A newly published analysis says that ed-tech companies have upped their game on some measures of data-privacy, security, and online-safety over the past year, but that the vast majority still do not meet a baseline set of policies meant to safeguard students.
The analysis, released recently by the nonprofit advocacy group Common Sense Media, is based on an evaluation of 150 different privacy and safety policies used for popular ed-tech company applications and services.
On the whole, the share of education applications that met minimum criteria established by the organization doubled from 10 percent to 20 percent from 2018, a jump the authors believe has been driven partly by tougher data-privacy policies in Europe and California.
That 20 percent figure is a median score across all the company products evaluated. That means 80 percent of products still do not meet the threshold.
Common Sense judged the companies on a series of metrics, many of them focused on whether data-privacy policies are transparent, whether they allow children’s personal and nonpersonal information to be used for third-party marketing, and other metrics. One hundred products were reviewed last year. In choosing the products, Common Sense talked with teachers, district administrators, students, and did its own searches for popular apps and other products.
The ed-tech companies producing those products are working across the ed-tech sector, in areas such as assessment, content delivery, games, and communication and collaboration tools.
The improvements in ed-tech vendors’ practices have almost certainly been driven by their efforts to comply with the sweeping, two-year-old European data-privacy regulation, GDPR, as well as with California’s Consumer Privacy Act, among other recent data-privacy overhauls, said Girard Kelly, the counsel and director of privacy review at Common Sense.
Many ed-tech companies are doing business in Europe, so getting in step with GDPR is essential, he said. But vendors have also felt compelled to act because they see where policy and public sentiment are headed, and they want to get in front of privacy concerns, he argued.
“What this means is that laws matter. Advocacy matters,” said Kelly. Ed-tech businesses increasingly believe it makes financial and legal sense to set strong “baseline on privacy protections for all of their users,” he said, rather than trying to go about it piecemeal.
Missing the Privacy Mark
But companies also continue to fall short on myriad protections, in Common Sense Media’s judgement. For instance, the portion of ed-tech companies that say they create advertising profiles of their users jumped from 10 percent to 23 percent in 2019.
Over the past year, more companies have stopped collecting information that is used for behavioral advertising, in what Kelly sees as a positive step. In doing so, they’ve probably been influenced by parents and educators becoming more privacy-conscious and hostile to “targeted marketing messages” aimed at students.
Yet many vendors are still creating profiles of students. Those profiles may not necessarily be based on “personally identifiable information” as defined by federal law, but rather on a student’s clicks, search terms, and other indications of how they’re consuming information, he said.
Other findings from the report:
- 33 percent of companies disclose to the public that they show behavioral ads based on children’s use of a service. That’s an improvement in transparency, from just 29 percent in 2018.
- 41 percent of web-based services say they disclose that they collect information that can be used by tracking technologies and third-party advertisers, an increase from 37 percent a year ago.
- 15 percent say they moderate social interactions between users, compared with 11 percent the year before.
- 32 percent of ed-tech companies reviewed say they can use children’s personal and nonpersonal information for third-party marketing. The number fell from 38 percent in 2018.
The report puts a big emphasis on judging ed-tech providers on the transparency of their policies, because the parents and students deserve to know what information is being collected from them.
“We want companies to say what they actually do, in terms of privacy practices,” Kelly said. When information about data-privacy and student security is opaque, he added, “There’s no future expectation on behalf of parents or students for how companies will engage in these practices.”