Edtech software providers fall short on privacy practices and guidelines, report says

Nearly 90 percent of the most popular edtech services fail to meet the minimum criteria for transparency and privacy, Common Sense finds.

Edtech software providers do not meet basic standards for transparency and consistent privacy and security practices, according to a recent report from Common Sense, a nonprofit that promotes safe media habits.

The report, which was based on a three-year analysis, found that just 10 percent of more than 100 of the most-used edtech applications and services met Common Sense’s standards for transparency and quality. The nonprofit said it based its process on “existing federal and state law, as well as privacy and security universal principles.”

A vast majority of the edtech services surveyed either do not explicitly define safety measures around student information, or lack a robust privacy policy, Common Sense said.

Jeff Graham, senior engineer for education and privacy at the nonprofit and one of the report’s authors, told EdScoop that the results were unexpected given the expansive legislation in place to protect student data from being used inappropriately or scooped up by a third party.


“It is surprising in the sense that, in some places, there are
federal and state laws that say this is not appropriate behavior,” Graham said. “We need closer
inspection on what vendors are actually doing, because it’s on the edge of
questionable. But it’s clear from what we found
that maybe those [laws] aren’t being enforced or understood very well among industry.”

The report grew out of a larger undertaking called the Privacy Evaluation Initiative, which categorizes specific edtech software companies as safe to use, use with caution, or not recommended. Popular programs and games like Angry Birds, Canvas,, Quizlet and Pinterest are designated as “use with caution.”

Common Sense reports that “the terms are unclear about whether or not personal information is sold or rented to third parties,” and “data are shared for advertising or marketing” for services in this category.

Massive companies like Google and Microsoft are taking steps to comply with specific state privacy laws for students, but the smaller vendors are also becoming increasingly popular in schools. Graham said the findings may have greater implications for students and teachers.

“For teachers and district technology coordinators and parents, there is a lot more effort required to figure out what those practices are
and figure out whether they’re appropriate,” he said. “There’s a little more work required
of everyone else since vendors aren’t being transparent.”


According to the report, 38 percent of edtech services may use kids’ personal information for third-party marketing while 40 percent indicate they may display ads based on students’ online searches. Students are also at a high risk for their information to be traced — 37 percent of software providers indicate that data can be used by tracking technologies and third-party advertisers, and 21 percent said the data could be used to track visitors even after they leave the site.

About 70 percent maintain the right to transfer any collected personal information to a third party if the company is acquired, merges or files for bankruptcy. Graham, who called this the “onward transfer of data,” said this is a major point of concern.

“If a company goes out of business or is acquired or merges with something else, all bets are off on student data at that point until we get more clarity from vendors about what they’re going to do,” he said. “That’s pretty alarming.”

While most of the results proved grim, there were areas in which vendors scored well. Encryption is implemented at a higher level — 92 percent of providers said they use reasonable security standards to protect their users’ information, and 65 percent maintained that they do not sell, rent, lease or trade users’ personally identifiable information.

Graham said he is optimistic about the future, but there is more work to be done now in order to shore up privacy practices.


“With current trends and pressures, I think we’ll see this
getting better over time,” he said. “But it is a complex space. The adtech-driven business model is an accepted norm in the commercial
space, but maybe in the education space that’s not an appropriate fit.”

Reach the reporter at and follow her on Twitter @clestch and @edscoop_news.

Latest Podcasts