Student Data

Common Sense Introduces Simpler Privacy Ratings

• By Dian Schaffhauser
• 02/27/18

Currently, Curriki is "not recommended," while Edmodo gets a "use with caution," and EduTone receives a "use responsibly." These are the simpler privacy ratings that Common Sense Media has begun using for the education technology apps it covers on its education websites. The goal, according to Bill Fitzgerald, the non-profit's Privacy Initiative director: "to make privacy and security more accessible."

The privacy evaluations have been underway since 2015. In that time, said Fitzgerald, Common Sense has "spoken with teachers, students, parents, developers, vendors, privacy advocates and industry representatives." Two common problems have surfaced in those conversations: how to make privacy evaluations easier and how to create levels of privacy that are "universally acceptable."

Under the new evaluation tiers, those apps receiving the "use responsibly" designation meet "minimum criteria for transparency and quality in their policies." For these, teachers and schools are "strongly advised to read the full privacy evaluation as a starting point for the process of vetting the service" and before any student data is shared with the service.

"Use with caution" apps, according to the rating system, either have problems with collecting data unassociated with education and/or using data to target advertising. As Fitzgerald explained, "Using data to profile students can potentially violate multiple state laws, and in some cases also violates federal law." This designation also is applied to apps and services that show "a lack of transparency around data use." He emphasized that landing in this tier isn't necessarily "a sign that a vendor is doing anything unethical or illegal." But based on the publicly posted policies, there's no guarantee that data won't be misused by either the vendor or third-parties to target advertising or build up individual profiles of users.

The "not recommended" designation is given to those apps that lack privacy policies altogether or that don't support or require HTTPS encryption for account creation or login activities. These are the "bare minimum" steps vendors can take to protect user privacy, Fitzgerald wrote. Those who ignore them could "potentially run afoul of state and federal privacy laws." And, again, he added, it's no sign that the vendor is doing something wrong; but there's also no sign that it's doing the right things to protect users.

The new ratings already show up on Common Sense Media's privacy evaluation site and its flagship education site.