2019 State of Edtech Privacy Report

The 2019 State of EdTech Privacy Report represents the culmination of our research over the past three years in evaluating hundreds of education technology‐related applications and services. The report includes findings from evaluations of 150 privacy policies from the most popular edtech applications and services in 2019, as determined from interviews with various teachers, schools, and districts, as well as total App Store downloads during the past 12 months. The 2019 data is compared to our findings from 100 evaluations completed in 2018.

In addition, 2018 was a landmark year for privacy with a monumental shift in the focus and attention on the privacy practices of products used by consumers. Legislative initiatives such as the European‐based General Data Protection Regulation (GDPR) and the corresponding California Consumer Privacy Act (CCPA) created a new narrative that highlighted the privacy shortcomings of big tech and social media companies, which led consumers to look more closely at the privacy practices of the products they use. These factors prompted vendors to update their policies at an unprecedented rate. Over half of the 100 most popular applications in 2018 had to be completely reevaluated due to these changes.

The good news is that the overall full evaluation median scores increased since 2018. There were also increases in the median scores for the privacy and security concerns of data collection, data sharing, data security, data rights, parental consent, and school purposes. In addition, there were increases in the median scores of privacy and security concerns that prohibit selling data, displaying advertisements, and tracking users. The following charts summarize our key findings:

2019 State of EdTech Key Findings

While these increases in better practices are promising, there is still considerable work that needs to be done. There is a widespread lack of transparency and inconsistent and unclear practices for educational applications and other services targeted toward children and students. The majority of educational technology applications and services evaluated either do not ade‐ quately and clearly define safeguards taken to protect child or student information, or they lack a detailed privacy policy. While the number of products in our Use Responsibly Tier doubled from 10% to 20% since 2018 to meet our minimum safeguards, that still leaves 80% of applications and services not meeting this important threshold.

2019 State of EdTech Tier Key Findings

The overall lack of transparency, which was pervasive across nearly all indicators we examined, is especially troubling. In our analysis, transparency is a reliable indicator of quality; applications and services that are more transparent also tend to engage in qualitatively better privacy and security practices. When these practices are not disclosed, there can be no standard of trust from parents, teachers, schools, or districts about how collected information from children and students will be handled to meet their expectations of privacy. We fully recognize that a number of factors conspire to make the privacy landscape a particularly thorny one, marred by complex laws and statutes, technical issues and legacies, and keeping up with the changing needs of educators, students, and parents. Nevertheless, educational technology platforms serve an especially vulnerable population. Unfortunately, there is still far less attention paid to the privacy and security practices of technology platforms that affect tens of millions of children on a daily basis: educational software and other applications used in schools and by children outside the classroom. It is vital that educators, parents, and policymakers engage in an open dialogue with vendors to build solutions that strengthen our children’s privacy and security protections. This report updates and informs that critical conversation, and we intend to continue our research with annual updates and resources for the educational community on the state of edtech privacy.