Majority of School Apps Advertising to Kids Even In SOPIPA States, ISL Data Shows

A new in-depth analysis from Internet Safety Labs’ 2022 K–12 EdTech Safety Benchmark Findings reveals alarming data about advertising in apps widely used by schools and finds that state privacy laws and third-party certifications claiming to keep students’ data private are often not making kids any safer.

For its research, ISL conducted a test of all the apps — not including browser-based ed tech platforms — used by 663 K–12 schools across the United States; the sample included 13 schools in each state and Washington, D.C., according to the report from ISL. 

The research team identified and tested over 1,700 unique technologies that are required or recommended by the schools in the sample, ISL said. The research amassed 29,000 data points about schools and school technology behaviors; 88,000 data points on the apps used by the sample schools; and over 1,200 apps’ worth of network traffic flows.

ISL’s new report on the research covers school technology practices and whether the apps’ safety promises or third-party certifications actually follow recommended best practices for protecting students’ privacy. 

Its conclusions were less than encouraging for privacy advocates: “Most apps used by K–12 students are unsafe for children,” ISL said. 

  • 23% of apps used by K–12 students include ads.

  • 13% include retargeting ads.

  • 79% of apps access the student’s location.

  • Apps without certifications or promises were 8.9% more likely to have a DNU score than certified/promising apps. 

  • Apps without certifications or promises were 1.34 times as likely to have digital ads and 5 times as likely to have retargeting ads than certified/promising ads. 

School Apps, Advertising, and Privacy Compliance 

Custom “community engagement platform” apps, or branded school utility apps, were deemed the least safe — so unsafe, in fact, that ISL had to exclude these from the overall analysis because their low scores distorted the overall scoring rubric, ISL said. “School Utility Apps (part of Community Engagement Platforms) are extremely unsafe and should not be certified or signing promises until they’re made safer,” the report said.

Advertising is still common, even in states with laws modeled after California’s SOPIPA privacy law, considered “the gold standard for student data privacy protection and the model for regulation passed in 24 states” by the end of 2022, ISL said. A key provision in these regulations is a ban on targeted advertising which includes retargeting advertising. 

ISL found that states without SOPIPA-like laws were nearly twice as likely to have schools using apps with retargeting ads. 

“Thus, it seems SOPIPA-like laws are reducing the likelihood of retargeting ads in ed tech apps in those states,” ISL said. 

About 54% of apps tested in states with SOPIPA-like laws delivered ads to students, compared to 69.2% of apps tested in states without SOPIPA laws. More alarming, ISL said, was the finding that 25% of apps tested in states with SOPIPA-like laws used retargeting ads, according to ISL, compared to 46.2% of apps tested in states without such laws. 

Bar graphs compare the percentage of K-12 school app with ads and with retargeting ads in states with SOPIPA-like privacy laws versus states without such laws

“This is a disturbingly high percentage when coupled with the fact that our sample was relatively small, and the method of finding retargeting ads was somewhat opportunistic,” the report said. “ISL believes it is likely that the actual percentage of SOPIPA-law states with schools using ed tech with retargeting ads is significantly higher.” 

Effectiveness of Safety Certifications and Promises

The set of apps with third-party certifications or promises were found to be overall safer than apps with no certifications or promises, ISL said.

COPPA Safe Harbor certifications were “very effective in eliminating retargeting ads in apps,” but Safe Harbor-certified apps also included a substantially higher percentage of Do Not Use scores at 73.8% than the overall sample at 54.6% — and were overall more dangerous than the group of apps with no certification or promise at all, ISL said. 

ISL also noted that 21.6% of COPPA Safe Harbor-certified apps delivered ads to students — more than the apps without any certification or promise (18.6%). None of those ads in Safe Harbor-certified apps were retargeting ads, ISL said.

Of all third-party certifications and promises, 1EdTech, a proprietary privacy certification, resulted in the best safety metrics, ISL said. Of the apps certified by 1EdTech, none had digital ads and none had retargeting ads. 

Overall, ISL found that “apps with self-asserted COPPA compliance performed better than the overall sample and apps with no certifications or promises,” the report said. “Going into the benchmark, we expected vendor-asserted COPPA compliance to be ineffectual, but self-asserted COPPA compliance appears to be somewhat meaningful, resulting in somewhat safer apps than uncertified and the overall sample set.” 

Chart from Internet Safety Labs compares school app safety scores among various third-party certifications and promises, with vendors bearing the 1EdTech certification receiving the highest overall safety scores

School Technology Practices

Most schools do not provide technology notice, consent, or vetting as a routine practice, according to the report; ISL found that just 45% of schools provide a technology notice listing all technology used.

ISL found that schools are often overusing or misusing the ability to consent on behalf of students and parents, as spelled out in the federal Children’s Online Privacy Protection Act.

In some cases, the list of technology that schools consented to on behalf of students and parents contained hundreds of websites and apps, ISL said. “These lists included ‘off the shelf’ technologies that students provision and use independently of the school (or don’t require a login at all),” ISL said.

Pie chart and bar graph shows the tech consent practices in U.S. K-12 schools revealing most schools do not get consent from parents for ed tech their kids use

ISL researchers said they “had difficulty in finding complete and accurate lists of all the technologies used by students for a school or district. It’s likely that parents are having a very difficult time knowing all the technologies their children are using for school,” the report said.

Of all the technologies required or recommended by schools, only 19.3% are licensed by the school/LEA, and 80.7% are off-the-shelf technologies, said ISL, which “recommends that LEAs not consent to off the shelf technologies — particularly technologies that are not designed for education or children.”

Among schools that do systemically vet the technology used by students, there was no difference in ISL Safety Scores when compared to schools that don’t although those schools did have slightly less ads in their apps — indicating that a vetting policy may be providing a “false sense of security” for student safety and data privacy, ISL said. Additionally, schools with systemic vetting in place generally required students to use about 25% more apps and platforms than schools with no vetting.

Learn more and download the full report at InternetSafetyLabs.org.

Featured