in order to interact with other users? (If Yes, does the personal information shared include geolocation data, gender, photo, name, or date of birth?)
  11. Does the school or district have the right and ability to audit interactions between users? (If Yes, what is the process?)
  12. Does a teacher or supervisory adult have the right and ability to review interactions between users? (If Yes, what is the process?)
  13. Does a parent or guardian have the right and ability to review the interactions of their children? (If Yes, what is the process?)
  14. Does a user have the right to review, correct, and potentially delete, their past interactions? (If Yes, what is the process?)
  15. Does a student, educator, parent, or school have the right and ability to prevent or block social interactions with unauthorized individuals? (If Yes, what is the process?)

More information on Responsible Use

10. Advertising (How are Data used for Traditional, Contextual, or Behavioral Marketing?)

Qualitative Questions

  1. Does the service or application display any advertisements? What information is provided in the policies about these advertisements?
  2. Does the vendor use student data to target advertising to students, parents, teachers, or the school? If yes, what types of advertising are delivered?
  3. Does the vendor allow third-parties to use a student's data to create a profile, engage in data enhancement, or target advertising to students, parents, teachers, or the school? If yes, what types of advertising are delivered?
  4. Does the service or application display advertisements to students under the age of 13?
  5. If the vendor allows advertisements displayed to a user under the age of 13, is the content of the advertisement filtered or reviewed to eliminate age inappropriate content?
  6. Can the vendor or third-parties use student data collected from the website or application to target advertisements to the user on other websites, or on other applications or services?
  7. Can the vendor or third-parties use student data collected through support requests or any other type of direct communication to provide any type of advertising?
  8. Do the vendor's policies honor “Do Not Track” signals?

More information on Advertising

11. Compliance (How do Statutes and Regulations apply from COPPA/FERPA/PPRA?)

Qualitative Questions

  1. Does the website, service, or application vendor have actual knowledge that it collects, uses, or discloses personal information from children under the age of 13?
  2. Is the service or application directed to children under 13, or (even if for an older audience) would the service appeal to children under 13?
  3. Does the service or application vendor participate in a COPPA approved safe harbor program? (If Yes, identify which safe harbor program.)
  4. Has the vendor signed any privacy pledge commitments, performed any privacy evaluations or audits, or received any other certifications? (If yes, please identify.)
  5. Does the vendor transfer responsibility or liability for obtaining verifiable parental consent to the school or district? (If Yes, how is this process managed?)
  6. How are data entered into the application? Are data entered by district staff, school employees, parents, teachers, students, or some other authorized person?
  7. Does the vendor obtain verifiable parental consent before a student's data is entered into the service or application?
  8. What methods are used to obtain verifiable parental consent?
  9. Does a contract with the vendor or their policies designate the vendor as a "school official"?
  10. Does the vendor disclose student data without verifiable parental consent as "Directory Information"?
  11. Does the vendor use or disclose a user's data under a requirement of applicable law, to comply with a legal process, respond to governmental requests, enforce their own policies, for assistance in fraud detection and prevention, or to protect the rights, privacy, safety or property of the vendor, its users, or others?
  12. If there is a dispute with the vendor or a third-party, what is the process for resolving that dispute?

More information on Compliance

Licensing and Attribution

The Privacy Evaluation Questions are released under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License. If you use these questions in your non-commercial project, please credit Common Sense Media as the author, and link back to the announcement post.

This is an example of proper attribution for the Questions: The Privacy Evaluation Questions were authored by Common Sense Media, and are reusable under the terms of a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License.
