Study: Edtech startups must prioritize student data privacy


Edtech startups need to shift attention to dynamic, comprehensive privacy practices and public-facing communications, a new study says.

Educational institutions are no strangers to the increasing concern surrounding data privacy. But while school districts are asking for more from edtech startups in terms of privacy protections, the investors that fuel these ventures are largely silent on the issue, according to the study by graduate student researchers at Carnegie Mellon University’s Heinz College. They drew their conclusions from multiple interviews with six edtech startups in the K-12 space.

“By employing a more proactive strategy to student data protection from day one, edtech startups can position their vigilance as a key differentiator for their product, capture a broader market share, and share in the responsibility for protecting sensitive student data,” the report concludes.

With their limited resources and need to drum up business, edtech startups tend to emphasize innovation while prioritizing customer acquisition and product development in their first five years. As a result, many use basic and often open-source privacy policy to comply with relevant federal and state privacy requirements, simply adapting these policies to fit changing requirements or demands from customers.

Startups aren’t hearing about it from their funders, either, the study says. The researchers found that edtech investors seldom stress student data privacy as a major interest, despite their potential for influence. Instead, school districts, which may not have the capacity to evaluate these technologies, are leading the charge for improved privacy protections and standards.

“This report shows the vital role that school districts play in incentivizing edtech companies to adopt better privacy protections, and it emphasizes that investors and incubators need to prioritize privacy when funding companies,” said Amelia Vance, policy counsel at the nonprofit Future of Privacy Forum, said in a statement. “Privacy needs to be built into edtech products from the beginning, and investors are ideally situated to insist that start-ups have a culture of privacy.”

The researchers recommend that startups consider creating dynamic, front-end privacy processes that could increase flexibility in later years. They also recommend shared responsibility for data security amongst team members and established practices of only collecting and storing student data if it is necessary.