Updated January 10, 2018

Canva - Graphic Design & Photo Editing

  • Privacy policies do indicate a version or effective date.
  • Data are not sold or rented to third parties.
  • Data are shared for advertising or marketing.
  • Behavioral or contextual advertising is displayed.
  • Data are collected by third-party advertising or tracking services.
  • Unclear whether this product uses data to track and target advertisements on other third-party websites or services.
  • Third parties can use data to create ad profiles, data enhancement, and/or targeted advertisements.

The criteria for "Use with Caution" are narrowly focused around data uses related to creating profiles that aren't related to any educational purpose, and using data to target ads. We include both first-party (i.e., the vendor that builds the service) and third-party (any company given access by the vendor) data use. It's worth highlighting that using data to profile students violates multiple state laws, and in some cases also violates federal law.

A service can be designated "Use with Caution" for either a lack of transparency around data use -- which creates the potential for profiling and behavioral targeting -- or for clearly stating that they use data to target advertisements and/or create profiles. As with any application being considered for use within schools, school and/or district staff should review the privacy policies and terms of service to ensure that they meet the legal and practical requirements of their state laws and school policies.

As with the "Not Recommended" criteria, a "Use with Caution" designation is NOT a sign that a vendor is necessarily doing anything unethical or illegal. It is a sign that, based on publicly available policies, we do not have adequate guarantees that data will not be used by first or third parties to create non-educational profiles or to target behavioral ads.

Use with Caution

Overall Score: 35

This overall score represents how the service addressed all our evaluation questions. A higher score (up to 100) means the service provides more transparent and comprehensive policies.

Overview

Canva operates an online design platform and media licensing service that allows users to share designs and artwork. Canva's terms state they allow for interactions between users in the form of comments and responses on publicly shared designs. However, Canva's terms do not clearly indicate the version or effective date of its policies, which violates CalOPPA. In addition, Canva's terms state that the company encrypts all user data while in transit and while at rest. Canva's terms state that they do not knowingly collect or solicit personal information from children under the age of 13. However, the service would appeal to children under the age of 13.

Canva - Photo Editor & Design can be accessed through its website and is available for download from the iOS App Store and the Google Play Store. The Privacy Policy and Terms of Use accessed for this evaluation can be found on Canva’s website, the iOS App Store, and the Google Play Store. This evaluation only considers policies that have been made publicly available prior to an individual using the application or service.

Read the Common Sense standard privacy report (SPR)

The standard privacy report (SPR) displays the most important privacy practices from a product’s policies in a single easy-to-read outline. The report displays an alert when a particular privacy practice is risky, unclear, or not evaluated. This alert indicates more time should be focused on these particular details prior to use.

Safety: Promoting responsible use

Evaluating safety takes into consideration best practices that protect a user's physical and emotional health. A higher score (up to 100) means the service provides more transparent and comprehensive responses related to safety.

Safety score: 8

The terms of Canva state they allow for interactions between users in the form of comments and responses on publicly shared designs. The terms state the Service also allows users to submit and publish content such as profile information, comments, questions, photographs, illustrations, fonts, designs, and other content or information.

The terms specify any information or user content that a user voluntarily posts to the Service can become visible over the web, and is subject to visibility settings. The default visibility setting for a user's designs is private. Subject to a user's profile and privacy settings, any user content made publicly visible is searchable by other users, or over the open web.

Privacy: Protecting collected information

Evaluating privacy takes into consideration best practices that protect the disclosure of a user's personal information. A higher score (up to 100) means the service provides more transparent and comprehensive responses related to privacy.

Privacy score: 41

The terms of Canva do not clearly indicate the version or effective date of its policies, which violates CalOPPA. Canva's terms state that the service collects personally identifiable information and non-personal information that includes name, email, birthdate, and geolocation information if used on a mobile device.

The terms specify that Canva may aggregate or otherwise strip data of all personally identifying characteristics and may share aggregated or anonymized data with third parties. The terms also specify that Canva may share information such as a user's location, browser and cookie data with business partners to deliver advertisements. The terms also state that Canva may allow third-party ad servers or ad networks to serve advertisements on the Service and these third-party ad networks use technology to send the ads and ad links that appear on the Service.

The terms also state that if a user logs in via another service like Facebook, Canva can access a person's user ID from that service, and other personal information from that service. The specific information shared with Canva via social login depends on the settings of the other service.

Security: Protecting against unauthorized access

Evaluating security takes into consideration best practices that protect the integrity and confidentiality of a user's data. A higher score (up to 100) means the service provides more transparent and comprehensive responses related to security.

Security score: 57

Canva's terms state the company encrypts all user data while in transit and while at rest. The terms also specify Canva uses commercially reasonable safeguards to preserve the integrity and security of all information collected through the Service.

The terms state that in the event a user's information is compromised as a result of a breach of security, Canva will take reasonable steps to investigate the situation. This investigation can include notifying people whose information may have been compromised. The terms state that Canva will follow all applicable breach notification laws, but the terms stop short of specifying a time frame within which people would be notified.

Compliance: Following statutory laws and regulations

Evaluating compliance takes into consideration best practices of companies that collect personal information from children or students and the legal obligations for the privacy and security of that information. A higher score (up to 100) means the service provides more transparent and comprehensive responses related to compliance.

Compliance score: 25

Canva's terms state that they do not knowingly collect or solicit personal information from children under the age of 13. However, the service would likely appeal to children under the age of 13. Canva's terms clearly state that a user must be 13 years old or older to use the service unless they are directly supervised by a parent, guardian or another authorized adult such as a teacher.

If this application is being used within a school context, teachers should be aware of whether or not work created and stored within Canva would be considered an educational record under FERPA. Before assigning work to students in Canva, teachers are strongly encouraged to review their school or district requirements for parental consent.

About Privacy Evaluations

The privacy evaluations have been designed with the help and support of a consortium of schools and districts across the United States. These evaluations are designed to streamline making an informed decision about the potential privacy implications of educational technology used to support teaching and learning.

Our core evaluation criteria are freely available and will remain freely available. People are encouraged to read the questions we use and the information security primer we released. Vendors are encouraged to use our questions and the information security primer to self-evaluate. You can also learn more about our evaluation process.

Please be in touch with any questions or feedback.