Definitions for Privacy Evaluation Questions
This guide provides the meaning of key terms used in the privacy evaluation questions in the context of edtech privacy and security.
- abuse: cruelty, violence, or insulting or offensive behavior directed at individuals or groups
- actual knowledge: a particular fact a vendor knows or has reason to know -- for example, when a user enters a birth date showing their age
- alternate dispute resolution (ADR): arbitration, mediation, or another method of resolving a dispute between parties other than filing a lawsuit
- analytics: computation or use of data or statistics
- anonymous: indicates that no personally identifying data is associated -- for example, name, address, or other data that could be used to reidentify or deanonymize
- application: software or a program written for a mobile device or computer that may or may not require login authentication
- assistive technology: tools designed to assist a user with one or more life functions -- for example, a tool that allows users with visual impairment to access larger fonts or one that allows users with hearing impairment to access read-aloud text
- audit: a third-party company review of the practices of a vendor
- authorized individual/user: a user who is permitted by a vendor to use a product, including a student, parent, guardian, or school official
- behavioral advertising: commercial messages displayed to a user by a vendor or third party based on data collected from that user's online activities
- behavioral data: information about a user's activities -- for example, how long the user has looked at a webpage or which webpages they have looked at
- biometric data: health and physical information from human bodies -- for example, fingerprints
- changelog: a record of changes made to a project, program, or policy
- class action lawsuit: a legal action brought by one or more individuals on behalf of a larger group of similarly situated individuals
- collection: as defined here, first-party collection of data or information from a user
- compliance: legal and/or regulatory rules and standards being followed
- consent: a user or responsible individual giving written or electronic agreement to an action -- for example, a user allowing collection of their information
- contextual advertising: commercial messages displayed to a user based on the surrounding content
- control: legal or physical power over an action
- cookie: message given to a web browser by a web server to facilitate the storage of information about a user
- persistent cookie: a cookie that stores information on a user's computer for longer periods, even after a user closes their web browser. This type of cookie remains on a user's hard drive until it reaches its expiration date or is deleted by the user
- session cookie: a cookie that is stored temporarily on a user's computer and lasts only as long as the web browser is open
- COPPA: the Children's Online Privacy Protection Act, a law created to protect the privacy of children under age 13
- COPPA Safe Harbor Program: a self-regulatory compliance program approved by a regulatory agency
- copyright license: permission given to use another's content
- cyberbullying: bullying that takes place over the internet on devices like phones, tablets, and computers. It can happen in social media, texts, or online games, where people can view, participate in, or share content. It typically includes sending, posting, or sharing negative or harmful content about someone else on purpose. It can include sharing private information about someone else to cause embarrassment or humiliation.
- data: raw unprocessed facts -- for example, that Tim is six feet tall
- data at rest: information stored or not in transit between software and/or devices
- data breach: unauthorized disclosure of information to a third party, voluntarily or involuntarily
- data controller: principal party for responsibilities such as collecting consent, managing consent-revoking, enabling right to access, securing, etc.
- data enhancement: adding information to existing data to improve, augment, or correct it
- data processor: person who processes or analyzes information on behalf of a data controller
- data-protection officer: person in a privacy and/or security leadership role at a company
- data-retention policy: a vendor's rules for how long user information is kept in its storage facility before it is deleted permanently
- data sunset: the phasing out, terminating, or deleting of information
- data transfer: any change of control of data, including a change of ownership of data
- de-identification: the processing of data to remove information that can directly or indirectly be used to identify an individual person
- direct control: legal and physical access -- to, for example, education information collected by a school or third party
- directory information: school lists of students, faculty, and/or parents that show names and/or addresses. This includes information contained in the education records of a student as defined under FERPA.
- disclosure practices: a vendor's activities relating to the public display or availability of user information
- Do Not Track: a policy used to indicate that, upon request of a user's web browser agent, a company should not monitor that user's behavior on websites or should stop monitoring them
- education record: information directly related to an individual K–12 student and maintained by their educational institution or by a third party acting as a school official on behalf of the educational institution
- educator: a teacher at an educational institution who uses curriculum to instruct students
- encryption: the process of encoding data or information to prevent unauthorized or unintended access
- federated identity: information provided to a vendor from another vendor's sign-in process that is used to authorize a user and provide for the exchange of information about that user among companies
- federated login: a process that allows user access to a product or application via another vendor's sign-in process
- FERPA: the Family Educational Rights and Privacy Act of 1974, a federal law that, among other things, protects the privacy of student education records
- filtered: processed (as of data or information) so that only a subset of the original data or information is included
- free/reduced lunch status: indicates a government program providing free or subsidized meals for lower-income students that also serves as a proxy for estimating the poverty level of students' families, which then is used to determine school district funding
- FTC: the Federal Trade Commission, a government agency responsible for regulating commerce and unfair and deceptive trade practices
- GDPR: the General Data Protection Regulation, effective as of May 2018, which is European laws protecting the privacy and security of personal information
- geolocation data: information related to the physical location of a user
- government request: indicates a federal, state, or local agency asking for information
- home page: the first page a user can view when linking to a company (includes App Store purchase page and landing pages for websites)
- HTTP: hypertext transfer protocol, the underlying instruction system used by the web to communicate information.
- HTTPS: a secure version of HTTP (hypertext transfer protocol secure)
- hyperlink: a connection to another website, usually accessed when clicking on a word that is underlined
- in-app purchase: the buying of something with real currency while logged into an application
- indexing: processing data in order to identify it, label it, or make it easier to search
- information: as defined here, data that has been processed, organized, or otherwise structured
- intellectual property: generally, creative work produced and owned by an individual or company, covered by copyright, trademark, or patent law
- interaction: social communication by text or posting, or information being passed from an individual to another individual or a group of individuals
- internal operations: operations used for the function of a company, not for disclosure or use outside the company
- IP address: internet protocol address, which identifies a computer or device's location on the internet
- jurisdiction: location where a legal action may be brought
- legacy contact: individual to whom an account may be assigned if that account becomes inactive
- legal request: a request for information from a court or attorney as part of a legal action or in preparation for a legal action
- logged: recorded electronically
- login page: a webpage where a user can input authentication information, often a username and password, to access a product
- machine crawling: programmed, automatic electronic searching for data or information
- markup length: character length of the HTML markup used to deliver a website or privacy policy
- material change: a change that affects a user's rights or responsibilities
- mobile device: standalone or hand-held electronic technology that can connect to a cellular telephone network and/or the internet
- moderate: to monitor and review information (as of by human or machine) for the purposes of controlling or filtering the content that is available to users
- monitored: indicates when content or communications channels are reviewed, watched, or listened to
- non-personally identifiable information: information that cannot be associated with an individual without the association of additional information or analysis
- notice: communication from a vendor to a user for the purpose of informing the user
- offline: not connected to the internet
- opt-in: when the user affirmatively indicates they agree to something before it is allowed to occur
- opt-out: when the user indicates they do not agree to something to continue to occur
- parent: parent or legal guardian of a minor child under the age of 18, or 13 with respect to COPPA regulation
- parental consent: a parent verifiably communicating to a vendor that they agree to a certain action performed by the vendor with respect to the parent's child
- password: a series of letters, numbers, phrases, or symbols allowing access to an account or other restricted materials
- persistent identifier: a unique electronic number used to identify a user or device on more than one application or website that allows tracking of an individual across multiple devices or sessions
- personal information: characteristics that are associated with a unique individual
- personally identifiable information (PII): characteristics associated with a unique individual that allow someone to identify that individual
- physical access controls: controls that grant or restrict individual access to facilities -- for example, doors, gates, or pass cards
- privacy certification: awarded when a vendor follows certain rules or affirms certain privacy practices in its privacy policy to receive approval from a government or privacy standards organization
- privacy pledge: pledge by which a vendor affirms it will agree to uphold certain privacy industry standards
- privacy policy: a document a vendor publicly posts explaining its data collection and use and disclosure practices associated with its protection of personal information
- privacy shield: indicates that a vendor follows a set of privacy principles from an agreement between the United States and the European Union to meet the EU's regulatory standards
- product: as defined here, an application or service offered by a vendor to the public for use
- profile: a set of information about a single individual that can be used for identification
- prohibited activities: actions that are not allowed in relation to a product or contract between vendor and user
- protective order: a court-issued document that requires that certain information remain secret
- reidentification: the taking of information that has been made anonymous and analyzing it or adding information so it can be associated with a particular individual
- safe interaction: communication with trusted users only
- screen reader: assistive technology used to aid in understanding the textual content of a page
- school: as defined here, an educational institution offering full or partial instruction from pre-K through 12th grade
- school district: a regional group of pre-K–12 schools under a central administration or authority
- school official: an individual with a legitimate educational interest in, and under direct control of, a school (in this context, regarding the use and maintenance of education records)
- security: as defined here, the practice of keeping personal data and information from discovery, disclosure, or use by unauthorized individuals
- sensitive information/sensitive personal information: information that contains categories that have been given strong legal protections; categories vary by region
- service: indicates an offering by a vendor to the public for use through a website that may or may not require login authentication
- sharing: affirmative allowing of access to information, including its selling, giving, and disclosing
- shouting index: amount of capital-letter text used to convey information relative to that of non-capitalized text
- signal-to-noise ratio: the amount of plaintext policy information (signal) relative to the markup length (noise). This can be used as an indication of how much extraneous detail is on a policy page
- social advertising: commercial activities designed to sell products or services using social media
- social login: the use of a username and/or password from a social media account to gain access to another product and to share information with that product
- student: a user enrolled in a level of school from pre-K to 12th grade
- successor vendor: a new vendor that purchases or acquires a named vendor
- teacher: a certified individual employed in pre-K–12 education
- terms of service: a legal document describing both a vendor's and a user's rights and responsibilities
- terms of use: a legal document describing a vendor's restrictions on a user's interactions with the product or service
- third party: an entity or person other than the vendor, specifically excluding a user's parent if the user is a minor and/or that user's teacher if the user is a student using a product for school
- third-party access: the allowing of third parties to access data on their own without it being affirmatively shared
- third-party affiliate: company associated with a vendor not involved in providing the primary service
- third-party subsidiary: legal business entity of a vendor not involved in providing the primary service
- tracking: the practice of observing and recording a user's activities on one or more products
- traditional advertising: advertising that is not generated by any particular user's data and is not targeted to an individual
- transit: the transference of data from one electronic device to another
- tracker: a cookie or other electronic mechanism used to observe and record user activities on one or more websites
- trusted user: an individual who has provided credentials to use a product on behalf of themselves or another user
- unauthorized user: an individual without credentials or permission to use a product on behalf of themselves or another user
- unique device ID: a number/letter/symbol code to point to a particular piece of electronics, often used to track that device and therefore a user
- URL: uniform resource locator, a location on the internet for a website
- user: an individual who engages or attempts to engage with a vendor's product
- user-created content: textual, visual, or audio information originating with an individual user rather than a vendor that may be uploaded or posted using the vendor's product
- username: a word that identifies an individual user and that may be used for login and identification
- vendor: a company that offers a product to the public, either for sale or free use
- verifiable parental consent: a method that is reasonably designed in light of available technology to ensure that the person giving consent is the child's parent
- waiver: an agreement to forgo a certain right
- web: connection of human-readable pages of information on the internet