At home and in schools and districts, parents and educators make decisions about privacy based on their specific needs—and these needs can vary between children and students. The privacy evaluation process is designed to support parents and educators making an informed decision, not replace it. Our evaluation process incorporates the specific needs and the decision-making process of parents, educators, schools, and districts into the following three ratings:
Every privacy rating includes an overall evaluation score. A higher score (up to 100%) means the product provides more transparent and comprehensive privacy policies with better practices to protect user data. The score is best used is as an indicator of how much additional work a person will need to do to make an informed decision about a product. This use is directly related to the core work driving the evaluations: to help people make informed decisions about a service with less effort. The higher the number, the less effort required to make an informed and appropriate decision.
The following list displays all the possible evaluation ratings a product could receive:
Meets our minimum requirements for privacy and security practices.
Applications and services that recieved a Pass rating have met a minimum criteria for transparency and qualitatively better practices in their policies. Before using an application or service in this rating, parents, teachers, schools, and districts are strongly advised to read the full privacy evaluation as a starting point for the process of vetting the application or service. In addition, a more detailed review should happen before any child or student data is shared with a service. In 2019, approximately 20% of applications and services are rated Pass, which is a 10% increase in the percentage of products with overall better rating question practices since 2018.
Does not meet our recommendations for privacy and security practices.
Applications and services that recieved a Warning rating have risks narrowly focused around data use related to selling data, third-party marketing, creating profiles that are not associated with any educational purpose, and/or using data to target advertisements. We include data use from both the first party (i.e., the vendor that builds the service) and third parties (any company given access to data by the vendor). Using data to profile students for advertising purposes can potentially violate multiple state laws and in some cases federal law. An application or service can be given a Warning rating for either a lack of transparency around data use—which creates the potential for profiling and behavioral targeting—or for clearly stating the service uses data to target advertisements and/or create profiles. As with any application being considered for use within schools, school and/or district staff should review the privacy policies and terms of service to ensure that they meet the legal and practical requirements of their state laws and school policies. Unclear or qualitatively worse responses to the questions listed below trigger inclusion in the Warning rating:
In 2019, approximately 60% of applications and services are rated Warning, which is a 20% decrease from 2018 in the percentage of products rated Warning. However, this decrease was due to a respective 10% increase in the number of applications and services rated Pass and Fail. On the bright side, a majority of applications and services (68%) disclosed that they do not rent, lease, trade, or sell data. However, a majority of applications and services are unclear or explicitly allow third-party marketing, behavioral advertising, and third-party tracking, track users across other websites, or allow the creation of data profiles. This use of educational data for noneducational purposes, even if legal, is contrary to user expectations about edtech.
Do the account-creation page, the login page, and all pages accessed while a user is logged in support encryption with HTTPS?
Do the account-creation page, the login page, and all pages accessed while a user is logged in require encryption with HTTPS?'
Does the product use trackers on its homepage, on its registration page, or while a user is logged in?