Student Data Privacy and Security: Red Flags in Terms-of-Service Agreements
Have you ever looked closely at your favorite app’s terms-of-service agreement? The pages of often-dense legalese can make it tempting to simply scroll to the bottom and click “OK,” but for educators and education leaders, some of that jargon should raise red flags with regard to students’ privacy and security. Here are a few commonly used provisions and why they should give users pause.
Terms-of-Service Agreement
"Data covered under this agreement include only user information knowingly provided while using this service."
What’s wrong: Increasingly, education applications collect all kinds of data without the user being aware of it: keystrokes, time on task, browser searches, even location information. If those data aren’t included in the definition, you have no way of knowing what data are collected and how they are used.
"Provider may use de-identified data for product development, research, or other purposes. De-identified data will have all names and ID numbers removed."
What’s wrong: Many companies use de-identified student data, but removing a student’s name or school ID is not enough to prevent the data from being reconnected to the student. The company should specify exactly how it will de-identify the data, covering both basic student identification and demographic information, school location, or other items that could be used to identify the student.
"Provider may use data to market or advertise to students or their parents." Or it might say, "Provider may mine data for advertising."
What’s wrong: Using either data or metadata—the information about data, such as categories or time stamps—to create profiles of students or their parents would violate the Family Educational Rights and Privacy Act, and it should be explicitly barred.
"Provider may modify the terms of this agreement at any time without notice to or consent from the [school/district]," or any term including "without providing notice to users."
What’s wrong: This can make any protections or restrictions on the data basically toothless. The school or district should keep control of the data and should get clear notice of any changes.
"Providing data or user content through this service grants provider an irrevocable right to license, distribute, transmit, or publicly display data or user content."
What’s wrong: The agreement should make it clear that the company can use the data only to provide the service; it should not keep student data after the district is no longer using the service or take away intellectual-property rights from teachers or schools creating content through the service.
"This service is not intended for children under age 13."
What’s wrong: It seems pretty straightforward, but experts say schools often overlook age restrictions when the content seems suitable for young students. (Did you know YouTube is not intended for children younger than 13?) It can be a clue that the app collects data or uses social media in ways that require parental consent.
Source: U.S. Department of Education’s Privacy Technical Assistance Center