Student Privacy Pledge delivers neither privacy nor enforcement

Riddle me this: Which is more binding, the Student Privacy Pledge or a pinky promise?

Sadly, as of today, the answer is the pinky promise.

With the most recent “Trolls” movie – “Trolls World Tour” – prominently highlighting the binding significance of the “pinky promise,” the same cannot be said of the Student Privacy Pledge — a pledge taken by 400-plus educational technology (Ed Tech) companies stating a commitment to “carry out responsible stewardship and appropriate use of student personal information.” 

Consider the recent Consumer Reports story about the College Board tracking students and sharing that information with Adobe, Facebook, Google, Microsoft, Snapchat, Yahoo, and advertising network AdMedia — despite the pledge’s commitment to “[n]ot use or disclose student information collected through an educational/school service . . . for behavioral targeting of advertisements to students.” Yet when the Future of Privacy Forum, the group that administers the pledge, was asked about this violation, its response was that it was looking into the findings to ensure that the College Board is living up to its promises.

But how does one “ensure” anything, if there is no enforcement?

A 2018 Duke Law & Technology Review article entitled “Peeling Back the Student Privacy Pledge,” posited the same question when analyzing whether signatory companies were complying with the pledge, or “just paying lip service to its goals,” given the toothless nature of a pledge devoid of oversight or enforcement.

Perhaps the poster-child for the lack of accountability to which pledge signatories are held is Naviance by Hobsons — an Ed-Tech provider used by middle, high school, and college students that collects dates of birth, ethnicity, and other sensitive data — having reported at least three data breaches in 2019 alone. The first was a data breach in Virginia, involving sensitive information of 21 former students; the second was a breach in Pennsylvania involving 12,000 students, and the third involved close to 6,000 students attending Montgomery County, Md., public schools. With three breaches in a single year, one could argue that Naviance is not compliant with the pledge’s commitment to “[m]aintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks.”

Yet, almost a year later, Naviance is still displayed as a pledge signatory. No penalties. No suspension. Not even probation.

Another pledge signatory is Canvas by Instructure, which received a “warning” grade of 63 for its privacy practices from Common, “the nation’s leading nonprofit organization dedicated to improving the lives of all kids and families by providing the trustworthy information, education, and independent voice they need.”  When one looks at Canvas by Instructure’s privacy policy, it’s not hard to see why. Canvas shares student data with third parties, including advertising providers, “to deliver adverts more relevant to you and your interests” (i.e., targeted advertising). This, despite agreeing in the pledge to “[n]ot use or disclose student information . . . for behavioral targeting of advertisements to students.” And while Canvas does allow a user to opt-out of receiving “targeting cookies,” that doesn’t change the fact that it already committed under the pledge to not disclose such information in the first place. 

Relatedly, pledge signatories also agree to “[n]ot sell student personal information.” But given that Canvas partners with ad networks, ad serving providers and other third parties to send surveys, promotional communications about products and services, etc., it’s also questionable whether Canvas is living up to this commitment. Presumably, Canvas is receiving some renumeration for such sharing. And it’s likely that such benefit would be deemed a “sale” under the California Consumer Privacy Act, which defines a sale as “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . a consumer’s personal information . . . to another business or a third party for monetary or other valuable consideration.”  

Even Google is a pledge signatory. Google is being sued by the New Mexico attorney general for sharing student’s personal information with other parts of its business, in apparent contravention of the pledge. Yet Google proudly boasts of its “compliance with rigorous standards,” to include the Student Privacy Pledge. A Google spokesman said the New Mexico attorney general’s claims were “factually wrong.”

To be clear, there are responsible Ed tech companies that have signed the pledge and that genuinely care about student data privacy. But unless all signatories are held responsible for complying with the pledge, the pledge becomes nothing more than a…

Read More: Student Privacy Pledge delivers neither privacy nor enforcement

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

Privacy & Cookies Policy

Get more stuff like this
in your inbox

Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.