Full privacy evaluation | See all
Thumbnail
Updated June 14, 2019

Instagram

  • Privacy polices do indicate a version or effective date.
  • Data are not sold or rented to third parties.
  • Data are shared for advertising or marketing.
  • Behavioral or contextual advertising is displayed.
  • Data are collected by third-party advertising or tracking services.
  • Data are used to track and target advertisements on other third-party websites or services.
  • Third parties can use data to create ad profiles, data enhancement, and/or targeted advertisements.
The criteria for "Use with Caution" are narrowly focused around data uses related to creating profiles that aren't related to any educational purpose, and using data to target ads. We include both first party (ie, the vendor that builds the service) and third party (any company given access by the vendor) data use. It's worth highlighting that using data to profile students violates multiple state laws, and in some cases also violates federal law.

A service can be designated "Use with Caution" for either a lack of transparency around data use -- which creates the potential for profiling and behavioral targeting -- or for clearly stating that they use data to target advertisements and/or create profiles. As with any application being considered for use within schools, school and/or district staff should review the privacy policies and terms of service to ensure that they meet the legal and practical requirements of their state laws and school policies.

As with the "Not Recommended" criteria, a "Use with Caution" designation is NOT a sign that a vendor is necessarily doing anything unethical or illegal. It is a sign that, based on publicly available policies,  we do not have adequate guarantees that data will not be used by first or third parties to create non-educational profiles or to target behavioral ads.
Use with Caution
Full evaluation
42
Overall Scoreinfo-bubble

This overall score represents how the service addressed all our evaluation questions. A higher score (up to 100) means the service provides more transparent and comprehensive policies.

Overview

Instagram is a platform for users to post content, including photos, videos, comments and other information. Instagram provides social interactions between users who can post comments, likes or other messages on a user's content. These interactions include direct messages between individual users, and "disappearing" messages. Instagram's terms state they collect a broad range of personal information from people using the site, and about friends and contacts of people using Instagram. Instagram's terms state they use commercially reasonable safeguards to secure a user's information collected through the Service. Instagram's terms state they use commercially reasonable safeguards to help secure a user's information collected through the service. In addition, the terms state that if Instagram learns they have collected personal information from a child under the age of 13 without parental consent, they will delete that information as quickly as possible. However, it is unclear how Instagram would learn if a user is under 13 years of age without an age-gate or collection of other birth-date information, or how a parent or guardian could even provide consent.

Instagram can be accessed through its website, and is available for download at the iOS App Store, the Google Play Store, and Amazon Appstore. The Privacy Policy and Terms of Use accessed for this evaluation can be found on Instagram’s website, iOS App Store, the Google Play Store, and Amazon Appstore. Additionally, other policies used for this evaluation include: Community Guidelines. This evaluation only considers policies that have been made publicly available prior to an individual using the application or service.

Read the Common Sense standard privacy report (SPR)arrow
The standard privacy report (SPR) displays the most important privacy practices from a product’s polices in a single easy-to-read outline. The report displays an alert when a particular privacy practice is risky, unclear, or not evaluated. This alert indicates more time should be focused on these particular details prior to use.
SafetyPromoting responsible use
arrow
Evaluating safety takes into consideration best practices that protect a user's physical and emotional health. A higher score (up to 100) means the service provides more transparent and comprehensive responses related to safety.
56

Instagram's terms state it is a platform for users to post content, including photos, comments and other materials to the service and to share user content publicly. This means that other users may search, see, use, or share any user content that is posted and made publicly available through the service. In addition, Instagram's terms state they provide social interactions between users who can post comments, likes or other messages on a user's content. These interactions include direct messages between individual users, and "disappearing" messages.

PrivacyProtecting collected information
arrow
Evaluating privacy takes into consideration best practices that protect the disclosure of a user's personal information. A higher score (up to 100) means the service provides more transparent and comprehensive responses related to privacy.
42

Instagram's terms state they collect a broad range of personal information from people using the site, and about friends and contacts of people using Instagram. Users of Instagram can choose to allow Instagram access to their contacts, and their Facebook friends. Instagram also provides a feature that allows people to be "found" by other users on Instagram. Instagram's terms state that users can post content such as photos, comments, and other information to the service. Users can also add information to their user content, including a specific geo-location, or an open comment. Instagram's terms state they will not rent or sell a user’s information without consent, but may share non-personal information with third-party organizations, service providers, affiliates, and advertising partners that help Instagram provide the service.

Instagram's terms state that they may combine a user’s information with other information and share de-identified and aggregated information with third-parties. Instagram may display advertisements and promotions on the service. In addition, Instagram's terms describe that a person's distinct mobile device identifier and other device-specific information may be collected and stored. This distinct identifier could be used by Instagram or third party affiliates to track and target content and advertising to users.

SecurityProtecting against unauthorized access
arrow
Evaluating security takes into consideration best practices that protect the integrity and confidentiality of a user's data. A higher score (up to 100) means the service provides more transparent and comprehensive responses related to security.
49

Instagram's terms state they use commercially reasonable safeguards to help secure a user's information collected through the service. The terms also state that Instagram takes reasonable steps to verify a user's identity before granting them access to an account. However, the policies do not clearly indicate whether or not a user's data is encrypted while in transit or at rest. Instagram's terms also do not disclose how they would notify users in the event of a data breach.

ComplianceFollowing statutory laws and regulations
arrow
Evaluating compliance takes into consideration best practices of companies that collect personal information from children or students and the legal obligations for the privacy and security of that information. A higher score (up to 100) means the service provides more transparent and comprehensive responses related to compliance.
28

Instagram's terms state the application is not intended for, or directed to children under the age of 13, but does not state who the intended audience for its service should be. In addition, Instagram's terms state they do not knowingly collect or solicit any information from anyone under the age of 13. However, the service would likely appeal to children under 13 years of age, which would take into account several factors that include the subject matter, visual content, and activities provided. The terms also state that if Instagram learns they have collected personal information from a child under the age of 13 without parental consent, they will delete that information as quickly as possible. However, it is unclear how Instagram would learn if a user is under 13 years of age without an age-gate or collection of other birth-date information, or how a parent or guardian could even provide consent. Lastly, if Instagram is used within an educational context information stored in the app could be considered an education record under FERPA. Any educator using Instagram in an educational context should be aware of their obligations under FERPA, and of their school or district's policies around parental consent and educational records.

About Privacy Evaluations

The privacy evaluations have been designed with the help and support of a consortium of schools and districts across the United States. These evaluations are designed to streamline making an informed decision about the potential privacy implications of educational technology used to support teaching and learning.

Our core evaluation criteria are freely available and will remain freely available. People are encouraged to read the questions we use and the information security primer we released. Vendors are encouraged to use our questions and the information security primer to self-evaluate. You can also learn more about our evaluation process.

Please be in touch with any questions or feedback.