Best practices (and common pitfalls) of edtech privacy policies


Today’s students are not just using technology in computer science classes, or sharing a tablet for the occasional math game. In many schools, educational technology tools and programs have become essential for completing classwork and homework. They are integral to logistical systems for school management, like online bulletin boards, private group calendars, practice schedules and research portals. These and other edtech resources provide many benefits for students, but as with all technology, they can raise accompanying concerns — particularly for the handling of students’ personal or educational data.

One key part of evaluating the privacy risks of an edtech product is analyzing the company’s privacy policy. But school administrators and teachers typically don’t have the time or expertise to parse the inscrutable legalese constituting most privacy policies. At the same time, many edtech companies don’t have the resources for in-house or outside legal counsel to write a clear, concise, comprehensive policy sufficiently attuned to the needs of the education sector. This is particularly challenging because educational technologies must comply with privacy laws that target children’s and educational data in addition to abiding by standard legal requirements that apply to all tech products. Edtech companies must consider their compliance with federal privacy laws like COPPA and FERPA; a variety of individual state student privacy laws; and standard legal obligations, such as providing users with reasonable notice of the company’s data collection practices.

In light of these complicating factors, edtech privacy policies end up being both hard to read and hard to write. Given the sensitivity of students’ personal information, responsible tech vendors are motivated to effectively communicate relevant information and build trust between schools, vendors and parents. Yet the practical challenges make clarity elusive.

Acknowledging these concerns, the Future of Privacy Forum and the Software & Information Industry Association founded the Student Privacy Pledge in 2014. The Pledge is a Federal Trade Commission-enforceable code of conduct for edtech vendors. Now with nearly 330 companies as signatories, the Pledge was designed to both raise awareness of best practices and facilitate their implementation.

Part of my role as a policy fellow at FPF is reviewing and evaluating the relevant policies of each new company that applies to join the Pledge. Over time, I’ve observed several challenges and issues crop up in multiple privacy policies. Below, I describe a few of the leading challenges and provide some guidance on how to avoid or mitigate them.

Dos and don’ts for edtech vendor privacy policies

Don’t obfuscate

Companies that make their privacy policies hard to read or hard to find aren’t doing themselves any favors, and may even be in violation of FTC guidance. If you’re trying to sell a product to a school administrator, school officials need to be able to quickly and easily evaluate your product. Making it difficult to find all the relevant policies can leave them irritated at best, and suspicious at worst — policies that make vague disclaimers in pale gray, size 10 text create the sense that the company has something to hide.

If there are separate policies with different terms for a company’s website, commercial accounts, and school-based accounts, that distinction should be made clear in the first, most prominent primary policy with clear hyperlinks to any additional policies. In particular, it should be clear which policies apply to student data, and what definitions or categories of personal information the company collects.

Do state your practices with specificity

A good privacy policy is not only clear, but granular. A broad statement like “we provide notice and choice” is only useful as a lead-in, not as a complete articulation of a company’s practices; what the notice includes and how the consent model is designed can span a broad spectrum of practices. Flesh out broad claims with specific references to how each policy is executed, such as particular security measures used, to make it easier for parents and administrators to understand what each claim actually means.

Don’t overstate the case

The most problematic privacy policies I come across are the ones that treat privacy like a liability to be avoided, rather than a reality of working with student data, or even an opportunity to build trust by establishing credible policies and mitigating risks. Some policies do this by framing data use practices through an intellectual property lens, succumbing to a nervous, lawyerly instinct by reserving license for every use of any possible scrap of data in perpetuity. Resist this impulse! Unlike a licensing agreement, a privacy policy taking this approach can create a negative impression — or even trigger legal concerns, as the U.S. Department of Education has started to scrutinize particularly capacious clauses in edtech contracts with schools.

Other policies attempt to shift the responsibility of compliance to the school or the individual user, such as those that include security provisions warning the reader that the internet is a scary place and the safety of their data can never be guaranteed. That may well be, but the existence of systemic security risks doesn’t absolve companies of their legal responsibilities to maintain reasonable security measures regarding personal data. Claiming otherwise is irresponsible, and in some cases, illegal. In all cases, attempting to shed the responsibility of keeping student data safe creates an aura of untrustworthiness.

Do take advantage of available guidance

As the edtech sector grows, a number of organizations are providing assistance to help companies effectively implement best practices and educating parents and administrators about how to identify privacy risks that can arise from technology use in the classroom.

The U.S. Department of Education maintains a terrific arsenal of resources through its Privacy Technical Assistance Center, from online webinars, to security best practices, legal guides and other resources sorted by target audience. FERPA Sherpa and the Data Quality Campaign have similar resources, including updates regarding legislative developments. Many of these tools are also targeted directly to the distinct concerns of parents, educators or companies.

Edtech companies that process student data in order to provide an educational service to a school can also sign the Student Privacy Pledge. While a company’s status as a signatory should never replace the full evaluation of an edtech product, it does provide parents and educators with a preliminary indication that the company has made baseline privacy commitments.

Do be optimistic about the benefits, realistic about the risks and committed to building trust

Games, apps, calendars, school database management systems and other applications of technology within the educational ecosystem can add many capabilities and opportunities, provide efficiency, and streamline school operations from the individual classroom level to the management of entire districts. But for schools and parents to fully harness those opportunities, they need to be able to make meaningful choices about student privacy when considering edtech products — and in order to make informed decisions, schools and parents need to be able to quickly and easily understand how a company will handle and protect student data. This process can almost always benefit from the establishment of a well-written privacy policy.

Edtech companies should set the right example as an industry by having policies that are as clear and communicative as possible. While a good privacy policy can’t guarantee the protection of student data, it goes a long way toward generating trust and can show that companies are serious about privacy principles like transparency and choice. Ultimately, edtech companies must never lose sight of the fact that the data they’re charged with protecting is attached to individual children who deserve the best care and protection for their information that the company can provide.

Lindsey Barrett is the Georgetown Policy Fellow at Future of Privacy Forum, where she works closely with the Student Data Privacy Project. Previously, she worked for Facebook’s Privacy & Public Policy group, the Office of Management and Budget, the Department of Justice, and EPIC. She will be speaking about these and other K-12 privacy issues during an EdScoop-moderated panel on Tuesday, March 6, at SXSW EDU in Austin, Texas. Click here for details.