Privacy Evaluation Questions - Transparency

The Transparency questions listed here are part of the questions used to drive the Common Sense District Privacy Evaluation Initiative. The release announcement gives more information about the complete question set. The list of transparency questions on this page can be used to get a sense of what can be covered in policies and terms of service of educational software. Not every question will be applicable to every software product, but taken as a whole, the Transparency evaluation helps create a sense of how thorough a set of policies might be.

1. Transparency (What is the Privacy Practice?)

Transparency Questions

  1. Are the policies available on the main landing webpage?
  2. Are the policies available in a machine-readable format?
  3. Do the policies prohibit machine crawling or indexing?
  4. Are the policies available on all product purchase or acquisition web pages?
  5. Are the policies available on the new account creation webpage for review prior to starting a new account creation process?
  6. Are the policies available from the website login-page?
  7. Are the policies available from within the online website, service, or application so logged-in users can also access them?
  8. Do the policies clearly indicate the version or revision date of the policies?
  9. Do the policies clearly indicate whether or not a user is notified if there are any material changes to the Privacy Policy or Terms of Service?
  10. Do the policies clearly indicate who is notified when policies are updated or materially change?
  11. Do the policies clearly indicate the method used to notify the user or organization when policies are updated or materially change?
  12. Do the policies clearly indicate how a user can contact the vendor about any updates or material changes to the policies?
  13. Do the policies clearly indicate whether or not updates or material changes to the policies will be accessible for review by a user prior to the new changes being adopted?
  14. Do the policies clearly indicate how a user can accept updates or material changes to the policies?

More information on Transparency

2. Focused Collection (What Information is Collected?)

Transparency Questions

  1. Do the policies clearly indicate what data is collected by the application or service?
  2. Do the policies clearly indicate whether or not the vendor collects Personally Identifiable Information (PII)?
  3. Do the policies clearly indicate whether or not the vendor collects information or education records from K-12 students?
  4. Do the policies clearly indicate whether or not the vendor collects information from children under 13 years of age?
  5. Do the policies clearly indicate whether or not the vendor limits the collection of information to only data that are specifically required to run the application?
  6. Do the policies clearly indicate whether or not geolocation data are collected?
  7. Do the policies clearly indicate whether or not any biometric data are collected?
  8. Do the policies clearly indicate whether or not any behavioral data are collected?
  9. Do the policies clearly indicate whether or not the service or application collects a user's persistent identifier, unique device ID, IP address, or other device information?
  10. Do the policies clearly indicate whether or not the vendor uses web beacons, cookies, or local shared objects to collect information?
  11. Do the policies clearly indicate whether or not the vendor collects information on free or reduced lunch status?
  12. Do the policies clearly indicate whether or not the vendor accesses or stores a user's contact list or friend list?

More information on Focused Collection

3. Data Sharing (How do Third-Parties Collect, Access, and Use Data?)

Transparency Questions

  1. Do the policies clearly indicate whether or not third-party services are used to support the internal operation of the application or website?
  2. Do the policies clearly indicate whether or not collected information (this includes data collected via automated tracking or usage analytics) is shared with third-parties?
  3. Do the policies clearly indicate whether or not the vendor uses third-party services (including usage analytics) to collect tracking information or personal information?
  4. Do the policies clearly indicate a list of third-parties that the vendor shares data with?
  5. Do the policies clearly indicate the role of all third-parties?
  6. Do the policies clearly indicate whether third-party privacy policies or Terms of Service (TOS) are available from a link on the vendor's website or legal terms?
  7. Do the policies clearly indicate what data are collected by or shared with third-parties?
  8. Do the policies clearly indicate the vendor's intention or reason for sharing a student's personal information with third-parties?
  9. Do the policies clearly indicate whether or not a student's personal information is sold to third-parties?
  10. Do the policies clearly indicate that all student personal information that is shared or sold to a third-party is only done so in an anonymous or de-identified format?
  11. Do the policies clearly indicate how student personal information is de-identified, or provide links to any information that describes their de-identification process?
  12. Do the policies clearly indicate whether or not data collected or maintained by the vendor will be augmented, extended, or combined with data from other sources?
  13. Do the third-party policies clearly indicate that third-party services are prohibited from re-identifying information shared or sold to them?
  14. Do the third-party policies clearly indicate that shared data will not be combined or used with other data sources?
  15. Do the policies clearly indicate whether or not social or federated login is required or optional?

More information on Data Sharing

4. Respect for Context (What are the Data Purpose, Classification, Notice, and Changes?)

Transparency Questions

  1. Do the policies clearly indicate the vendor's purpose or use of data collected by the application?
  2. Do the policies clearly indicate the context in which data are collected?
  3. Do the policies clearly indicate specific classes of information (PII, Children's PII, Sensitive information, etc.)?
  4. Do the policies clearly indicate whether or not specific classes of information can change?
  5. Do the policies clearly indicate whether or not the purpose or context in which data are collected can change?
  6. Do the policies clearly indicate whether or not notice is provided to a user if the vendor changes the context in which data are collected?

More information on Respect for Context

5. Individual Control (How are Data Owned, Licensed, Used, Disclosed, and Managed?)

Transparency Questions

  1. Do the policies clearly indicate who owns the Intellectual Property rights to the data collected by the application or service?
  2. Do the policies clearly indicate the vendor's rights or limitations to the data collected from a user's interactions?
  3. Do the policies clearly indicate whether the vendor responds to notifications of alleged copyright infringement of the data collected by the application or service?
  4. Do the policies clearly indicate whether a user can control the types of information collected?
  5. Do the policies clearly indicate whether a user must opt-in or opt-out to allow their data to be disclosed?
  6. Do the policies clearly indicate whether a user must opt-in or opt-out of communication preferences?
  7. Do the policies clearly indicate whether a user can prevent the use or disclosure of thier data by the vendor if the data contains sensitive personal information?
  8. Do the policies clearly indicate whether a user can request the vendor to disclose all the personal information collected about them?

More information on Individual Control

6. Access and Accuracy (How are Data Accessed, Corrected, Retained, Deleted, and Exported?)

Transparency Questions

  1. Do the policies clearly indicate whether the vendor provides access for authorized individuals to a student's data?
  2. Do the policies clearly indicate whether there is a process available for the school, parents, or eligible students to access student information?
  3. Do the policies clearly indicate whether the vendor provides a process to withdraw access for individuals to a student's data?
  4. Do the policies clearly indicate whether there is a process for the school, parents, or eligible students to modify inaccurate student information?
  5. Do the policies clearly indicate whether a user or the school has the ability to modify a student's inaccurate data on their own?
  6. Do the policies clearly indicate whether a student, school, or parent must submit a request to the vendor to modify a student's inaccurate personal information?
  7. Do the policies clearly indicate how long a vendor has to modify inaccurate student data after given notice by a user or the school?
  8. Do the policies clearly indicate how a user's data or account are deleted?
  9. Do the policies clearly indicate whether a user or the school has the ability to delete a student's data on their own?
  10. Do the policies clearly indicate whether or not a user or the school has the ability to delete a student's data by accessing or initiating a process managed by the vendor?
  11. Do the policies clearly indicate how long the vendor has to delete student data after given notice by a user or the school?
  12. Do the policies clearly indicate whether student data is or can be deleted from third-parties?
  13. Do the policies clearly indicate whether or not a user can export their data, including any content they have created on the website or application?
  14. Do the policies clearly indicate what export formats are supported?
  15. Do the policies clearly indicate the vendor's data retention policy, including any data sunsets?
  16. Do the policies clearly indicate whether a user can extend the time-period for data retention?
  17. Do the policies clearly indicate whether or not a vendor will delete a student's personal information when the data is no longer necessary to complete the educational purpose?
  18. Do the policies clearly indicate whether or not a vendor will delete a teacher's or non-student's personal information when the data is no longer necessary to complete the educational purpose?

More information on Access and Accuracy

7. Data Transfer (How are Data Transferred During a Bankruptcy, Merger, or Acquisition?)

Transparency Questions

  1. Do the policies clearly indicate what happens to data if a vendor declares bankruptcy?
  2. Do the policies clearly indicate what happens to data if a vendor declares a merger?
  3. Do the policies clearly indicate what happens to data if a vendor declares an acquisition?
  4. Do the policies clearly indicate whether a user can request to delete their data prior to its transfer to a third-party in the event of a vendor bankruptcy, merger, or acquisition?
  5. Do the policies clearly indicate whether a user will be notified and allowed to opt-out of a data transfer in the event of a vendor bankruptcy, merger, or acquisition?
  6. Do the policies clearly indicate whether the third-party recipient of the data transfer is contractually required to provide the same level of privacy protection?

More information on Data Transfer

8. Security (How are Data Transmitted, Stored, and Protected?)

Transparency Questions

  1. Do the policies clearly indicate how all data in transit is handled?
  2. Do the policies clearly indicate how all data at rest is handled?
  3. Do the policies clearly indicate whether security measures are used to protect the confidentiality of a student's personal information?
  4. Do the policies clearly indicate the vendor's response in the event of a data breach?

More information on Security

9. Responsible Use (How are Social Interactions Managed and User Information Displayed?)

Transparency Questions

  1. Do the policies clearly indicate whether or not a student's personal information is displayed in any way?
  2. Do the policies clearly indicate whether or not a student's personal information is displayed outside the context of social interactions?
  3. Do the policies clearly indicate whether or not a student has control over how their personal information is displayed to others?
  4. Do the policies clearly indicate whether or not interactions between users in the website or application are moderated?
  5. Do the policies clearly indicate whether or not a user can flag unwanted messages?
  6. Do the policies clearly indicate whether or not a user can report abuse?
  7. Do the policies clearly indicate whether or not a user can interact with strangers, including adults?
  8. Do the policies clearly indicate what information must be shared or revealed by a user in order to participate in social interactions?
  9. Do the policies clearly indicate whether or not social interactions are logged?
  10. Do the policies clearly indicate whether or not social interactions may be audited by the school or district?
  11. Do the policies clearly indicate whether or not social interactions may be audited by parents of a student?

More information on Responsible Use

10. Advertising (How are Data used for Traditional, Contextual, or Behavioral Marketing?)

Transparency Questions

  1. Do the policies clearly indicate whether or not advertisements are displayed?
  2. Do the policies clearly indicate whether or not behavioral or contextual advertising based on a student's personal information is displayed to a user?
  3. Do the policies clearly indicate whether or not advertisements that are age inappropriate for minors are displayed (e.g., alcohol, gambling, violent, or sexual content)?
  4. Do the policies clearly indicate whether or not advertisements are displayed to children under 13 years of age?
  5. Do the policies clearly indicate whether or not a student's personal information is used to target advertisements on other websites or services?
  6. Do the policies clearly indicate whether or not a user's data gathered within the application or by third-parties can be used for any non-educational or advertising purpose, including research?
  7. Do the policies clearly indicate whether or not third-party advertising services or trackers collect any information from a user of the website or application?
  8. Do the policies clearly indicate whether or not a user can opt-out of contextual or behavioral advertising?
  9. Do the policies clearly indicate whether the vendor responds to a “Do Not Track” signal or to other mechanisms?

More information on Advertising

11. Compliance (How do Statutes and Regulations apply from COPPA/FERPA/PPRA?)

Transparency Questions

  1. Do the policies clearly indicate whether or not personal information from children under 13 years of age is collected?
  2. Do the policies clearly indicate whether or not the service or application participates in an approved COPPA safe harbor program?
  3. Do the policies clearly indicate whether or not the vendor has signed any privacy pledges or received any other certifications?
  4. Do the policies clearly indicate the process by which data are entered into the application? For example, is data entered by district staff, school employees, parents, teachers, students, or some other person?
  5. Do the policies clearly indicate whether or not responsibility or liability for obtaining verified parental consent is transferred to the school or district?
  6. Do the policies clearly indicate whether or not verified parental consent should be obtained?
  7. Do the policies clearly indicate the methods available to provide verified parental consent, under COPPA?
  8. Do the policies clearly indicate the methods available to provide verified parental consent, under FERPA?
  9. Do the policies clearly indicate whether or not the vendor discloses student data to third parties without verifiable parental consent?
  10. Do the policies clearly indicate whether or not the vendor is designated as a “school official,” under FERPA?
  11. Do the policies clearly indicate the jurisdiction that will govern the construction, interpretation, and enforcement of the policies?
  12. Do the policies clearly indicate whether or not the vendor can use or disclose a user's data to comply with the law, legal process, respond to an emergency, or ensure legal or regulatory compliance?
  13. Do the policies clearly indicate the forum or legal process used to settle disputes?

More information on Compliance

Licensing and Attribution

The Privacy Evaluation Questions are released under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License. If you use these questions in your non-commercial project, please credit Common Sense Media as the author, and link back to the announcement post.

This is an example of proper attribution for the Questions: The Privacy Evaluation Questions were authored by Common Sense Media, and are reusable under the terms of a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License.

Privacy Evaluation Question Navigation and Information