Riddle me this: Which is more binding, the Student Privacy Pledge or a pinky promise?
Sadly, as of today, the answer is the pinky promise.
The most recent “Trolls” movie – “Trolls World Tour” – prominently highlights the binding significance of the “pinky promise.” The same cannot be said of the Student Privacy Pledge — a pledge taken by 400-plus educational technology (Ed Tech) companies stating a commitment to “carry out responsible stewardship and appropriate use of student personal information.”
Consider the recent Consumer Reports story about the College Board tracking students and sharing that information with Adobe, Facebook, Google, Microsoft, Snapchat, Yahoo, and advertising network AdMedia — despite the pledge’s commitment to “[n]ot use or disclose student information collected through an educational/school service . . . for behavioral targeting of advertisements to students.” Yet when the Future of Privacy Forum, the group that administers the pledge, was asked about this violation, its response was that it was looking into the findings to ensure that the College Board is living up to its promises.
But how does one “ensure” anything, if there is no enforcement?
A 2018 Duke Law & Technology Review article entitled “Peeling Back the Student Privacy Pledge” posed the same question when analyzing whether signatory companies were complying with the pledge, or “just paying lip service to its goals,” given the toothless nature of a pledge devoid of oversight or enforcement.
Perhaps the poster child for the lack of accountability to which pledge signatories are held is Naviance by Hobsons — an Ed Tech provider used by middle, high school, and college students that collects dates of birth, ethnicity, and other sensitive data — which reported at least three data breaches in 2019 alone. The first was a data breach in Virginia involving sensitive information of 21 former students; the second was a breach in Pennsylvania involving 12,000 students; and the third involved close to 6,000 students attending Montgomery County, Md., public schools. With three breaches in a single year, one could argue that Naviance is not compliant with the pledge’s commitment to “[m]aintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks.”
Yet, almost a year later, Naviance is still displayed as a pledge signatory. No penalties. No suspension. Not even probation.
Relatedly, pledge signatories also agree to “[n]ot sell student personal information.” But given that Canvas partners with ad networks, ad serving providers and other third parties to send surveys, promotional communications about products and services, etc., it’s also questionable whether Canvas is living up to this commitment. Presumably, Canvas is receiving some remuneration for such sharing. And it’s likely that such benefit would be deemed a “sale” under the California Consumer Privacy Act, which defines a sale as “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating . . . a consumer’s personal information . . . to another business or a third party for monetary or other valuable consideration.”
Even Google is a pledge signatory. Google is being sued by the New Mexico attorney general for sharing students’ personal information with other parts of its business, in apparent contravention of the pledge. Yet Google proudly boasts of its “compliance with rigorous standards,” including the Student Privacy Pledge. A Google spokesman said the New Mexico attorney general’s claims were “factually wrong.”
To be clear, there are responsible Ed Tech companies that have signed the pledge and that genuinely care about student data privacy. But unless all signatories are held responsible for complying with the pledge, the pledge becomes nothing more than a…