Most Ed Tech Fails at Data and Privacy Policy Practices

• By Dian Schaffhauser
• 06/14/18

Common Sense found that just one in 10 of the education tech programs it has evaluated met minimum criteria for transparency and quality in their policies. The three-year assessment of the most-used applications and services for education found a "widespread lack of transparency" and inconsistency among their privacy and security practices. The "2018 State of EdTech Privacy Report" offers an analysis of how student information is collected, used and disclosed, including third-party marketing, advertising, tracking and profiling.

These findings come just months after EdTech Strategies released its own set of reports examining ed tech security and privacy practices among state departments of education and selected district websites, which came to similar dismal conclusions.

The Common Sense privacy review looked at the data usage and privacy policies behind 100 products using two broad criteria: transparency and quality. Researchers found that nearly all of the software lacked either clearly defined safeguards to protect student information or detailed privacy policies. Just 10 percent of the applications or services met the minimum criteria.

The organization emphasized that the findings weren't "a sign that a vendor is doing anything unethical"; however, it could mean that "based on how the application or service is used," it might be violating federal or state laws, putting the data for "tens of millions of children" at risk "on a daily basis."

The project used 25 indicators to test programs for safety, privacy, security and compliance. Among the findings:

• 38 percent of ed tech indicated that their companies "may use children's personal and nonpersonal information for third-party marketing";
• 40 percent might "display contextual ads based on website content," and 29 percent might display behavioral ads based on information collected through the service;
• Among web-based services, 37 percent could make collected information available to tracking technologies and third-party advertisers; 21 percent could use the collected data to track visitors after they left the site; and 30 percent could "ignore 'do not track' requests or other mechanisms to opt out."
• 10 percent may create or target profiles of users;
• 50 percent may allow children's information to be made visible publicly; and
• 74 percent may maintain the right to transfer personal information collected to another company if the first one was acquired or merged or filed for bankruptcy.

On the positive side, the researchers noted, most of the products in the review (92 percent) suggested that they use "reasonable security standards to protect their users' information." And two-thirds (65 percent) "affirm that they do not sell, rent, lease or trade users' personally identifiable information."

"The overall lack of transparency, which was pervasive across nearly all indicators we examined, is especially troubling," the report's authors stated. "In our analysis, transparency was a reliable indicator of quality; applications and services that were more transparent also tended to engage in qualitatively better privacy and security practices." Without transparency, they added, "there can be no future expectation or trust on behalf of parents, teachers, schools or districts about how collected information from children and students will be handled to meet their expectations of privacy."

Common Sense, a non-profit focused on children's media usage, said it would follow up with another report next year that would cover a larger group of ed tech applications and services. The organization makes privacy evaluation scores available for specific products on a privacy website. Programs are given one of three ratings: "use responsibly," "use with caution" and "not recommended."

The report is openly available on the Common Sense website.