Thumbnail

Privacy Evaluation for EDpuzzle

Last updated November 13, 2020

Overview

Edpuzzle is a way to make a video interactive and student-centered. EDPuzzle's terms say they ensure no student profile is made available or visible to the public, or to any other students, but teacher profiles may be viewed by other teachers in the same school. In addition, EDpuzzle's terms say they collect only the minimal amount of personal information from students necessary to create accounts on the service. EDPuzzle's terms say they test their own systems against vulnerabilities, review security practices, encrypt information in transit, and store information using encryption and salted hashes. Lastly, EDPuzzle's terms say they require a child user under 13 years of age to have parental consent in order to use the service, and if they discover that they have collected information from a child in a manner inconsistent with COPPA, they will take appropriate steps to either delete the information, or immediately seek the parent’s consent for that collection.

EDPuzzle can be accessed through its website, and is available for download at the iOS App Store, and the Google Play Store. The Privacy Policy and Terms of Use accessed for this evaluation can be found on EDPuzzle’s website, iOS App Store, and the Google Play Store. This evaluation only considers policies that have been made publicly available prior to an individual using the application or service.

Safety

The terms of EDPuzzle say they allow teachers to share information about student feedback with others teachers at the same school. The terms specify that student profile information is not publicly visible on the web. EDPuzzle supports an optional classroom view, which displays student names and total points that teachers could elect to use in the physical classroom. In addition, the terms say teacher class rosters may be seen by other teachers in the same school if associated with each other, but no teacher, parent, or student profile is made available or visible to the general public.

Privacy

The terms of EDpuzzle say they collect information from a user based on account type. The types and amounts of information collected from a user vary depending on whether the user is a teacher or student. EDpuzzle's terms say they collect only the minimal amount of information from students necessary to create accounts on the service and a student account does not allow a child under the age of 13 to upload any other content to their account, or enter any other personal information.

In addition, EDpuzzle's terms say they do not share any personal information about a child under 13 with third parties, except to trusted affiliates and service providers necessary to provide the service. EDpuzzle's terms say they share aggregated non-personally identifiable information publicly and with partners that does not contain any user’s personal information. Lastly, EDpuzzle's terms say they do not sell or rent a user’s personal information to third parties, including marketers or advertisers, and will never disclose a user’s personal information for any kind of first or third-party behaviorally targeted advertising.

Security

The terms of EDPuzzle say they allow students to create their own account, but can only associate that account to a class after they receive a unique code from their teacher. In addition, EDPuzzle's terms state they maintain administrative, technical, and physical safeguards designed to protect against unauthorized use. EDPuzzle's terms say they test their own systems against vulnerabilities, review security practices, encrypt information in transit, and store information using encryption and salted hashes. In the event of a data breach EDPuzzle's terms say they will provide notice on its homepage or elsewhere on the service, and will provide notice of the breach to a user at their email address, and depending on the jurisdiction, in writing.

Compliance

EDPuzzle's terms say they require a child user under 13 years of age to have verifiable parental consent in order to use the service, and if they discover that they have collected information from a child in a manner inconsistent with COPPA, they will take appropriate steps to either delete the information, or immediately seek the parent’s consent for that collection. In addition, the terms say a parent can delete a child’s account at any time by logging into the account or submit a request to the vendor to delete the information, and a teacher can access and control the account of an associated student in their class.

EDPuzzle's terms say they require a participating school to comply with the “school official” and "directory" exception to FERPA, by providing an annual notice to parents and eligible students about what information is directory information, and the option to provide opt-out consent. Lastly, EDPuzzle's terms say they will not share an education record with a third party without consent from the school or teacher, and require that a parent or guardian provide acceptable forms of personal identification when providing parental consent. A parent or legal guardian of a child who has created a EDpuzzle account should receive an email plus parental consent notification.

Data Collection
SCORE: 55%

What data does it collect?

  • Personally identifiable information (PII) is collected.
  • The categories of collected personally identifiable information are indicated.
  • Collection or use of data is limited to product requirements.
  • Geolocation data are collected.
  • Unclear whether this product collects biometric or health data.
  • Interactions, behaviors, or usage analytics data are collected.
  • Unclear whether this product collects sensitive data.
  • Data is automatically collected.
  • Opt-in consent is requested from users at the time personal information is collected.
  • Personal information of users is collected by a third party.
Data Sharing
SCORE: 85%

What data does it share?

  • Collected information is shared with third parties.
  • The categories of information shared with third parties are indicated.
  • The purpose for sharing a user's personal information with third parties is indicated.
  • The categories of third parties that receive data are indicated.
  • Data are shared for analytics.
  • Unclear whether data are shared for research and/or product improvement.
  • Third-party services are used to support the product.
  • The roles of third-party service providers are indicated.
  • Third-party login is supported.
  • Contractual limits are placed on third-party data use.
Data Security
SCORE: 75%

How does it secure data?

  • A user's identity is verified with additional personal information.
  • Account creation is required.
  • Managed accounts are available.
  • Unclear whether multi-factor account protection is available.
  • Unclear whether third-parties with access to information are required to provide the same security protections as the company.
  • Reasonable security practices are used to protect data.
  • Employee or physical access to user information is limited.
  • All data in transit are encrypted.
  • All data are stored in an encrypted format.
  • Notice is provided in the event of a data breach.
Data Rights
SCORE: 95%

What rights do I have to the data?

  • Users can create or upload content.
  • Users retain ownership of their data.
  • Processes to access or review user data are available.
  • Processes to modify data are available for authorized users.
  • A data-retention policy is available.
  • Processes for authorized users to delete data are available.
  • A user's data are deleted upon account cancellation or termination.
  • Data are deleted when no longer necessary.
  • Methods are available to restrict who has access to data.
  • Processes to download user data are available.
Data Sold
SCORE: 85%

Is the data sold?

  • Personal information is not sold or rented to third parties.
  • Users can opt out from the disclosure or sale of their data to a third party.
  • User information can be transferred to a third party in the event of a merge, acquisition, or bankruptcy.
  • Users are notified if their information is transferred to a third party.
  • User information can be deleted prior to its transfer to a third party.
  • Third-party transfer is contractually required to use the same privacy practices.
  • User information that is shared is shared in an anonymous or de-identified format.
  • The company describes their de-identification process of user information.
  • Unclear whether data are shared for research and/or product improvement.
  • Contractual limits prohibit third parties from reidentifying or de-identified information.
Data Safety
SCORE: 55%

How safe is this product?

  • Users can interact with trusted users.
  • Users cannot interact with untrusted users, including strangers and/or adults.
  • Profile information must be shared for social interactions.
  • Personal information can be not displayed publicly.
  • Users can control how their data are displayed to others.
  • User-created content is not reviewed, screened, or monitored by the company.
  • Unclear whether user-created content is filtered for personal information before being made publicly visible.
  • Social interactions between users are not moderated.
  • Unclear whether social interactions of users are logged.
  • Unclear whether users can report abuse or cyberbullying.
Ads & Tracking
SCORE: 65%

Are there advertisements or tracking?

  • Personal information is not shared for third-party marketing.
  • Traditional or contextual advertisements are not displayed.
  • Personalised advertising is not displayed.
  • Data are not collected by third-parties for their own purposes.
  • Users's information is not used to track and target advertisements on other third-party websites or services.
  • Data profiles are not created and used for personalised advertisements.
  • The company can send marketing messages.
  • Unclear whether this company provides promotional sweepstakes, contests, or surveys.
  • Unclear whether this product provides users the ability to opt-out of contextual, or personalised advertising.
  • Unclear whether users can opt out or unsubscribe from marketing communications.
Parental Consent
SCORE: 75%

Can I provide parental consent?

  • Intended for children under 13.
  • Personal information from children under 13 years of age is collected.
  • Unclear whether intended for parents or guardians.
  • Company does have actual knowledge that personal information from users under 13 years of age is collected.
  • The company does provide a section, heading, or separate policy for children in their policies.
  • Parental consent is required before personal information is collected or disclosed.
  • Unclear whether this product limits parental consent with respect to third parties.
  • Parents can withdraw consent for the further collection of their child's information.
  • Children's personal information is deleted if collected without parental consent.
  • Parental consent notice and method for submission are provided.
School Purpose
SCORE: 88%

Is the product intended for school?

  • Intended for students.
  • Personal information or education records are collected from preK-12 students.
  • Intended for teachers.
  • Product is primarily used by, designed for, and marketed toward students in grades preK–12.
  • Processes to enter education records into the product are described.
  • Additional rights or protections may be provided with an additional school contract.
  • Company is designated as a school official.
  • Parental consent obligations are transferred to the school or district.
Individual Control
SCORE: 75%

Can I control the use of my data?

  • Users can control the use of their information through privacy settings.
  • Use of information is limited to the purpose for which it was collected.
  • The context or purpose for which data are collected is indicated.
  • Company may combine data with additional data from third-party sources.
  • Combined information is treated as personally identifiable information (PII).
  • Notice is provided if the context in which data are collected changes.
  • Consent is obtained if the practices in which data are collected change.
  • A grievance or remedy mechanism is available for users to file a complaint.
  • Unclear whether users can request to know what personal information has been shared with third parties.
  • Unclear whether notice is provided in the event the company receives a government or legal request for a user's information.

Common Sense Standard Privacy Report (SPR)

The standard privacy report (SPR) displays all the privacy practices from a product's policies in a single, easy-to-read outline. The report shows a green check mark for better privacy practices and an orange alert for risky or unclear practices. This alert indicates that more time should be focused on these particular details prior to use.

About Privacy Evaluations

The privacy evaluations have been designed with the help and support of a consortium of schools and districts across the United States. These evaluations are designed to help educators make informed decisions about the potential privacy implications of educational technology used to support teaching and learning.

Our core evaluation criteria will always be freely available. People are encouraged to read the questions we use and our information security primer. Vendors are encouraged to use our questions and the information security primer to self-evaluate. You can also learn more about our evaluation process. Please be in touch with any questions or feedback.