How Ed-Tech Startups Are Navigating the Data-Privacy Maze

Managing Editor

State lawmakers and school district leaders have approved a raft of new policies over the past few years setting tougher expectations on ed-tech companies to protect student data privacy. It’s reasonable to assume that the biggest vendors working in K-12 schools have the legal and tech-based expertise to weigh those demands and gauge how to respond. But what about smaller, new ed-tech companies just beginning to find their way in the market?

New research by a group of graduate students at Carnegie Mellon University explores that question, probing how startup ed-tech companies craft their data-privacy policies and communicate them to the public. The research is based on in-depth interviews with six unnamed ed-tech startups who agreed to talk about their experiences. The researchers looked for common themes among what the companies told them.

A number of takeaways emerged from those interviews:

  • Aside from seeking to comply with federal and state policies, the ed-tech startups indicated they “do not prioritize” student data privacy protections, compared with trying to acquire customers and developing their products;
  • The companies drew initial ideas for their privacy policies from peers and competitors, and refined those policies later as they grew;
  • The startups generally did create formal strategies around “public-facing communications” about data privacy;
  • The startups perceived that investors did not seem to show a “meaningful interest” in student data privacy protections, which the researchers viewed as a missed opportunity, given the support those funders might lend to the cause; and
  • The startups did not believe that attempting to comply with privacy rules and guidance stymied opportunities for innovation.

The researchers from Carnegie Mellon were second-year candidates in the master’s of science program in public policy and management at Heinz College at Carnegie Mellon. The group began their work by looking at a database of 450 ed-tech startups, and whittled it down to 120. It then pared the list to 18 finalists based on factors such as student-data privacy risk, reputation, and staff size.

In the end, six startups agreed to participate in depth and took part in extensive interviews with project staff. Because of the focus on just six startups, the results are meant to be “exploratory, not conclusive,” the group says in its report.

Focus on ‘Under-Researched’ Sector

Joe Babler, one of the authors of the research, said the reasons the group focused on ed-tech startups rather than more established companies were both philosophical and practical.

“We thought this segment of the field was under-researched,” Babler explained in an e-mail. “Given how quickly the ed-tech space is growing and changing, we thought everyone would be better off if someone asked these newer companies how they dealt with these issues in a day-to-day sort of way.”

The researchers also reasoned that big companies would not be as interested in speaking candidly about their experiences navigating privacy regulations, said Babler.

(Investors’ perceived lack of interest in startups’ data-privacy protections, in one sense, is not surprising. Many venture capitalists are squarely focused on whether new education companies have the sort of high-quality products and business strategies that will notch sales in K-12 districts and ensure a startup’s survival—and other considerations can get shoved to the side. I recently reported in EdWeek Market Brief on how a lot of funders also aren’t that concerned with whether ed-tech products have research behind them. They want to see a business strategy first.)

The startups interviewed also did not see the imposition of privacy regulations as stifling their ability to make new products or pursue their vision, Babler said.

The researchers acknowledge a “missing counterfactual” on this point, he added. If a company was truly inhibited by privacy concerns, it might never have been founded, and thus wouldn’t have been interviewed for the report. But on the whole, the companies did not self-report that privacy concerns were “stopping them from pursuing their ongoing development goals.”

An executive summary of the report, “Building Effective Communications Around Student Data Privacy” is available here. A copy of the full report can be obtained by sending a request to

See also:

Leave a Reply