Privacy Evaluation Questions - Transparency with Background

The Transparency questions listed here are part of the questions used to drive the Common Sense District Privacy Evaluation Initiative. The release announcement gives more information about the complete question set. The list of transparency questions on this page includes legal rationale for selected questions. As you will see, not every question has a legal rationale, but between the legal rationale supplied with the Category descriptions and the legal rationale supplied with the Qualitative questions, we attempt to provide thorough background information to help people looking to learn more about privacy.

Additionally, not every question will be applicable to every software product, but taken as a whole, the Transparency evaluation helps create a sense of how thorough a set of policies might be.

1. Transparency (What is the Privacy Practice?)

Transparency Questions

  1. Are the policies available on the main landing webpage?
  2. Are the policies available in a machine-readable format?
  3. Do the policies prohibit machine crawling or indexing?
  4. Are the policies available on all product purchase or acquisition web pages?
  5. Are the policies available on the new account creation webpage for review prior to starting a new account creation process?
  6. Are the policies available from the website login-page?
  7. Are the policies available from within the online website, service, or application so logged-in users can also access them?
  8. Do the policies clearly indicate the version or revision date of the policies?
  9. Do the policies clearly indicate whether or not a user is notified if there are any material changes to the Privacy Policy or Terms of Service?
  10. Do the policies clearly indicate who is notified when policies are updated or materially change?
  11. Do the policies clearly indicate the method used to notify the user or organization when policies are updated or materially change?
  12. Do the policies clearly indicate how a user can contact the vendor about any updates or material changes to the policies?
  13. Do the policies clearly indicate whether or not updates or material changes to the policies will be accessible for review by a user prior to the new changes being adopted?
  14. Do the policies clearly indicate how a user can accept updates or material changes to the policies?

More information on Transparency

2. Focused Collection (What Information is Collected?)

Transparency Questions

  1. Do the policies clearly indicate what data is collected by the application or service?
  2. Do the policies clearly indicate whether or not the vendor collects Personally Identifiable Information (PII)?
    • FERPA defines the term personally identifiable information (PII) to include direct identifiers (such as a student's or other family member's name) and indirect identifiers (such as a student's date of birth, place of birth, or mother's maiden name). Indirect identifiers, metadata about a student's interaction with an app or service, and even aggregate information can be considered PII under FERPA if a reasonable person in the school community could identify individual students based on the indirect identifiers together with other reasonably available information, including other public information. See PTAC, Responsibilities of Third-Party Service Providers under FERPA, p. 2; See also PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, p. 2.
  3. Do the policies clearly indicate whether or not the vendor collects information or education records from K-12 students?
    • The Federal Educational Rights and Privacy Act of 1974 (FERPA) provides parents of students the right to access their children's Student Data or education records, and Students 18 years of age and older the right to access their own education records. In addition, FERPA provides the right to have the records amended, and the right to have some control over the disclosure of personally identifiable information (PII) in the education records. Furthermore, strict storage guidelines surround Student Data which require organizations to maintain accurate and up-to-date records. See 20 U.S.C. § 1232g; 34 C.F.R. Part 99.
    • What are Education Records? FERPA defines educational records as records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. These records include, but are not limited to, transcripts, class lists, student course schedules, health records, student financial information, and student disciplinary records. It is important to note that any of these records maintained by a third party acting on behalf of a school or district are also considered education records. 20 U.S.C. § 1232g (a)(4)(A); 34 CFR § 99.3; See PTAC, Responsibilities of Third-Party Service Providers under FERPA, p. 1; See also PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, p. 2.
  4. Do the policies clearly indicate whether or not the vendor collects information from children under 13 years of age?
    • The Children's Online Privacy Protection Act (COPPA) requires a privacy policy to list the kinds of personal information collected from children (for example, name, address, email address, hobbies, etc.), how the information is collected, and how the company uses the personal information. It also requires companies to indicate whether they disclose information collected from children to third-parties. If so, the company must also disclose the kinds of businesses in which the third-parties are engaged, the general purposes for which the information is used, and whether the third-parties have agreed to maintain the confidentiality and security of the information. See 15 U.S.C. § 6502; 16 C.F.R. Part 312.
    • If a company knows that a user of the online website or service is under the age of 13, the Children's Online Privacy Protection Act (COPPA) will impose more stringent requirements on the collection of information from those users. COPPA requires that operators seeking to collect, use, or disclose personal information from children under the age of 13, must first obtain verifiable parental consent. Even where a user is 13 or older, COPPA remains a source of best practices for companies that collect personal information from users, particularly when those users are still minors. See 15 U.S.C. §§ 6501-6506; 16 C.F.R. Part 312.
    • COPPA permits the collection of limited personal information from children under 13 for the purposes of: (1) Obtaining verified parental consent; (2) providing parents with a right to opt-out of an operator’s use of a child’s email address for multiple contacts of the child; and (3) to protect a child’s safety on a website or online service. See 15 U.S.C. 6502(b)(2); 16 CFR 312.5(c)(1)–(5).
  5. Do the policies clearly indicate whether or not the vendor limits the collection of information to only data that are specifically required to run the application?
    • Privacy principles are intended to work together to shift the burden for protecting privacy away from consumers and to encourage companies to make strong privacy protections the default. Reasonable collection limits and data disposal policies work in tandem with streamlined notices and improved consumer choice mechanisms. Together, they function to provide substantive protections by placing reasonable limits on the collection, use, and retention of consumer data to more closely align with consumer expectations, while also raising consumer awareness about the nature and extent of data collection, use, and third-party sharing, and the choices available to them. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), P. 24.
    • Companies should limit data collection to that which is consistent with the context of a particular transaction or the consumer's relationship with the business, or as required or specifically authorized by law. For any data collection that is inconsistent with these contexts, companies should make appropriate disclosures to consumers at a relevant time and in a prominent manner – outside of a privacy policy or other legal document. This clarification of the collection limitation principle is intended to help companies assess whether their data collection is consistent with what a consumer might expect, but if it is not, they should provide prominent notice and choice. See FTC, Protecting Consumer Privacy in an era of rapid change: recommendations for business and policy makers (2012), P. 27.
  6. Do the policies clearly indicate whether or not geolocation data are collected?
    • Location information collected in the mobile context is considered a persistent identifier that can be used to recognize a user over time and across different websites or online services. Geolocation data includes information sufficient to identify the latitude and longitude coordinates of a user that can correspond to a specific street name, name of a city or town. If location data is collected and shared with third-parties, companies should work to provide consumers with more prominent notice and choices about their geolocation data collection, transfer, use, and disposal practices. See FTC 2012 Report, at 33; See also U.S. v. Jones, 565 U.S. 132 S. Ct. 945, 955 (2012)(“GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations”).
  7. Do the policies clearly indicate whether or not any biometric data are collected?
    • Biometric data are physical or behavioral characteristics which can be used to identify unique individuals. Biometric technologies measure these unique characteristics electronically and match them against existing records to create a highly accurate identity management system. Fingerprints, retina scans, or voice and facial recognition are examples of physical identification technologies. Facial recognition uses the layout of facial features and their distance from one another for identification against a “gallery” of faces with similar characteristics. See Privacy Best Practice Recommendations For Commercial Biometric Use, NTIA Discussion Draft (July 22, 2015), p. 1.
    • The ability of facial recognition technology to identify consumers based solely on a photograph, create linkages between the offline and online world, and compile highly detailed dossiers of information makes it especially important for companies using this technology to implement privacy by design concepts and robust choice and transparency policies. Such practices should include reducing the amount of time consumer information is retained, adopting reasonable security measures, and disclosing to consumers that the facial data they supply may be used to link them to information from third-parties or publicly available sources. See FTC 2012, P. 46.
  8. Do the policies clearly indicate whether or not any behavioral data are collected?
  9. Do the policies clearly indicate whether or not the service or application collects a user's persistent identifier, unique device ID, IP address, or other device information?
    • The Children's Online Privacy Protection Act (COPPA) defines “personal information” to include identifiers, such as a customer number held in a cookie, an IP address, a processor or device serial number, or a unique device identifier that can be used to recognize a user over time and across different websites or online services, even where such an identifier is not paired with other items of personal information. Companies should disclose in their privacy policy, and in their direct notice to parents, their collection, use or disclosure practices of persistent identifiers unless: (1) the company collects no other “personal information,” and (2) persistent identifiers are collected on or through a company's site or service solely for the purpose of providing “support for the internal operations” of the site or service. See FTC, Complying with COPPA: Frequently Asked Questions, q. 6.
    • Persistent identifiers collected for the sole purpose of providing support for the internal operations of the website or online service do not require parental consent, so long as no other personal information is collected and the persistent identifiers are not used or disclosed to contact a specific individual, including through behavioral advertising; to amass a profile on a specific individual; or for any other purpose. See FTC, Complying with COPPA: Frequently Asked Questions, q. 5.
  10. Do the policies clearly indicate whether or not the vendor uses web beacons, cookies, or local shared objects to collect information?
  11. Do the policies clearly indicate whether or not the vendor collects information on free or reduced lunch status?
    • The National School Lunch Act (NSLA) requires school districts to provide free or reduced price lunches to all eligible children, including eligible children in schools that had not yet established school lunch programs. The NSLA aims to safeguard the health and well-being of children and defines penalties for the unauthorized sharing of personal information related to free and reduced lunch status for students. See 42 U.S.C. §§ 1751-63.
  12. Do the policies clearly indicate whether or not the vendor accesses or stores a user's contact list or friend list?

More information on Focused Collection

3. Data Sharing (How do Third-Parties Collect, Access, and Use Data?)

Transparency Questions

  1. Do the policies clearly indicate whether or not third-party services are used to support the internal operation of the application or website?
  2. Do the policies clearly indicate whether or not collected information (this includes data collected via automated tracking or usage analytics) is shared with third-parties?
  3. Do the policies clearly indicate whether or not the vendor uses third-party services (including usage analytics) to collect tracking information or personal information?
  4. Do the policies clearly indicate a list of third-parties that the vendor shares data with?
  5. Do the policies clearly indicate the role of all third-parties?
  6. Do the policies clearly indicate whether third-party privacy policies or Terms of Service (TOS) are available from a link on the vendor's website or legal terms?
  7. Do the policies clearly indicate what data are collected by or shared with third-parties?
  8. Do the policies clearly indicate the vendor's intention or reason for sharing a student's personal information with third-parties?
  9. Do the policies clearly indicate whether or not a student's personal information is sold to third-parties?
  10. Do the policies clearly indicate that all student personal information that is shared or sold to a third-party is only done so in an anonymous or de-identified format?
  11. Do the policies clearly indicate how student personal information is de-identified, or provide links to any information that describes their de-identification process?
  12. Do the policies clearly indicate whether or not data collected or maintained by the vendor will be augmented, extended, or combined with data from other sources?
  13. Do the third-party policies clearly indicate that third-party services are prohibited from re-identifying information shared or sold to them?
  14. Do the third-party policies clearly indicate that shared data will not be combined or used with other data sources?
  15. Do the policies clearly indicate whether or not social or federated login is required or optional?

More information on Data Sharing

4. Respect for Context (What are the Data Purpose, Classification, Notice, and Changes?)

Transparency Questions

  1. Do the policies clearly indicate the vendor's purpose or use of data collected by the application?
  2. Do the policies clearly indicate the context in which data are collected?
  3. Do the policies clearly indicate specific classes of information (PII, Children's PII, Sensitive information, etc.)?
  4. Do the policies clearly indicate whether or not specific classes of information can change?
  5. Do the policies clearly indicate whether or not the purpose or context in which data are collected can change?
  6. Do the policies clearly indicate whether or not notice is provided to a user if the vendor changes the context in which data are collected?

More information on Respect for Context

5. Individual Control (How are Data Owned, Licensed, Used, Disclosed, and Managed?)

Transparency Questions

  1. Do the policies clearly indicate who owns the Intellectual Property rights to the data collected by the application or service?
  2. Do the policies clearly indicate the vendor's rights or limitations to the data collected from a user's interactions?
  3. Do the policies clearly indicate whether the vendor responds to notifications of alleged copyright infringement of the data collected by the application or service?
  4. Do the policies clearly indicate whether a user can control the types of information collected?
  5. Do the policies clearly indicate whether a user must opt-in or opt-out to allow their data to be disclosed?
  6. Do the policies clearly indicate whether a user must opt-in or opt-out of communication preferences?
  7. Do the policies clearly indicate whether a user can prevent the use or disclosure of their data by the vendor if the data contains sensitive personal information?
  8. Do the policies clearly indicate whether a user can request the vendor to disclose all the personal information collected about them?

More information on Individual Control

6. Access and Accuracy (How are Data Accessed, Corrected, Retained, Deleted, and Exported?)

Transparency Questions

  1. Do the policies clearly indicate whether the vendor provides access for authorized individuals to a student's data?
  2. Do the policies clearly indicate whether there is a process available for the school, parents, or eligible students to access student information?
  3. Do the policies clearly indicate whether the vendor provides a process to withdraw access for individuals to a student's data?
  4. Do the policies clearly indicate whether there is a process for the school, parents, or eligible students to modify inaccurate student information?
  5. Do the policies clearly indicate whether a user or the school has the ability to modify a student's inaccurate data on their own?
  6. Do the policies clearly indicate whether a student, school, or parent must submit a request to the vendor to modify a student's inaccurate personal information?
  7. Do the policies clearly indicate how long a vendor has to modify inaccurate student data after given notice by a user or the school?
  8. Do the policies clearly indicate how a user's data or account are deleted?
  9. Do the policies clearly indicate whether a user or the school has the ability to delete a student's data on their own?
  10. Do the policies clearly indicate whether or not a user or the school has the ability to delete a student's data by accessing or initiating a process managed by the vendor?
  11. Do the policies clearly indicate how long the vendor has to delete student data after given notice by a user or the school?
  12. Do the policies clearly indicate whether student data is or can be deleted from third-parties?
  13. Do the policies clearly indicate whether or not a user can export their data, including any content they have created on the website or application?
  14. Do the policies clearly indicate what export formats are supported?
  15. Do the policies clearly indicate the vendor's data retention policy, including any data sunsets?
  16. Do the policies clearly indicate whether a user can extend the time-period for data retention?
  17. Do the policies clearly indicate whether or not a vendor will delete a student's personal information when the data is no longer necessary to complete the educational purpose?
  18. Do the policies clearly indicate whether or not a vendor will delete a teacher's or non-student's personal information when the data is no longer necessary to complete the educational purpose?

More information on Access and Accuracy

7. Data Transfer (How are Data Transferred During a Bankruptcy, Merger, or Acquisition?)

Transparency Questions

  1. Do the policies clearly indicate what happens to data if a vendor declares bankruptcy?
  2. Do the policies clearly indicate what happens to data if a vendor declares a merger?
  3. Do the policies clearly indicate what happens to data if a vendor declares an acquisition?
  4. Do the policies clearly indicate whether a user can request to delete their data prior to its transfer to a third-party in the event of a vendor bankruptcy, merger, or acquisition?
  5. Do the policies clearly indicate whether a user will be notified and allowed to opt-out of a data transfer in the event of a vendor bankruptcy, merger, or acquisition?
  6. Do the policies clearly indicate whether the third-party recipient of the data transfer is contractually required to provide the same level of privacy protection?

More information on Data Transfer

8. Security (How are Data Transmitted, Stored, and Protected?)

Transparency Questions

  1. Do the policies clearly indicate how all data in transit is handled?
  2. Do the policies clearly indicate how all data at rest is handled?
  3. Do the policies clearly indicate whether security measures are used to protect the confidentiality of a student's personal information?
  4. Do the policies clearly indicate the vendor's response in the event of a data breach?

More information on Security

9. Responsible Use (How are Social Interactions Managed and User Information Displayed?)

Transparency Questions

  1. Do the policies clearly indicate whether or not a student's personal information is displayed in any way?
  2. Do the policies clearly indicate whether or not a student's personal information is displayed outside the context of social interactions?
  3. Do the policies clearly indicate whether or not a student has control over how their personal information is displayed to others?
  4. Do the policies clearly indicate whether or not interactions between users in the website or application are moderated?
  5. Do the policies clearly indicate whether or not a user can flag unwanted messages?
  6. Do the policies clearly indicate whether or not a user can report abuse?
  7. Do the policies clearly indicate whether or not a user can interact with strangers, including adults?
  8. Do the policies clearly indicate what information must be shared or revealed by a user in order to participate in social interactions?
  9. Do the policies clearly indicate whether or not social interactions are logged?
  10. Do the policies clearly indicate whether or not social interactions may be audited by the school or district?
  11. Do the policies clearly indicate whether or not social interactions may be audited by parents of a student?

More information on Responsible Use

10. Advertising (How are Data used for Traditional, Contextual, or Behavioral Marketing?)

Transparency Questions

  1. Do the policies clearly indicate whether or not advertisements are displayed?
  2. Do the policies clearly indicate whether or not behavioral or contextual advertising based on a student's personal information is displayed to a user?
    • Online behavioral or targeted advertising is the practice of collecting information about consumers' online interests in order to deliver targeted advertising to them. This system of advertising revolves around ad networks that can track individual consumers—or at least their devices—across different websites. When organized according to unique identifiers, this data can provide a potentially wide-ranging view of individual use of the Internet. These individual behavioral profiles allow advertisers to target ads based on inferences about individual interests, as revealed by Internet use. Targeted ads are generally more valuable and efficient than purely contextual ads and provide revenue that supports an array of free online content and services. See Exec. Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), pp. 11-12.
  3. Do the policies clearly indicate whether or not advertisements that are age inappropriate for minors are displayed (e.g., alcohol, gambling, violent, or sexual content)?
  4. Do the policies clearly indicate whether or not advertisements are displayed to children under 13 years of age?
  5. Do the policies clearly indicate whether or not a student's personal information is used to target advertisements on other websites or services?
  6. Do the policies clearly indicate whether or not a user's data gathered within the application or by third-parties can be used for any non-educational or advertising purpose, including research?
  7. Do the policies clearly indicate whether or not third-party advertising services or trackers collect any information from a user of the website or application?
  8. Do the policies clearly indicate whether or not a user can opt-out of contextual or behavioral advertising?
  9. Do the policies clearly indicate whether the vendor responds to a “Do Not Track” signal or to other mechanisms?

More information on Advertising

11. Compliance (How do Statutes and Regulations apply from COPPA/FERPA/PPRA?)

Transparency Questions

  1. Do the policies clearly indicate whether or not personal information from children under 13 years of age is collected?
    • The Children's Online Privacy Protection Act (COPPA) requires an operator to post a link to a notice of its information practices on the homepage of its web site or online service and in each area of its web site where it collects “Personal Information” from children. An operator of a general audience web site with a separate children's area must also post a link to its privacy policy on the homepage of the children's area. See 15 U.S.C. §§ 6501-6506; 16 C.F.R. Part 312.
    • COPPA applies to operators of websites or online services that are directed to children. A child is defined as an individual under the age of 13. An online service which is not specifically targeted at children under the age of 13 may still be considered directed at children, if the service contains content that would appeal to children under the age of 13. The FTC looks at a variety of factors to see if a site or service is directed to children under 13, including the subject matter of the site or service, visual and audio content, the use of animated characters or other child-oriented activities and incentives, the age of models, the presence of child celebrities or celebrities who appeal to kids, ads on the site or service that are directed to children, and other reliable evidence about the age of the actual or intended audience. See FTC, 6-Step Compliance Plan for Your Business.
    • COPPA also applies anytime an operator of a website or online service has actual knowledge that it collects, maintains, uses, or discloses personal information from a child under 13. In these situations an operator is generally required to obtain verified parental consent.
    • COPPA requires companies to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. Companies should minimize what they collect in the first place and take reasonable steps to release personal information only to service providers and third-parties capable of maintaining its confidentiality, security, and integrity. Always obtain assurances that third-parties will live up to their contractual privacy responsibilities. Also, companies should hold on to personal information only as long as is reasonably necessary for the purpose for which it was collected. They should securely dispose of it once they no longer have a legitimate reason for retaining it. See FTC, 6-Step Compliance Plan for Your Business.
  2. Do the policies clearly indicate whether or not the service or application participates in an approved COPPA safe harbor program?
    • An operator may satisfy its obligations under COPPA by participating in a safe harbor program. The safe harbor programs are self-regulatory frameworks developed by industry groups and approved by the FTC. FTC-approved COPPA safe harbor programs offer parental notification and consent systems for operators who are members of their programs. In addition, the FTC recognizes that these and other common consent mechanisms could benefit operators (especially smaller ones) and parents if they offer a proper means for providing notice and obtaining verifiable parental consent, as well as ongoing controls for parents to manage their children's accounts. The FTC recommends operators use a common consent mechanism to assist in providing notice and obtaining consent, because they are ultimately responsible for ensuring that the notice accurately and completely reflects their information collection practices and that the consent mechanism is reasonably designed to reach the parent. See 78 Fed. Reg. 3972, 3989; See FTC, Complying with COPPA: Frequently Asked Questions, q. 13.
  3. Do the policies clearly indicate whether or not the vendor has signed any privacy pledges or received any other certifications?
  4. Do the policies clearly indicate the process by which data are entered into the application? For example, is data entered by district staff, school employees, parents, teachers, students, or some other person?
  5. Do the policies clearly indicate whether or not responsibility or liability for obtaining verified parental consent is transferred to the school or district?
  6. Do the policies clearly indicate whether or not verified parental consent should be obtained?
  7. Do the policies clearly indicate the methods available to provide verified parental consent, under COPPA?
    • Under most circumstances an operator is required to obtain verified parental consent before the collection, use, or disclosure, of personal information from children under the age of 13. The method used to obtain parental consent must be reasonably calculated (taking into account available technology) to ensure that the person providing consent is actually the child's parent.
  8. Do the policies clearly indicate the methods available to provide verified parental consent, under FERPA?
    • FERPA is a Federal law that protects personally identifiable information in students' education records from unauthorized disclosure. It affords parents the right to access their child's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”). 20 U.S.C. § 1232g; 34 CFR Part 99; See also PTAC, Responsibilities of Third-Party Service Providers under FERPA, pp. 1-3.
    • FERPA denies federal funding to educational agencies or institutions that have a practice or policy of permitting the release of student information without parental consent. There is an exception where such information is released to "school officials" who have been determined by the educational agency or institution to have a legitimate educational interest.
  9. Do the policies clearly indicate whether or not the vendor discloses student data to third parties without verifiable parental consent?
    • What is the “Directory Information” Exception? An exception to parental consent that permits the disclosure of PII from education records under FERPA. Information designated by the school or district as directory information may be disclosed without consent and used without restriction in conformity with the policy, unless the parent, guardian, or eligible student opts out. Examples of directory information about students include name, address, telephone number, email address, date and place of birth, grade level, sports participation, and honors or awards received. Before a school or district can disclose directory information, it must first provide public notice to parents and eligible students of the types of information designated as directory information, the intended uses for the information, and the right of parents or eligible students to “opt out” of having their information shared. See PTAC, Responsibilities of Third-Party Service Providers under FERPA, p. 3; See also PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, pp. 3-4.
  10. Do the policies clearly indicate whether or not the vendor is designated as a “school official,” under FERPA?
    • What is the "School Official" Exception? In some cases, providers need PII from a student's education records in order to deliver the agreed-upon services. FERPA's school official exception to consent is most likely to apply to the schools' and districts' relationships with service providers. When schools and districts outsource institutional services or functions, FERPA permits the disclosure of PII from education records to contractors, consultants, volunteers, or other third parties, provided that the outside party meets specified requirements. See 34 C.F.R. § 99.31(a)(1)(i); See also PTAC, Responsibilities of Third-Party Service Providers under FERPA, p. 2; See also PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, pp. 3-5.
    • Any PII from students' education records that the provider receives under FERPA's school official exception may only be used for the specific purpose for which it was disclosed (i.e., to perform the outsourced institutional service or function), and the school or district must have direct control over the use and maintenance of the PII by the provider receiving the PII. Further, under FERPA's school official exception, the provider may not share (or sell) FERPA-protected information, or re-use it for any other purposes, except as directed by the school or district and as permitted by FERPA. See PTAC, Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices, p. 5.
  11. Do the policies clearly indicate the jurisdiction that will govern the construction, interpretation, and enforcement of the policies?
    • The vendor's policies should describe the jurisdiction or state where disputes will be resolved. Typically, disputes are settled by Alternative Dispute Resolution (ADR) by an arbitrator through binding arbitration that can enter a judgement in any court having jurisdiction.
  12. Do the policies clearly indicate whether or not the vendor can use or disclose a user's data to comply with the law, legal process, respond to an emergency, or ensure legal or regulatory compliance?
    • Support for the internal operations of the website or online service means activities necessary for the site or service to maintain or analyze its functioning; perform network communications; authenticate users or personalize content; serve contextual advertising or cap the frequency of advertising; protect the security or integrity of the user, website, or online service; ensure legal or regulatory compliance; or fulfill a request of a child. See 16 C.F.R. 312.2; See also FTC, Complying with COPPA: Frequently Asked Questions, q. 5.
  13. Do the policies clearly indicate the forum or legal process used to settle disputes?
    • The vendor's policies should describe the legal process to determine how disputes will be resolved. Any dispute arising out of an alleged breach of the policies will likely be settled by Alternative Dispute Resolution (ADR) through binding arbitration before judicial arbitration or mediation services, such as the American Arbitration Association, or a similar arbitration service.

More information on Compliance

Licensing and Attribution

The Privacy Evaluation Questions are released under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License. If you use these questions in your non-commercial project, please credit Common Sense Media as the author, and link back to the announcement post.

This is an example of proper attribution for the Questions: The Privacy Evaluation Questions were authored by Common Sense Media, and are reusable under the terms of a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License.

Privacy Evaluation Question Navigation and Information