Today’s students are not just using technology in computer science classes, or sharing a tablet for the occasional math game. In many schools, educational technology tools and programs have become essential for completing classwork and homework. They are integral to logistical systems for school management, like online bulletin boards, private group calendars, practice schedules and research portals. These and other edtech resources provide many benefits for students, but as with all technology, they can raise accompanying concerns — particularly for the handling of students’ personal or educational data.
In light of these complicating factors, edtech privacy policies end up being both hard to read and hard to write. Given the sensitivity of students’ personal information, responsible tech vendors are motivated to effectively communicate relevant information and build trust between schools, vendors and parents. Yet the practical challenges make clarity elusive.
Acknowledging these concerns, the Future of Privacy Forum and the Software & Information Industry Association founded the Student Privacy Pledge in 2014. The Pledge is a Federal Trade Commission-enforceable code of conduct for edtech vendors. Now with nearly 330 companies as signatories, the Pledge was designed to both raise awareness of best practices and facilitate their implementation.
Part of my role as a policy fellow at FPF is reviewing and evaluating the relevant policies of each new company that applies to join the Pledge. Over time, I’ve observed several challenges and issues crop up in multiple privacy policies. Below, I describe a few of the leading challenges and provide some guidance on how to avoid or mitigate them.
Dos and don’ts for edtech vendor privacy policies
Companies that make their privacy policies hard to read or hard to find aren’t doing themselves any favors, and may even be in violation of FTC guidance. If you’re trying to sell a product to a school administrator, school officials need to be able to quickly and easily evaluate your product. Making it difficult to find all the relevant policies can leave them irritated at best, and suspicious at worst — policies that make vague disclaimers in pale gray, size 10 text create the sense that the company has something to hide.
If there are separate policies with different terms for a company’s website, commercial accounts, and school-based accounts, that distinction should be made clear in the first, most prominent primary policy with clear hyperlinks to any additional policies. In particular, it should be clear which policies apply to student data, and what definitions or categories of personal information the company collects.
Do state your practices with specificity
Don’t overstate the case
Other policies attempt to shift the responsibility of compliance to the school or the individual user, such as those that include security provisions warning the reader that the internet is a scary place and the safety of their data can never be guaranteed. That may well be, but the existence of systemic security risks doesn’t absolve companies of their legal responsibilities to maintain reasonable security measures regarding personal data. Claiming otherwise is irresponsible, and in some cases, illegal. In all cases, attempting to shed the responsibility of keeping student data safe creates an aura of untrustworthiness.
Do take advantage of available guidance
As the edtech sector grows, a number of organizations are providing assistance to help companies effectively implement best practices and educating parents and administrators about how to identify privacy risks that can arise from technology use in the classroom.
The U.S. Department of Education maintains a terrific arsenal of resources through its Privacy Technical Assistance Center, from online webinars, to security best practices, legal guides and other resources sorted by target audience. FERPA Sherpa and the Data Quality Campaign have similar resources, including updates regarding legislative developments. Many of these tools are also targeted directly to the distinct concerns of parents, educators or companies.
Edtech companies that process student data in order to provide an educational service to a school can also sign the Student Privacy Pledge. While a company’s status as a signatory should never replace the full evaluation of an edtech product, it does provide parents and educators with a preliminary indication that the company has made baseline privacy commitments.
Do be optimistic about the benefits, realistic about the risks and committed to building trust
Lindsey Barrett is the Georgetown Policy Fellow at Future of Privacy Forum, where she works closely with the Student Data Privacy Project. Previously, she worked for Facebook’s Privacy & Public Policy group, the Office of Management and Budget, the Department of Justice, and EPIC. She will be speaking about these and other K-12 privacy issues during an EdScoop-moderated panel on Tuesday, March 6, at SXSW EDU in Austin, Texas. Click here for details.