Full privacy evaluation | See all
Thumbnail
Updated April 18, 2018

Canvas

  • Privacy polices do indicate a version or effective date.
  • Unclear whether data are sold or rented to third parties.
  • Data are shared for advertising or marketing.
  • Behavioral or contextual advertising is displayed.
  • Data are collected by third-party advertising or tracking services.
  • Unclear whether this product uses data to track and target advertisements on other third-party websites or services.
  • Unclear whether this product allows third parties to use data to create ad profiles, data enhancement, and/or targeted advertisements.
The criteria for "Use with Caution" are narrowly focused around data uses related to creating profiles that aren't related to any educational purpose, and using data to target ads. We include both first party (ie, the vendor that builds the service) and third party (any company given access by the vendor) data use. It's worth highlighting that using data to profile students violates multiple state laws, and in some cases also violates federal law.

A service can be designated "Use with Caution" for either a lack of transparency around data use -- which creates the potential for profiling and behavioral targeting -- or for clearly stating that they use data to target advertisements and/or create profiles. As with any application being considered for use within schools, school and/or district staff should review the privacy policies and terms of service to ensure that they meet the legal and practical requirements of their state laws and school policies.

As with the "Not Recommended" criteria, a "Use with Caution" designation is NOT a sign that a vendor is necessarily doing anything unethical or illegal. It is a sign that, based on publicly available policies,  we do not have adequate guarantees that data will not be used by first or third parties to create non-educational profiles or to target behavioral ads.
Use with Caution
Full evaluation
36
Overall Scoreinfo-bubble

This overall score represents how the service addressed all our evaluation questions. A higher score (up to 100) means the service provides more transparent and comprehensive policies.

Overview

Canvas by Instructure provides a cloud-based learning management system (LMS) that connects digital tools and resources for teachers. This evaluation covers the cloud based service offered by the vendor, not the open source codebase available on Github. The terms state Canvas collects a wide range of information about students from work submissions, assessment scores, content feedback, and learning tools. The terms state Canvas does not display advertising to a user, but automatically collects data analytics about a student's usage of the service and shares a student's personal information with third-party service providers in order to offer its services. The terms state Canvas requires verifiable parental consent, managed by the school or district, for any child under 13 in order to collect, use, or disclose personal information. In addition to its LMS, the terms state Canvas provides forums for users to post messages and respond to other user’s messages. Any forum posts or comments will show usernames, and any information posted by a user can be read, collected, and shared by others who access them.

Canvas can be accessed through its website. Canvas Teacher is available for download at the iOS App Store, and the Google Play Store. Canvas Student is available for download at the iOS App Store, and the Google Play Store. Canvas Parent is available for download at the iOS App Store, and the Google Play Store.

The Privacy Policy and Terms of Use accessed for this evaluation can be found on Canvas' website, and iOS App Store. However, there is no Privacy Policy available from the link provided in the Google Play Store. This evaluation only considers policies that have been made publicly available prior to an individual using the application or service.

Read the Common Sense standard privacy report (SPR)arrow
The standard privacy report (SPR) displays the most important privacy practices from a product’s polices in a single easy-to-read outline. The report displays an alert when a particular privacy practice is risky, unclear, or not evaluated. This alert indicates more time should be focused on these particular details prior to use.
SafetyPromoting responsible use
arrow
Evaluating safety takes into consideration best practices that protect a user's physical and emotional health. A higher score (up to 100) means the service provides more transparent and comprehensive responses related to safety.
6

The terms of Canvas state they provide a learning management system (LMS) for students and teachers that includes forums for users to post messages and respond to other user’s messages. The terms state any forum posts or comments will show usernames, and any information posted by a user can be read, collected, and shared by others who access them. In addition, the terms state the Service may, but is not obligated to, monitor or review a user’s interactions with other users and content.

PrivacyProtecting collected information
arrow
Evaluating privacy takes into consideration best practices that protect the disclosure of a user's personal information. A higher score (up to 100) means the service provides more transparent and comprehensive responses related to privacy.
31

The terms of Canvas state they collect personal information about a student and teacher to provide its cloud-based learning management system (LMS) to teachers and schools. The terms state the Service collects a wide range of information about students from work submissions, assessment scores, content feedback, and other learning tools. The Service does not display advertising to a user, but automatically collects data analytics about a student's usage of the service and shares a student's personal information with third-party service providers in order to offer its services to a user. In addition, the vendor uses de-identified data and anonymized data for its own internal purposes. The terms specify that Canvas may share de-identified and aggregated data with other third parties.

SecurityProtecting against unauthorized access
arrow
Evaluating security takes into consideration best practices that protect the integrity and confidentiality of a user's data. A higher score (up to 100) means the service provides more transparent and comprehensive responses related to security.
42

The terms specify that Canvas takes reasonable steps to help protect a user’s personal information from unauthorized access, use, or disclosure. The terms specify that users must notify the vendor immediately of any unauthorized use of their password or any other breach of security. However, the terms do not provide any detailed information about security, data protection practices, or breach notifications.

ComplianceFollowing statutory laws and regulations
arrow
Evaluating compliance takes into consideration best practices of companies that collect personal information from children or students and the legal obligations for the privacy and security of that information. A higher score (up to 100) means the service provides more transparent and comprehensive responses related to compliance.
54

The terms of Canvas state they provide a user account and a special child account, for a student under the age of 13. The terms state they require verifiable parental consent, managed by the school or district, for any child under 13 in order to collect, use, or disclose personal information. The terms specify a parent has the right to access, update, review, or delete a child’s personal information by contacting the child’s school, which will then request the changes from the vendor. In addition, the terms state Canvas requires schools, districts, or educational institutions to obtain consent for the online collection of a student's personal information.

About Privacy Evaluations

The privacy evaluations have been designed with the help and support of a consortium of schools and districts across the United States. These evaluations are designed to streamline making an informed decision about the potential privacy implications of educational technology used to support teaching and learning.

Our core evaluation criteria are freely available and will remain freely available. People are encouraged to read the questions we use and the information security primer we released. Vendors are encouraged to use our questions and the information security primer to self-evaluate. You can also learn more about our evaluation process.

Please be in touch with any questions or feedback.