Privacy Evaluation Questions - Qualitative with Background

The Qualitative questions listed here are part of the questions used to drive the Common Sense District Privacy Evaluation Initiative. The release announcement gives more information about the complete question set. The qualitative questions on this page can be used to evaluate the protections and potential risks as they are defined in policies and terms of service of educational software. As you will see, not every question has a legal rationale, but between the legal rationale supplied with the Category descriptions and the legal rationale supplied with the Transparency questions, we attempt to provide thorough background information to help people looking to learn more about privacy.

Not every question will be applicable to every software product, but the Qualitative questions, alongside the Transparency evaluation, can help people make more informed decisions for their specific context.

1. Transparency (What is the Privacy Practice?)

Qualitative Questions

  1. Does the online website, service, or application provide a Privacy Policy, a Terms of Service (TOS), or any other relevant legal policies?
  2. Who is notified of changes to the policies?
    • Qualitative Rationale
      • A school or district should maintain control of student data by preventing the vendor from changing its privacy policies without the school's or district's consent. A vendor that agrees to give notice of policy changes is good; however, a vendor that agrees not to change its policies without consent is better. See PTAC, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, p. 4.
  3. How is a user notified of changes to the policies?
    • Qualitative Rationale
      • The FTC adopts the OECD principle that companies should be accountable for their privacy practices. Specifically, the FTC calls on companies to implement procedures – such as designating a person responsible for privacy, training employees, and ensuring adequate oversight of third parties – to help ensure that they are implementing appropriate substantive privacy protections. See FTC 2012, P. 24.
  4. How does a user review updates or changes to the policies before they are adopted?
  5. How does a user indicate that they accept the updated policies?

More information on Transparency

2. Focused Collection (What Information is Collected?)

Qualitative Questions

  1. Which of the following data are collected by the online website, service, or application?
    • Student name
    • Student address
    • Telephone number
    • Email address
    • Photo
    • Date of Birth
    • Place of birth
    • Gender
    • Student grade level
    • School name
    • Dates of attendance at school
    • Subjects studied at that school
    • Student ID number, student user ID (e.g., for a school badge), or other unique personal identifier
    • Student grades (coursewide or on individual assignments)
    • Student transcripts
    • Student course enrollment or course list
    • Academic or athletic honors or awards
    • Financial information of student or parent/guardian
    • Student social security number
    • Parent/guardian name or address
    • Behavioral or discipline information
    • Geolocation data (either via a form, or automatically via a mobile app/web site) sufficient to identify the student's street name or town
    • Photos, videos, or audio recordings of student
    • Medical or health information
    • Mental health information
    • Race or ethnicity
    • Free or reduced lunch status
    • Biometric information such as fingerprints, facial recognition, iris scan, etc.
    • Behavioral biometric information such as keystroke patterns, typing speed, or swiping patterns on mobile devices
    • Non-educational application data (e.g., “likes” or “interests”)
    • Contact information such as an instant messaging user ID, VOIP ID, video chat user ID, or social media (Twitter, Facebook, Instagram) screen name or username that functions as online contact information
    • Online activity such as web searches, assessments, messages, metadata, or student-created content
    • Persistent identifiers that can be used to identify a user over time or to access different websites/apps/services, including but not limited to customer number in a cookie, IP address, processor or device serial number, or unique device ID
    • Student's or parent's political affiliation or beliefs
    • Student's or parent's religious affiliation or beliefs
    • Sexual orientation
    • Information that is linked or linkable to a student or student's family
    • Contact lists or friends list from contact apps or social media accounts
    • The application is unclear about data collected
    • Other
  2. How do the policies describe the practice of collecting only the information required to provide the service (i.e., data minimization)?
    • Qualitative Rationale
      • Data minimization is a privacy best practice that requires companies to limit the data they collect and retain, and to dispose of it once they no longer need it. This best practice is reinforced by the FTC, which encourages companies to collect only the data they need to accomplish a specific business purpose, and is generally supported by federal privacy statutes and regulations such as FERPA, COPPA, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). See FTC, Internet of Things: Privacy and Security in a Connected World (2015), p. 24.

More information on Focused Collection

3. Data Sharing (How do Third-Parties Collect, Access, and Use Data?)

Qualitative Questions

  1. What third-party services are used to support the operation of the website or application?
    • Qualitative Rationale
      • Data that are not traditionally considered personally identifiable can still be linkable to a consumer or device. Studies have demonstrated that consumers object to being tracked regardless of whether the tracker explicitly learns a consumer's name, and that there is potential for harm, such as discriminatory pricing based on online browsing history, even without the use of PII. See FTC 2012, p. 18.
      • The ability to re-identify “anonymous” data supports applying the FTC's framework to data that can be reasonably linked to a consumer or device, because consumers' privacy interest in data goes beyond what is strictly labeled PII. Consumers have a legitimate interest in having control over how companies collect and use aggregated or de-identified data, browser fingerprints, and other types of non-PII. See FTC 2012, pp. 18-19.
  2. What functions or purposes are served by third-party vendors?
  3. How do third-parties ensure they maintain the confidentiality of collected data?
    • Qualitative Rationale
      • Properly de-identified data can reduce the risk of a person's sensitive personal information being disclosed, but data de-identification must be done carefully. Simple removal of direct identifiers from the data to be released does not constitute adequate de-identification. Properly performed de-identification involves removing or obscuring all identifiable information until all data that can lead to individual identification have been expunged or masked. Further, when determining whether the data have been sufficiently de-identified, it is necessary to take into consideration cumulative re-identification risk from all previous data releases and other reasonably available information. See PTAC, Data De-identification: An Overview of Basic Terms, p. 3.
      • When data are collected in one context and combined with data from other sources or different contexts, the potential for an individual's privacy to be compromised increases. Combining data from multiple sources is part of the process of creating a digital profile of a student. Combining data from multiple sources can also be used to re-identify data sets that have been de-identified, or to identify individuals within data sets that have been shared as anonymous aggregated data. A privacy policy that prohibits third-parties from re-identifying anonymous aggregated data provides an additional level of privacy protection for users. See generally PTAC, Data De-identification: An Overview of Basic Terms.
      • FERPA allows properly de-identified data to be used for other purposes, though providers planning to use de-identified student data should be clear about their methodologies for de-identification. If de-identified data will be transferred to another party, it is a best practice to contractually prohibit the third-party from attempting to re-identify any student data. Providers should also acknowledge whether anonymized metadata—a type of de-identified or partially de-identified data—will be used, and for what purposes. See PTAC, Responsibilities of Third-Party Service Providers under FERPA, p. 3.
  4. What data are collected by or shared with third-parties? Does any of the data include personal information?
    • Qualitative Rationale
      • Consumers deserve more transparency about how their data are shared beyond the entities with which they do business directly, including “third-party” data collectors. This means ensuring that consumers are meaningfully aware of the spectrum of information collection and reuse as the number of firms involved in mediating their consumer experience or collecting information from them multiplies. The data services industry should follow the lead of the online advertising and credit industries and build a common website or online portal that lists companies, describes their data practices, and provides methods for consumers to better control how their information is collected and used or to opt out of certain marketing uses. See Exec. Office of the President, Big Data: Seizing Opportunities, Preserving Values (2014), p. 62.
      • What is the "School Official" Exception? In some cases, providers need PII from a student's education records in order to deliver the agreed-upon services. FERPA's school official exception to consent is most likely to apply to the schools' and districts' relationships with service providers. When schools and districts outsource institutional services or functions, FERPA permits the disclosure of PII from education records to contractors, consultants, volunteers, or other third-parties provided that the outside party meets specified requirements. See 34 C.F.R. § 99.31(a)(1)(i); see also PTAC, Responsibilities of Third-Party Service Providers under FERPA, p. 2; see also PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, pp. 3-5.
  5. How can third-party services use data that are collected or shared?
    • Qualitative Rationale
      • Online educational services increasingly collect a large amount of contextual or transactional data as part of their operations, often referred to as “metadata.” Metadata refer to information that provides meaning and context to other data being collected; for example, information about how long a particular student took to perform an online task has more meaning if the user knows the date and time when the student completed the activity, how many attempts the student made, and how long the student's mouse hovered over an item (potentially indicating indecision). See PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, pp. 2-3.
      • Metadata that have been stripped of all direct and indirect identifiers are not considered protected information under FERPA, because the data are not PII. A provider that has been granted access to PII from education records under the "school official" exception may use any metadata that are not linked to FERPA-protected information for other purposes, unless otherwise prohibited by the terms of their agreement with the school or district. See PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, pp. 2-3.
  6. For what purposes are data shared with third-parties?
  7. What data are sold to third-parties? Does any of this data include personal information?
  8. For what purposes are data sold to third-parties?
  9. If data are sold or shared with third-parties, is the data only shared in an anonymous or de-identified format?
    • Qualitative Rationale
      • There is nothing wrong with a provider using de-identified data for other purposes, because privacy statutes govern PII, not de-identified data. But because it can be difficult to fully de-identify data, as a best practice an agreement between a company and a third-party should prohibit re-identification and any future data transfers unless the third-party also agrees not to attempt re-identification. It is also a best practice to be specific about the de-identification process. De-identification typically requires more than just removing any obvious individual identifiers, as other demographic or contextual information can often be used to re-identify specific individuals. Retaining location and school information can also greatly increase the risk of re-identification. See PTAC, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, p. 3.
      • Properly de-identified data can reduce the risk of a person's sensitive personal information being disclosed, but data de-identification must be done carefully. Simple removal of direct identifiers from the data to be released does not constitute adequate de-identification. Properly performed de-identification involves removing or obscuring all identifiable information until all data that can lead to individual identification have been expunged or masked. Further, when determining whether the data have been sufficiently de-identified, it is necessary to take into consideration cumulative re-identification risk from all previous data releases and other reasonably available information. See PTAC, Data De-identification: An Overview of Basic Terms, p. 3.
      • FERPA allows properly de-identified data to be used for other purposes, though providers planning to use de-identified student data should be clear about their methodologies for de-identification. If de-identified data will be transferred to another party, it is a best practice to contractually prohibit the third-party from attempting to re-identify any student data. Providers should also acknowledge whether anonymized metadata—a type of de-identified or partially de-identified data—will be used, and for what purposes. See PTAC, Responsibilities of Third-Party Service Providers under FERPA, p. 3.
  10. How are data anonymized or de-identified prior to disclosure to third parties?
    • Qualitative Rationale
      • While data shared in the aggregate can reduce the risk of re-identifying anonymous individuals, it does not completely eliminate the risk, and sharing of aggregate data should be carefully reviewed. The aggregation of student-level data into school-level (or higher) reports removes much of the risk of disclosure, since no direct identifiers (such as a name, Social Security Number, or student ID) are present in the aggregated tables. Some risk of disclosure does remain, however, in circumstances where one or more students possess a unique or uncommon characteristic (or a combination of characteristics) that would allow them to be identified in the data table (this commonly occurs with small ethnic subgroup populations), or where some easily observable characteristic corresponds to an unrelated category in the data table (e.g., if a school reports that 100% of males in grade 11 scored “Below Proficient” on an assessment). In these cases, some level of disclosure avoidance is necessary to prevent disclosure in the aggregate data table. See PTAC, Frequently Asked Questions—Disclosure Avoidance (Oct 2012), p. 2.
  11. If anonymized or de-identified data are shared with or sold to a third-party, is the third-party contractually prohibited from re-identifying the data?
    • Qualitative Rationale
      • When data are collected in one context and combined with data from other sources or different contexts, the potential for an individual's privacy to be compromised increases. Combining data from multiple sources is part of the process of creating a digital profile of a student. Combining data from multiple sources can also be used to re-identify data sets that have been de-identified, or to identify individuals within data sets that have been shared as anonymous aggregated data. A privacy policy that prohibits third-parties from re-identifying anonymous aggregated data provides an additional level of privacy protection for users. See generally PTAC, Data De-identification: An Overview of Basic Terms.
      • A company that transfers data to another company should not place emphasis on the disclosures themselves, but on whether a disclosure leads to a use of personal data that is inconsistent with the context of its collection or with a consumer's expressed desire to control the data. Thus, if a company transfers personal data to a third party, it remains accountable and should therefore hold the recipient accountable—through contracts or other legally enforceable instruments. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 22.
      • A company's data would not be “reasonably linkable” to a particular consumer or device to the extent that the company implements three significant protections for that data: (1) a given data set is not reasonably identifiable, (2) the company publicly commits not to re-identify it, and (3) the company requires any downstream users of the data to keep it in de-identified form. See FTC 2012, p. 21.
  12. If data are shared or sold to a third-party, is the third-party contractually required not to combine the data with other data sources?
    • Qualitative Rationale
      • The FTC recommends that third-party data brokers take reasonable precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes. Of course, the use of race, color, religion, and certain other categories to make credit, insurance, and employment decisions is already against the law, but data brokers should help ensure that the information does not unintentionally go to unscrupulous entities that would be likely to use it for unlawful discriminatory purposes. Similarly, data brokers should conduct due diligence to ensure that data they intend for marketing or risk mitigation purposes are not used to deny consumers credit, insurance, employment, or the like. See FTC, Data Brokers: A Call for Transparency and Accountability (May 2014), pp. 55-56.
      • A company that transfers data to another company should not place emphasis on the disclosures themselves, but on whether a disclosure leads to a use of personal data that is inconsistent with the context of its collection or with a consumer's expressed desire to control the data. Thus, if a company transfers personal data to a third party, it remains accountable and should therefore hold the recipient accountable—through contracts or other legally enforceable instruments. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 22.
      • The FTC's framework applies to data that, while not yet linked to a particular consumer, computer, or device, may reasonably become so. There is significant evidence demonstrating that technological advances and the ability to combine disparate pieces of data can lead to identification of a consumer, computer, or device even if the individual pieces of data do not constitute PII. See FTC 2012, p. 20.
  13. What external authentication providers (social or federated login) are supported by the vendor?
  14. What data are collected from social or federated login providers?
  15. What data are shared with social or federated login providers?

More information on Data Sharing

4. Respect for Context (What are the Data Purpose, Classification, Notice, and Changes?)

Qualitative Questions

  1. How are collected data used within the application or service?
    • Qualitative Rationale
      • Any PII from a student's education record that the provider receives under FERPA's "school official" exception may only be used for the specific purpose for which it was disclosed (i.e., to perform the outsourced institutional service or function), and the school or district must have direct control over the use and maintenance of the PII by the provider receiving it. Further, under FERPA's school official exception, the provider may not share or sell FERPA-protected information, or re-use it for any other purposes, except as directed by the school or district and as permitted by FERPA. See PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, p. 5.
  2. Is the use of collected data consistent with the context in which it was collected?
  3. Does the indicated use of the data align with the type and amount of data collected?
    • Qualitative Rationale
      • There may be practices that are inconsistent with the context-of-the-interaction standard and thus warrant consumer choice. For instance, there may be contexts in which the “repurposing” of data to improve existing products or services would exceed the internal operations concept. Thus, where a product improvement involves additional sharing of consumer data with third-parties, it would no longer be an “internal operation” consistent with the context of the consumer's interaction with a company. See FTC 2012, p. 39.
      • Support for the internal operations of the website or online service means activities necessary for the site or service to maintain or analyze its functioning; perform network communications; authenticate users or personalize content; serve contextual advertising or cap the frequency of advertising; protect the security or integrity of the user, website, or online service; ensure legal or regulatory compliance; or fulfill a request of a child. See 16 C.F.R. § 312.2; see also FTC, Complying with COPPA: Frequently Asked Questions, q. 5.
  4. What classes of data are defined in the policies?
  5. How can the purpose or context of data change?

More information on Respect for Context

5. Individual Control (How are Data Owned, Licensed, Used, Disclosed, and Managed?)

Qualitative Questions

  1. Does a student, educator, parent, or the school have ownership of any student data collected?
    • Qualitative Rationale
      • What is the "School Official" Exception? In some cases, providers need PII from a student's education records in order to deliver the agreed-upon services. FERPA's school official exception to consent is most likely to apply to the schools' and districts' relationships with service providers. When schools and districts outsource institutional services or functions, FERPA permits the disclosure of PII from education records to contractors, consultants, volunteers, or other third-parties provided that the outside party meets specified requirements. See 34 C.F.R. § 99.31(a)(1)(i); see also PTAC, Responsibilities of Third-Party Service Providers under FERPA, p. 2; see also PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, pp. 3-5.
      • The FTC recommends companies take reasonable steps to ensure the accuracy of the data they collect and maintain, particularly if such data could cause significant harm or be used to deny consumers services. The best approach to improving the accuracy of the consumer data companies collect and maintain is a flexible one, scaled to the intended use and sensitivity of the information. See FTC 2012, pp. 29-30.
  2. Does the school limit any vendor's rights in providing the educational service, if a vendor is acting as a "school official"?
  3. Does a vendor claim any Intellectual Property rights or license to copy, distribute, or republish user created content or user data?
    • Qualitative Rationale
      • Maintaining ownership of data to which the provider may have access allows schools or districts to retain control over the use and maintenance of FERPA-protected student information and protect against a provider selling information. See PTAC, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, p. 7.
  4. Does the vendor claim any Intellectual Property rights to a user's information, metadata, or created content beyond what is required to provide the service?
    • Qualitative Rationale
      • Maintaining ownership of data to which the provider may have access allows schools or districts to retain control over the use and maintenance of FERPA-protected student information and protect against a provider selling information. See PTAC, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, p. 7.
  5. Does the vendor provide notice to a user if their content is blocked or removed because it violates the Intellectual Property rights of others?
    • Qualitative Rationale
      • The Digital Millennium Copyright Act (DMCA) establishes procedures for proper notification, and rules to take down a user's content that violates the copyright of others. Under the notice and takedown procedure, a copyright owner submits a notification under penalty of perjury, including a list of specified elements, to the service provider's designated agent. If, upon receiving a proper notification, the service provider promptly removes or blocks access to the material identified in the notification, the provider is exempt from monetary liability. In addition, the provider is protected from any liability to any person for claims based on its having taken down the material. However, the service provider is required to provide adequate notice to the affected user, who has the opportunity to respond to the notice and takedown by filing a counter notification. See U.S. Copyright Office Summary, The Digital Millennium Copyright Act (DMCA), p. 12; see 17 U.S.C. § 512(c)(3); 17 U.S.C. § 512(g)(1).
  6. Does the vendor allow a student, educator, or school to control what types of data are collected?
    • Qualitative Rationale
      • Establishing consumer choice as a baseline requirement for companies that collect and use consumer data, while also identifying certain practices where choice is unnecessary, is an appropriately balanced model. It increases consumers' control over the collection and use of their data, preserves the ability of companies to innovate new products and services, and sets clear expectations for consumers and industry alike. See FTC 2012, p. 36.
      • There are five categories of data practices that companies can engage in without offering consumer choice, because they involve data collection and use that is either obvious from the context of the transaction or sufficiently accepted or necessary for public policy reasons. The categories are: (1) product and service fulfillment; (2) internal operations; (3) fraud prevention; (4) legal compliance and public purpose; and (5) first-party marketing. See FTC 2012, p. 36.
      • Companies should recognize the sensitivity of data, take special care to delete data as soon as possible, implement reasonable restrictions on the retention of data, and dispose of it once the data has outlived the legitimate purpose for which it was collected. See FTC 2012, pp. 28-29.
      • The Administration encourages companies engaged in online advertising to refrain from collecting, using, or disclosing personal data that may be used to make decisions regarding employment, credit, and insurance eligibility or similar matters that may have significant adverse consequences for consumers. Collecting data for such sensitive uses is at odds with the contextually well-defined purposes of generating revenue and providing consumers with ads that they are more likely to find relevant. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 18.
  7. Does the vendor allow a user to control whether data are disclosed to a third-party?
    • Qualitative Rationale
      • While notice and consent remain fundamental in many contexts, it is important to examine whether a greater focus on how data are used and reused would be a more productive basis for managing privacy rights in a big data environment. It may be that creating mechanisms for individuals to participate in the use and distribution of their information after it is collected is actually a better and more empowering way to allow people to access the benefits that derive from their information. Privacy protections must also evolve in a way that accommodates the social good that can come of big data use. See Exec. Office of the President, Big Data: Seizing Opportunities, Preserving Values (2014), p. 61.
  8. Does the vendor allow a user to control communication preferences with the vendor or third-parties?
  9. Does the vendor allow an individual to request whether the vendor has collected any personal information about them?

More information on Individual Control

6. Access and Accuracy (How are Data Accessed, Corrected, Retained, Deleted, and Exported?)

Qualitative Questions

  1. Does the vendor provide access to a student's data for authorized educators, parents, or school officials? If Yes, how does the vendor authorize access?
  2. Does the vendor provide a student, educator, parent, or school the ability to withdraw consent to access a student's data? If Yes, how is consent withdrawn?
  3. Does the vendor provide a user the ability to export their data from the service or application?
  4. Does a student, educator, parent, or school have the ability to modify inaccurate student data?
  5. Does a student, educator, parent, or school need to contact the vendor to initiate the data correction process?
  6. Do the policies clearly indicate whether the school or district has the ability to provide parents, and eligible students, with the ability to access and correct student information?
    • Qualitative Rationale
      • FERPA guarantees parents the right to access their child's education records, including those maintained by providers on behalf of the school or district, upon request within 45 days; some states provide a shorter window. As a best practice, parental access to their child's education records should be seamless, with providers giving the requested records to the school or district, who can confirm the parent's identity and provide them access to the records. See PTAC, Responsibilities of Third-Party Service Providers under FERPA, p. 4.
  7. Is a student's personal information deleted by the vendor after the period required to provide the authorized educational purpose has elapsed?
  8. How do the policies describe data sunsets, or any time-period after which a student's data will be automatically deleted if they are inactive on the service or application?
  9. Is a teacher's or non-student's personal information deleted after the time-period required to provide the authorized educational purpose has elapsed?
  10. Does a user or school official have the ability to delete a student's data if the data is no longer necessary for the educational purpose, or does the individual need to contact the vendor to initiate the deletion process?
  11. Does the vendor provide a method for a user to contact them to initiate the data deletion process?
  12. If the vendor needs to initiate the data deletion process for a user, how is the process to request deletion described in their policies?
  13. How is a student's data deleted or expunged from third-parties who have accessed the data from the vendor?

More information on Access and Accuracy

7. Data Transfer (How are Data Transferred During a Bankruptcy, Merger, or Acquisition?)

Qualitative Questions

  1. How will a user's data be handled in the event of a vendor bankruptcy?
  2. How will a user's data be handled in the event of a vendor merger?
  3. How will a user's data be handled in the event of a vendor acquisition?
  4. Does the vendor define merger, acquisition, or bankruptcy as identical events, or as different events? If different events, how is the handling of a user's data different between events?
  5. In the event of an onward transfer, will a user be given adequate notice of the event to allow them the opportunity to request that the vendor delete their data before the transfer occurs?

More information on Data Transfer

8. Security (How are Data Transmitted, Stored, and Protected?)

Qualitative Questions

  1. How will a user's data be secured while in transit? Data in transit can include, but are not limited to: authentication data (e.g., username and password), session data, cookies, API keys, and personal information (full name, age or DOB, email address, gender, location, and student ID). Choose ONE of the following:
    • No encryption--all data are passed in clear text.
    • Service provides the option to log-in without encryption (i.e., encryption not enforced).
    • Password is encrypted in transit.
    • Username and password are encrypted in transit.
    • Username, password, cookies, APIs, third-party plugins, and all data exchanges that display or transmit personally identifiable information are encrypted.
    • All data are encrypted when transmitted.
    • N/A--no sensitive data are transmitted (including login credentials or any third-party trackers, cookies, etc.).
  2. Is it possible for a user to use any section of the website: landing page, login, updating settings or profile information, or any other website activity without "https" enabled?
  3. Are all data handled by the website or service encrypted when stored at rest? What best describes how this service or application stores data?
    • Unknown or no encryption--all data are stored as clear text in the cloud and on the client.
    • Passwords are encrypted in a reversible format, and/or data are stored in clear text on the client.
    • Passwords are salted and hashed (or equivalent) in the cloud and on the client (or not stored locally).
    • Username and some sensitive data are encrypted at rest and on the client.
    • All sensitive data are encrypted at rest in the cloud and on the client.
    • All data are encrypted at rest in the cloud and on the client.
    • N/A--no sensitive data are stored (including login credentials or by any third-party).
    • Qualitative Rationale
      • Stored data can reside on a vendor or third-party server, on a client (in an app or a browser), or on both, and can include authentication data (e.g., password), user data (e.g., personal information), session data, and log entries.
  4. How does a vendor describe the security measures that protect the confidentiality, security, and integrity of a student's personal information?
  5. How does a vendor describe their response in the event of a data breach?
    • Qualitative Rationale
      • The breach notification laws in California and the 46 other states are similar in many ways, because most are modeled on the original California law. All of them require notifying individuals when their personal information has been breached, prefer written notification but allow using the “substitute method” in certain situations, allow for a law enforcement delay, and provide an exemption from the requirement to notify when data is encrypted. There are some differences, primarily in three areas: (i) the notification trigger, (ii) the timing for notification, and (iii) the definition of covered information. See CA DOJ, California Data Breach Report (2016),
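As an added illustration of the "data at rest" rubric in question 3 (this code is not part of the Common Sense question set, nor any vendor's implementation), the following Python contrasts the "passwords are encrypted in a reversible format" tier with the "passwords are salted and hashed" tier. The XOR keystream is a stand-in for any reversible cipher, and PBKDF2-HMAC-SHA256 with a 600,000 iteration count is an assumption about what a reasonable vendor would use; the page itself names neither. The point a reviewer should take away is that a reversible record plus the vendor's key yields the original password, while a salted hash only supports yes/no verification.

```python
"""Added example: two tiers of password storage at rest, standard library only.

  reversible_store / reversible_recover  -> the weaker rubric tier
  hash_password    / verify_password     -> the "salted and hashed" tier
"""
import hashlib
import hmac
import os
from typing import Optional

# Iteration count for PBKDF2-HMAC-SHA256 (assumption: the figure OWASP's
# Password Storage Cheat Sheet recommends at the time of writing).
PBKDF2_ITERATIONS = 600_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from (key, nonce); stands in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def reversible_store(password: str, key: bytes) -> dict:
    """Reversible tier: anyone holding `key` can recover the password."""
    nonce = os.urandom(16)
    pw = password.encode()
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(key, nonce, len(pw))))
    return {"scheme": "reversible", "nonce": nonce.hex(), "value": ct.hex()}


def reversible_recover(record: dict, key: bytes) -> str:
    """Turn a reversible record back into the plaintext password."""
    nonce = bytes.fromhex(record["nonce"])
    ct = bytes.fromhex(record["value"])
    pw = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pw.decode()


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted-and-hashed tier: a fresh random salt per record, slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return {
        "scheme": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample values; no real credentials.
    vendor_key = os.urandom(32)
    rev = reversible_store("correct horse", vendor_key)
    print("reversible record recovers to:", reversible_recover(rev, vendor_key))

    rec = hash_password("correct horse")
    print("hashed record, right password:", verify_password(rec, "correct horse"))
    print("hashed record, wrong password:", verify_password(rec, "correct horsE"))
```

When reading a vendor's security description, the presence of a per-record salt and a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2) is what distinguishes the hashed tier from the reversible one; a statement that passwords are "encrypted" without more detail usually means the reversible tier.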

More information on Security

9. Responsible Use (How are Social Interactions Managed and User Information Displayed?)

Qualitative Questions

  1. Within the service or application, how can a student's information be displayed to others?
  2. What visibility levels exist to display a student's personal information to others (i.e., private, members only, over the web, within a class, etc.)?
  3. How does the vendor describe the tools and processes that support safe and appropriate social interactions on the website or application?
  4. Can a user flag or report abusive content or unwanted social interactions? (If Yes, how would a user flag or report the content?)
  5. Can an adult interact with or contact a student that is not under their supervision or care? (If Yes, describe the interactions.)
  6. Are student interactions with adults limited or monitored? (If Yes, describe how the interactions are limited or monitored.)
  7. Can a student interact with other students? (If Yes, describe how students can interact with one another, including the possibility of students from different classes or schools communicating with one another.)
  8. Are interactions between students monitored? (If Yes, describe how student interactions are monitored.)
  9. Are interactions between adults monitored? (If Yes, describe how adult interactions are monitored.)
  10. Does a user need to share personal information in order to interact with other users? (If Yes, does the personal information shared include geolocation data, gender, photo, name, or date of birth?)
  11. Does the school or district have the right and ability to audit interactions between users? (If Yes, what is the process?)
  12. Does a teacher or supervisory adult have the right and ability to review interactions between users? (If Yes, what is the process?)
  13. Does a parent or guardian have the right and ability to review the interactions of their children? (If Yes, what is the process?)
  14. Does a user have the right to review, correct, and potentially delete, their past interactions? (If Yes, what is the process?)
  15. Does a student, educator, parent, or school have the right and ability to prevent or block social interactions with unauthorized individuals? (If Yes, what is the process?)

More information on Responsible Use

10. Advertising (How are Data used for Traditional, Contextual, or Behavioral Marketing?)

Qualitative Questions

  1. Does the service or application display any advertisements? What information is provided in the policies about these advertisements?
  2. Does the vendor use student data to target advertising to students, parents, teachers, or the school? If yes, what types of advertising are delivered?
    • Qualitative Rationale
      • The FTC recommends that affirmative express consent is appropriate when a company uses sensitive data for any marketing, whether first or third-party. When health or children's information is involved, for example, the likelihood that data misuse could lead to embarrassment, discrimination, or other harms is increased. This risk exists regardless of whether the entity collecting and using the data is a first-party or a third-party that is unknown to the consumer. In light of the heightened privacy risks associated with sensitive data, first parties should provide a consumer choice mechanism at the time of data collection. See FTC 2012, P. 47.
      • The FTC believes affirmative express consent for first-party marketing using sensitive data should be limited. Certainly, where a company's business model is designed to target consumers based on sensitive data – including data about children, financial and health information, Social Security numbers, and certain geolocation data – the company should seek affirmative express consent before collecting the data from those consumers. On the other hand, the risks to consumers may not justify the potential burdens on general audience businesses that incidentally collect and use sensitive information. See FTC 2012, pp. 47-48.
  3. Does the vendor allow third-parties to use a student's data to create a profile, engage in data enhancement, or target advertising to students, parents, teachers, or the school? If yes, what types of advertising are delivered?
    • Qualitative Rationale
      • Companies should improve the transparency of their advertising practices by disclosing that they engage in data enhancement and educate consumers about the practice, identifying the third-party sources of the data, and providing a link or other contact information so the consumer can contact the third-party source directly. See FTC 2012, P. 44.
      • The FTC recommends that to further protect consumer privacy, first-parties that obtain marketing data for enhancement should take steps to encourage their third-party data broker sources to increase their own transparency, including by participating in a centralized data broker website, where consumers could learn more information about data brokers and exercise choice. See FTC 2012, P. 44.
      • Companies' privacy policies should be clear that collected data and/or metadata may not be used to create user profiles for the purposes of targeting students or their parents for advertising and marketing, which could violate several privacy laws. See PTAC, Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, P. 4.
      • As students begin to share information with educational institutions or vendors, they expect that they are doing so in order to develop knowledge and skills, not to have their data used to build extensive profiles about their strengths and weaknesses that could be used to their disadvantage in later years. Educational institutions are also in a unique position to help prepare children, adolescents, and adults to grapple with the world of big data. See Exec. Office of the President, Big Data: Seizing Opportunities, Preserving Values (2014), p. 63,
  4. Does the service or application display advertisements to students under the age of 13?
    • Qualitative Rationale
      • The FTC restricts advertisements that may be misleading to children. Advertising to children under the age of 13 is particularly scrutinized, as research shows that these children are especially vulnerable because they are unable to understand an advertisement's persuasive intent. Self-regulatory guidelines are also published by the Children's Advertising Review Unit, which is a branch of the advertising self-regulatory program administered by the Council of Better Business Bureaus. The guidelines generally provide that any advertising to young children should be clearly distinguishable from the other content.
      • Third-party data brokers should implement better measures to refrain from collecting information from children and teens, particularly in marketing products. As to children under 13, COPPA already requires certain online services to refrain from collecting personal information from this age group without parental consent; the principles underlying that legislation could apply equally to information collected offline from children. As to teens, the FTC previously has noted that they often lack the judgment to appreciate the long-term consequences of, for example, posting data on the Internet. See FTC, Data Brokers: A Call For Transparency and Accountability (May 2014), p. 55,
  5. If the vendor allows advertisements displayed to a user under the age of 13, is the content of the advertisement filtered or reviewed to eliminate age inappropriate content?
    • Qualitative Rationale
      • Advertising to children in school presents a variety of legal issues. Several states have laws that place restrictions on the advertising of products or services that have inappropriate content for children, such as alcohol and firearms. Additionally, contextual advertising would likely be permissible as "support for internal operations" of a service or application, in contrast to behaviorally targeted advertising that implicates several privacy laws such as the PPRA, COPPA, and FERPA, which restrict the use of personal information without parental consent.
  6. Can the vendor or third-parties use student data collected from the website or application to target advertisements to the user on other websites, or on other applications or services?
    • Qualitative Rationale
      • The FTC recommends that where a company has a first-party relationship with a consumer for delivery of a specific service, but also tracks the consumer's activities across other parties' websites, such tracking is unlikely to be consistent with the context of the consumer's first-party relationship with the entity. See FTC 2012, P. 41.
      • The FTC agrees that the definition of first-party marketing should include the practice of contacting consumers across different channels. Regardless of the particular means of contact, receipt of a message from a company with which a consumer has interacted directly is likely to be consistent with the consumer's relationship with that company. If an offline or online retailer tracks a customer's activities on a third-party website, this is unlikely to be consistent with the customer's relationship with the retailer; thus, choice should be required. See FTC 2012, P. 42; See also FTC Staff Report, Self-Regulatory Principles For Online Behavioral Advertising, pp. 26-28,
  7. Can the vendor or third-parties use student data collected through support requests or any other type of direct communication to provide any type of advertising?
    • Qualitative Rationale
      • The FTC agrees that the definition of first-party marketing should include the practice of contacting consumers across different channels. Regardless of the particular means of contact, receipt of a message from a company with which a consumer has interacted directly is likely to be consistent with the consumer's relationship with that company. If an offline or online retailer tracks a customer's activities on a third-party website, this is unlikely to be consistent with the customer's relationship with the retailer; thus, choice should be required. See FTC 2012, P. 42; See also FTC Staff Report, Self-Regulatory Principles For Online Behavioral Advertising, pp. 26-28,
  8. Do the vendor's policies honor "Do Not Track" signals?
    • Qualitative Rationale
      • Even as we focus more on data use, consumers still have a valid interest in "Do Not Track" tools that help them control when and how their data is collected. Strengthening these tools is especially important because there is now a growing array of technologies available for recording individual actions, behavior, and location data across a range of services and devices. Public surveys indicate a clear and overwhelming demand for these tools, and the government and private sector must continue working to evolve privacy-enhancing technologies in step with improved consumer services. See Exec. Office of the President, Big Data: Seizing Opportunities, Preserving Values (2014), p. 62,

More information on Advertising

11. Compliance (How do Statutes and Regulations apply from COPPA/FERPA/PPRA?)

Qualitative Questions

  1. Does the website, service, or application vendor have actual knowledge that it collects, uses, or discloses personal information from children under the age of 13?
  2. Is the service or application directed to children under 13, or (even if for an older audience) would the service appeal to children under 13?
  3. Does the service or application vendor participate in a COPPA approved safe harbor program? (If Yes, identify which safe harbor program.)
  4. Has the vendor signed any privacy pledge commitments, performed any privacy evaluations or audits, or received any other certifications? (If yes, please identify.)
    • Qualitative Rationale
      • Privacy protection depends on companies being accountable to consumers as well as to agencies that enforce consumer data privacy protections. However, compliance goes beyond external accountability to encompass practices through which companies prevent lapses in their privacy commitments or detect and remedy any lapses that may occur. Companies that can demonstrate that they live up to their privacy commitments have powerful means of maintaining and strengthening consumer trust. A company's own evaluation can prove invaluable to this process. The appropriate evaluation technique, which could be a self-assessment and need not necessarily be a full audit, will depend on the size, complexity, and nature of a company’s business, as well as the sensitivity of the data involved. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), p. 22,
  5. Does the vendor transfer responsibility or liability for obtaining verifiable parental consent to the school or district? (If Yes, how is this process managed?)
  6. How are data entered into the application? Are data entered by district staff, school employees, parents, teachers, students, or some other authorized person?
  7. Does the vendor obtain verifiable parental consent before a student's data is entered into the service or application?
  8. What methods are used to obtain verifiable parental consent?
  9. Does a contract with the vendor or their policies designate the vendor as a "school official"?
  10. Does the vendor disclose student data without verifiable parental consent as "Directory Information"?
  11. Does the vendor use or disclose a user's data under a requirement of applicable law, to comply with a legal process, respond to governmental requests, enforce their own policies, for assistance in fraud detection and prevention, or to protect the rights, privacy, safety or property of the vendor, its users, or others?
  12. If there is a dispute with the vendor or a third-party, what is the process for resolving that dispute?

More information on Compliance

Licensing and Attribution

The Privacy Evaluation Questions are released under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License. If you use these questions in your non-commercial project, please credit Common Sense Media as the author, and link back to the announcement post.

This is an example of proper attribution for the Questions: The Privacy Evaluation Questions were authored by Common Sense Media, and are reusable under the terms of a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License.
