Thumbnail

Privacy Evaluation for EDpuzzle

Last updated November 13, 2020

Overview

Edpuzzle is a way to make a video interactive and student-centered. EDPuzzle's terms say they ensure no student profile is made available or visible to the public, or to any other students, but teacher profiles may be viewed by other teachers in the same school. In addition, EDpuzzle's terms say they collect only the minimal amount of personal information from students necessary to create accounts on the service. EDPuzzle's terms say they test their own systems against vulnerabilities, review security practices, encrypt information in transit, and store information using encryption and salted hashes. Lastly, EDPuzzle's terms say they require a child user under 13 years of age to have parental consent in order to use the service, and if they discover that they have collected information from a child in a manner inconsistent with COPPA, they will take appropriate steps to either delete the information, or immediately seek the parent’s consent for that collection.

EDPuzzle can be accessed through its website, and is available for download at the iOS App Store, and the Google Play Store. The Privacy Policy and Terms of Use accessed for this evaluation can be found on EDPuzzle’s website, iOS App Store, and the Google Play Store. This evaluation only considers policies that have been made publicly available prior to an individual using the application or service.

Safety

The terms of EDPuzzle say they allow teachers to share information about student feedback with others teachers at the same school. The terms specify that student profile information is not publicly visible on the web. EDPuzzle supports an optional classroom view, which displays student names and total points that teachers could elect to use in the physical classroom. In addition, the terms say teacher class rosters may be seen by other teachers in the same school if associated with each other, but no teacher, parent, or student profile is made available or visible to the general public.

Privacy

The terms of EDpuzzle say they collect information from a user based on account type. The types and amounts of information collected from a user vary depending on whether the user is a teacher or student. EDpuzzle's terms say they collect only the minimal amount of information from students necessary to create accounts on the service and a student account does not allow a child under the age of 13 to upload any other content to their account, or enter any other personal information.

In addition, EDpuzzle's terms say they do not share any personal information about a child under 13 with third parties, except to trusted affiliates and service providers necessary to provide the service. EDpuzzle's terms say they share aggregated non-personally identifiable information publicly and with partners that does not contain any user’s personal information. Lastly, EDpuzzle's terms say they do not sell or rent a user’s personal information to third parties, including marketers or advertisers, and will never disclose a user’s personal information for any kind of first or third-party behaviorally targeted advertising.

Security

The terms of EDPuzzle say they allow students to create their own account, but can only associate that account to a class after they receive a unique code from their teacher. In addition, EDPuzzle's terms state they maintain administrative, technical, and physical safeguards designed to protect against unauthorized use. EDPuzzle's terms say they test their own systems against vulnerabilities, review security practices, encrypt information in transit, and store information using encryption and salted hashes. In the event of a data breach EDPuzzle's terms say they will provide notice on its homepage or elsewhere on the service, and will provide notice of the breach to a user at their email address, and depending on the jurisdiction, in writing.

Compliance

EDPuzzle's terms say they require a child user under 13 years of age to have verifiable parental consent in order to use the service, and if they discover that they have collected information from a child in a manner inconsistent with COPPA, they will take appropriate steps to either delete the information, or immediately seek the parent’s consent for that collection. In addition, the terms say a parent can delete a child’s account at any time by logging into the account or submit a request to the vendor to delete the information, and a teacher can access and control the account of an associated student in their class.

EDPuzzle's terms say they require a participating school to comply with the “school official” and "directory" exception to FERPA, by providing an annual notice to parents and eligible students about what information is directory information, and the option to provide opt-out consent. Lastly, EDPuzzle's terms say they will not share an education record with a third party without consent from the school or teacher, and require that a parent or guardian provide acceptable forms of personal identification when providing parental consent. A parent or legal guardian of a child who has created a EDpuzzle account should receive an email plus parental consent notification.

Data Collection
SCORE: 55%

What data does it collect?

  • Personally identifiable information (PII) is collected.
  • The categories of collected personally identifiable information are indicated.
  • Collection or use of data is limited to product requirements.
  • Geolocation data are collected.
  • Unclear whether this product collects biometric or health data.
  • Behavioral data are collected.
  • Unclear whether this product collects sensitive data.
  • Non-personally identifiable information is collected.
  • Combined information is treated as personally identifiable information (PII).
  • Personal information from children under 13 years of age is collected online.
Data Sharing
SCORE: 85%

What data does it share?

  • Collected information is shared with third parties.
  • The categories of information shared with third parties are indicated.
  • The purpose for sharing a user's personal information with third parties is indicated.
  • Use of information is limited to the purpose for which it was collected.
  • Data are shared for analytics.
  • Unclear whether data are shared for research and/or product improvement.
  • Data are shared with third-party service providers.
  • The roles of third-party service providers are indicated.
  • Social or federated login is supported.
  • Contractual limits are placed on third-party data use.
Data Security
SCORE: 75%

How does it secure data?

  • A user's identity is verified with additional personal information.
  • Account creation is required.
  • Parental controls or managed accounts are available.
  • Unclear whether two-factor account protection is available.
  • Unclear whether third-party contractual security protections are required.
  • Industry best practices are used to protect data.
  • Employee or physical access to user information is limited.
  • All data in transit are encrypted.
  • All data at rest are encrypted.
  • Notice is provided in the event of a data breach.
Data Rights
SCORE: 95%

What rights do I have to the data?

  • Opt-in consent is requested from users at the time personal information is collected.
  • Users can control their information through privacy settings.
  • Users can create or upload content.
  • Users retain ownership of their data.
  • Processes to access and review user data are available.
  • Processes to modify inaccurate data are available.
  • A data-retention policy is available.
  • Processes for the school, parents, or students to delete data are available.
  • Processes to delete user data are available.
  • Processes to download user data are available.
Data Sold
SCORE: 85%

Is the data sold?

  • Data are not sold or rented to third parties.
  • Users can opt out from the disclosure or sale of their data to a third party.
  • User information can be transferred to a third party.
  • Users are notified if their information is transferred to a third party.
  • User information can be deleted prior to its transfer to a third party.
  • Third-party transfer is contractually required to use the same privacy practices.
  • User information is shared in an anonymous or deidentified format.
  • The vendor describes their deidentification process of user information.
  • Unclear whether data are shared for research and/or product improvement.
  • Contractual limits prohibit third parties from reidentifying deidentified information.
Data Safety
SCORE: 55%

How safe is this product?

  • Users can interact with trusted users and/or students.
  • Users cannot interact with untrusted users, including strangers and/or adults.
  • Profile information is shared for social interactions.
  • Personal information is not displayed publicly.
  • Users can control how their data are displayed.
  • User-created content is not reviewed, screened, or monitored by the vendor.
  • Unclear whether user-created content is filtered for personal information before being made publicly visible.
  • Social interactions between users are not moderated.
  • Unclear whether social interactions of users are logged.
  • Unclear whether users can report abuse or cyberbullying.
Ads & Tracking
SCORE: 65%

Are there advertisements or tracking?

  • Data are not shared for third-party advertising and/or marketing.
  • Traditional or contextual advertisements are not displayed.
  • Behavioral or targeted advertising is not displayed.
  • Data are not collected by third-party advertising or tracking services.
  • Data are not used to track and target advertisements on other third-party websites or services.
  • Data profiles are not created and used for data enhancement, and/or targeted advertisements.
  • The vendor can send marketing messages.
  • Unclear whether this vendor provides promotional sweepstakes, contests, or surveys.
  • Unclear whether this product provides users the ability to opt-out of traditional, contextual, or behavioral advertising.
  • Unclear whether this product provides users the ability to opt out or unsubscribe from marketing communications.
Parental Consent
SCORE: 70%

Can I provide parental consent?

  • Intended for children under 13.
  • Unclear whether intended for parents or guardians.
  • Vendor does have actual knowledge that personal information from users under 13 years of age is collected.
  • Children's privacy is applicable.
  • Unclear whether this product indicates COPPA parental consent exceptions.
  • Parental consent is required.
  • Unclear whether this product limits parental consent with respect to third parties.
  • Parents can withdraw consent for the further collection of their child's information.
  • Children's personal information is deleted if collected without parental consent.
  • Parental consent notice and method for submission are provided.
School Purpose
SCORE: 85%

Is the product intended for school?

  • Intended for students.
  • Personal information or education records are collected from preK-12 students.
  • Intended for teachers.
  • Product is primarily used by, designed for, and marketed toward students in grades preK–12.
  • Product does create education records.
  • Notification of a contract or additional rights is provided.
  • Vendor is designated as a school official.
  • Parental consent obligations are transferred to the school or district.
  • FERPA parental consent exceptions are indicated.
  • Directory information is disclosed.

Common Sense Standard Privacy Report (SPR)

The standard privacy report (SPR) displays all the privacy practices from a product's policies in a single, easy-to-read outline. The report shows a green check mark for better privacy practices and an orange alert for risky or unclear practices. This alert indicates that more time should be focused on these particular details prior to use.

About Privacy Evaluations

The privacy evaluations have been designed with the help and support of a consortium of schools and districts across the United States. These evaluations are designed to help educators make informed decisions about the potential privacy implications of educational technology used to support teaching and learning.

Our core evaluation criteria will always be freely available. People are encouraged to read the questions we use and our information security primer. Vendors are encouraged to use our questions and the information security primer to self-evaluate. You can also learn more about our evaluation process. Please be in touch with any questions or feedback.