Statute Questions

Each statute or regulation is associated with one or more privacy evaluation questions, so we can calculate a score for each statute or regulation using only the questions associated with it. This statute score is calculated in a similar way to our evaluation scores. Each statute or regulation's score serves as an indirect proxy for the likelihood that the application or service satisfies all of its compliance obligations. These privacy evaluation questions are used in our full evaluation process. Applications and services that receive a full evaluation are included in our 2019 State of EdTech Privacy Report. The following lists of state, federal, and international privacy-related statutes indicate which privacy evaluation questions are associated with each statute's score:

California Online Privacy Protection Act (CalOPPA)

  • 1.1.1: Effective Date (BASIC): Do the policies clearly indicate the version or effective date of the policies?

  • 1.2.1: Change Notice: Do the policies clearly indicate whether or not a user is notified if there are any material changes to the policies?

  • 1.2.2: Method Notice: Do the policies clearly indicate the method used to notify a user when policies are updated or materially change?

  • 1.3.1: Review Changes: Do the policies clearly indicate whether or not any updates or material changes to the policies will be accessible for review by a user prior to the new changes being effective?

  • 1.3.2: Effective Changes: Do the policies clearly indicate whether or not any updates or material changes to the policies are effective immediately and continued use of the product indicates consent?

  • 1.4.1: Services Include: Do the policies clearly indicate the products that are covered by the policies?

  • 1.5.1: Vendor Contact: Do the policies clearly indicate whether or not a user can contact the vendor about any privacy policy questions, complaints, and material changes to the policies?

  • 2.1.1: Collect PII (BASIC): Do the policies clearly indicate whether or not the vendor collects personally identifiable information (PII)?

  • 2.1.2: PII Categories: Do the policies clearly indicate what categories of personally identifiable information are collected by the product?

  • 2.1.3: Geolocation Data: Do the policies clearly indicate whether or not precise geolocation data are collected?

  • 2.1.7: Usage Data: Do the policies clearly indicate whether or not the product automatically collects any information?

  • 3.3.1: Exclude Sharing: Do the policies specify any categories of information that will not be shared with third parties?

  • 3.5.1: Data Acquired: Do the policies clearly indicate whether or not the vendor may acquire a user's information from a third party?

  • 3.7.1: Authorized Access: Do the policies clearly indicate whether or not a third party is authorized to access a user's information?

  • 3.8.1: Third-Party Collection: Do the policies clearly indicate whether or not a user's personal information is collected by a third party?

  • 3.11.1: Third-Party Categories: Do the policies clearly indicate the categories of related third parties, such as subsidiaries or affiliates with whom the vendor shares data?

  • 6.1.1: Access Data (BASIC): Do the policies clearly indicate whether or not the vendor provides authorized individuals a method to access a user's personal information?

  • 6.1.3: Review Data: Do the policies clearly indicate whether or not the vendor provides a process available for the school, parents, or eligible students to review student information?

  • 6.3.1: Data Modification (BASIC): Do the policies clearly indicate whether or not the vendor provides authorized individuals with the ability to modify a user's inaccurate data?

  • 6.3.2: Modification Process: Do the policies clearly indicate whether or not the vendor provides a process for the schools, parents, or eligible students to modify inaccurate student information?

  • 6.5.3: User Deletion: Do the policies clearly indicate whether or not a user can delete all of their personal and non-personal information from the vendor?

  • 10.4.1: Third-Party Tracking (BASIC): Do the policies clearly indicate whether or not third-party advertising services or tracking technologies collect any information from a user of the product?

  • 10.4.2: Track Users (BASIC): Do the policies clearly indicate whether or not a user's information is used to track users and display target advertisements on other third-party websites or services?

  • 10.7.1: Unsubscribe Ads: Do the policies clearly indicate whether or not a user can opt out of traditional, contextual, or behavioral advertising?

  • 10.8.1: DoNotTrack Response: Do the policies clearly indicate whether or not the vendor responds to a "Do Not Track" signal or other opt-out mechanisms from a user?

  • 10.8.2: DoNotTrack Description: Do the policies clearly indicate whether the vendor provides a link to a description and the effects of any program or protocol the vendor follows that offers consumers a choice not to be tracked?

The National School Lunch Act (NSLA)

  • 2.1.8: Lunch Status: Do the policies clearly indicate whether or not the vendor collects information on free or reduced lunch status?

California "Shine the Light" (ShineTheLight)

  • 5.5.1: Opt-Out Consent: Do the policies clearly indicate whether or not a user can opt out from the disclosure or sale of their data to a third party?

  • 5.5.2: Disclosure Request: Do the policies clearly indicate whether or not a user can request the vendor to provide all the personal information the vendor has shared with third parties?

Protection of Pupil Rights Act (PPRA)

  • 1.8.6: Teachers Intended: Do the policies clearly indicate whether or not the product is intended to be used by teachers?

  • 3.2.3: Third-Party Research: Do the policies clearly indicate whether or not collected information is shared with third parties for research or product improvement purposes?

  • 10.6.2: Third-Party Promotions: Do the policies clearly indicate whether or not the vendor may ask a user to participate in any sweepstakes, contests, surveys, or other similar promotions?

California Data Breach Notification Requirements (DataBreach)

  • 8.4.1: Reasonable Security (BASIC): Do the policies clearly indicate whether or not reasonable security standards are used to protect the confidentiality of a user's personal information?

  • 8.5.1: Transit Encryption (BASIC): Do the policies clearly indicate whether or not all data in transit is encrypted?

  • 8.6.1: Storage Encryption (BASIC): Do the policies clearly indicate whether or not all data at rest is encrypted?

  • 8.7.1: Breach Notice (BASIC): Do the policies clearly indicate whether or not the vendor provides notice in the event of a data breach to affected individuals?

California Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA)

  • 6.6.2: Legacy Contact: Do the policies clearly indicate whether or not a user may assign an authorized account manager or legacy contact to access and download their data?

California AB 1584 - Privacy of Pupil Records (AB 1584)

  • 1.8.6: Teachers Intended: Do the policies clearly indicate whether or not the product is intended to be used by teachers?

  • 4.1.1: Purpose Limitation: Do the policies clearly indicate whether or not the vendor limits the use of data collected by the product to the educational purpose for which it was collected?

  • 5.6.1: Data Ownership: Do the policies clearly indicate whether or not a student, educator, parent, or the school retains ownership to the Intellectual Property rights of the data collected or uploaded to the product?

  • 6.1.3: Review Data: Do the policies clearly indicate whether or not the vendor provides a process available for the school, parents, or eligible students to review student information?

  • 6.3.2: Modification Process: Do the policies clearly indicate whether or not the vendor provides a process for the schools, parents, or eligible students to modify inaccurate student information?

  • 6.5.1: Deletion Purpose: Do the policies clearly indicate whether or not the vendor will delete a user's personal information when the data are no longer necessary to fulfill its intended purpose?

  • 6.6.1: User Export: Do the policies clearly indicate whether or not a user can export or download their data, including any user created content on the product?

  • 8.3.1: Security Agreement: Do the policies clearly indicate whether or not a third party with access to a user's information is contractually required to provide the same level of security protections as the vendor?

  • 8.4.1: Reasonable Security (BASIC): Do the policies clearly indicate whether or not reasonable security standards are used to protect the confidentiality of a user's personal information?

  • 8.4.2: Employee Access: Do the policies clearly indicate whether or not the vendor implements physical access controls or limits employee access to user information?

  • 8.6.2: Data Control: Do the policies clearly indicate whether or not personal information is stored outside the control of the vendor?

  • 8.7.1: Breach Notice (BASIC): Do the policies clearly indicate whether or not the vendor provides notice in the event of a data breach to affected individuals?

  • 11.2.3: School Contract: Do the policies clearly indicate whether or not the vendor provides a contract to a Local Educational Agency (LEA) or otherwise provides notice to users of additional rights?

  • 11.2.4: School Official: Do the policies clearly indicate whether or not the vendor is under the direct control of the educational institution and designates themselves a 'School Official' under FERPA?

  • 11.3.1: Parental Consent (BASIC): Do the policies clearly indicate whether or not the vendor or third party obtains verifiable parental consent before they collect or disclose personal information?

California Privacy of Pupil Records (CalPPR)

  • 1.8.5: Students Intended (BASIC): Do the policies clearly indicate whether or not the product is intended to be used by students in preschool or K-12?

  • 3.2.3: Third-Party Research: Do the policies clearly indicate whether or not collected information is shared with third parties for research or product improvement purposes?

  • 3.14.1: Social Login (BASIC): Do the policies clearly indicate whether or not social or federated login is supported to use the product?

  • 3.14.2: Social Collection: Do the policies clearly indicate whether or not the vendor collects information from social or federated login providers?

  • 3.15.1: Data Deidentified: Do the policies clearly indicate whether or not a user's information that is shared or sold to a third-party is only done so in an anonymous or deidentified format?

  • 6.1.3: Review Data: Do the policies clearly indicate whether or not the vendor provides a process available for the school, parents, or eligible students to review student information?

  • 6.3.2: Modification Process: Do the policies clearly indicate whether or not the vendor provides a process for the schools, parents, or eligible students to modify inaccurate student information?

  • 6.5.4: Deletion Process (BASIC): Do the policies clearly indicate whether or not the vendor provides a process for the school, parent, or eligible student to delete a student's personal information?

California Privacy Rights for Minors in the Digital World (CalPRMDW)

  • 1.8.2: Teens Intended: Do the policies clearly indicate whether or not the product is intended to be used by teens 13 to 18 years of age?

  • 3.2.4: Third-Party Marketing (BASIC): Do the policies clearly indicate whether or not personal information is shared with third parties for advertising or marketing purposes?

  • 6.5.3: User Deletion: Do the policies clearly indicate whether or not a user can delete all of their personal and non-personal information from the vendor?

  • 9.4.1: Block Content: Do the policies clearly indicate whether or not an educator, parent, or a school has the ability to filter or block inappropriate content or social interactions?

  • 9.5.1: Safe Tools: Do the policies clearly indicate whether or not the vendor provides tools and processes that support safe and appropriate social interactions on the product?

  • 10.4.2: Track Users (BASIC): Do the policies clearly indicate whether or not a user's information is used to track users and display target advertisements on other third-party websites or services?

  • 10.4.3: Data Profile (BASIC): Do the policies clearly indicate whether or not the vendor allows third parties to use a student's data to create an automated profile, engage in data enhancement, conduct social advertising, or target advertising to students, parents, teachers, or the school?

  • 10.5.1: Filter Ads: Do the policies clearly indicate whether or not the vendor or third party filters inappropriate advertisements (e.g., alcohol, gambling, violence, or sexual content)?

  • 10.6.1: Marketing Messages: Do the policies clearly indicate whether or not the vendor may send marketing emails, text messages, or other related communications that may be of interest to a user?

California Electronic Commerce Act (CalECA)

  • 1.5.1: Vendor Contact: Do the policies clearly indicate whether or not a user can contact the vendor about any privacy policy questions, complaints, and material changes to the policies?

California Electronic Communications Privacy Act (CalECPA)

  • 5.5.3: Disclosure Notice: Do the policies clearly indicate whether or not the vendor will provide the affected user, school, parent, or student with notice in the event the vendor receives a government or legal request for their information?

  • 11.4.4: Law Enforcement: Do the policies clearly indicate whether or not the vendor can use or disclose a user's data under a requirement of applicable law to comply with a legal process, to respond to governmental requests, to enforce their own policies, for assistance in fraud detection and prevention, or to protect the rights, privacy, safety or property of the vendor, its users, or others?

Children's Internet Protection Act (CIPA)

  • 3.6.1: Outbound Links: Do the policies clearly indicate whether or not outbound links on the site to third-party external websites are age-appropriate?

  • 9.4.1: Block Content: Do the policies clearly indicate whether or not an educator, parent, or a school has the ability to filter or block inappropriate content or social interactions?

  • 9.5.1: Safe Tools: Do the policies clearly indicate whether or not the vendor provides tools and processes that support safe and appropriate social interactions on the product?

  • 10.5.1: Filter Ads: Do the policies clearly indicate whether or not the vendor or third party filters inappropriate advertisements (e.g., alcohol, gambling, violence, or sexual content)?

  • 5.3.1: Complaint Notice: Do the policies clearly indicate whether or not the vendor has a grievance or remedy mechanism for users to file a complaint after the vendor restricts or removes a user's content or account?

  • 5.6.4: Copyright Violation: Do the policies clearly indicate whether or not the vendor provides notice to a user when their content is removed or disabled because of alleged infringement or other Intellectual Property violations?

  • 5.6.1: Data Ownership: Do the policies clearly indicate whether or not a student, educator, parent, or the school retains ownership to the Intellectual Property rights of the data collected or uploaded to the product?

Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)

  • 10.7.2: Unsubscribe Marketing: Do the policies clearly indicate whether or not a user can opt out or unsubscribe from a vendor or third party marketing communication?

The Communications Decency Act of 1996 (CDA)

  • 5.3.1: Complaint Notice: Do the policies clearly indicate whether or not the vendor has a grievance or remedy mechanism for users to file a complaint after the vendor restricts or removes a user's content or account?

  • 9.4.1: Block Content: Do the policies clearly indicate whether or not an educator, parent, or a school has the ability to filter or block inappropriate content or social interactions?

  • 9.5.1: Safe Tools: Do the policies clearly indicate whether or not the vendor provides tools and processes that support safe and appropriate social interactions on the product?

Children's Online Privacy Protection Act (COPPA)

  • 1.5.1: Vendor Contact: Do the policies clearly indicate whether or not a user can contact the vendor about any privacy policy questions, complaints, and material changes to the policies?

  • 1.8.1: Children Intended (BASIC): Do the policies clearly indicate whether or not the product is intended to be used by children under the age of 13?

  • 1.8.2: Teens Intended: Do the policies clearly indicate whether or not the product is intended to be used by teens 13 to 18 years of age?

  • 1.8.3: Adults Intended: Do the policies clearly indicate whether or not the product is intended to be used by adults over the age of 18?

  • 1.8.4: Parents Intended: Do the policies clearly indicate whether or not the product is intended to be used by parents or guardians?

  • 2.1.1: Collect PII (BASIC): Do the policies clearly indicate whether or not the vendor collects personally identifiable information (PII)?

  • 2.1.2: PII Categories: Do the policies clearly indicate what categories of personally identifiable information are collected by the product?

  • 2.1.3: Geolocation Data: Do the policies clearly indicate whether or not precise geolocation data are collected?

  • 2.1.4: Health Data: Do the policies clearly indicate whether or not any health or biometric data are collected?

  • 2.1.5: Behavioral Data: Do the policies clearly indicate whether or not any behavioral data are collected?

  • 2.1.7: Usage Data: Do the policies clearly indicate whether or not the product automatically collects any information?

  • 2.2.2: Child Data: Do the policies clearly indicate whether or not the vendor collects personal information online from children under 13 years of age?

  • 2.4.1: Collection Limitation (BASIC): Do the policies clearly indicate whether or not the vendor limits the collection or use of information to only data that are specifically required for the product?

  • 3.1.1: Data Shared (BASIC): Do the policies clearly indicate if collected information (this includes data collected via automated tracking or usage analytics) is shared with third parties?

  • 3.1.2: Data Categories (BASIC): Do the policies clearly indicate what categories of information are shared with third parties?

  • 3.2.1: Sharing Purpose: Do the policies clearly indicate the vendor's intention or purpose for sharing a user's personal information with third parties?

  • 3.2.2: Third-Party Analytics: Do the policies clearly indicate whether or not collected information is shared with third parties for analytics and tracking purposes?

  • 3.2.3: Third-Party Research: Do the policies clearly indicate whether or not collected information is shared with third parties for research or product improvement purposes?

  • 3.2.4: Third-Party Marketing (BASIC): Do the policies clearly indicate whether or not personal information is shared with third parties for advertising or marketing purposes?

  • 3.4.1: Sell Data (BASIC): Do the policies clearly indicate whether or not a user's personal information is sold or rented to third parties?

  • 3.10.1: Third-Party Providers: Do the policies clearly indicate whether or not third-party services are used to support the internal operations of the vendor's product?

  • 3.10.2: Third-Party Roles: Do the policies clearly indicate the role of third-party service providers?

  • 3.13.1: Vendor Combination: Do the policies clearly indicate whether or not data collected or maintained by the vendor can be augmented, extended, or combined with data from third-party sources?

  • 3.15.1: Data Deidentified: Do the policies clearly indicate whether or not a user's information that is shared or sold to a third-party is only done so in an anonymous or deidentified format?

  • 3.15.2: Deidentified Process: Do the policies clearly indicate whether or not the deidentification process is done with a reasonable level of justified confidence, or whether the vendor provides links to any information that describes their deidentification process?

  • 3.16.1: Third-Party Limits (BASIC): Do the policies clearly indicate whether or not the vendor imposes contractual limits on how third parties can use personal information that the vendor shares or sells to them?

  • 3.16.2: Combination Limits: Do the policies clearly indicate whether or not the vendor imposes contractual limits that prohibit third parties from reidentifying or combining data with other data sources that the vendor shares or sells to them?

  • 4.1.1: Purpose Limitation: Do the policies clearly indicate whether or not the vendor limits the use of data collected by the product to the educational purpose for which it was collected?

  • 4.2.1: Combination Type: Do the policies clearly indicate whether or not the vendor would treat personally identifiable information (PII) combined with non-personally identifiable information as PII?

  • 5.2.1: Collection Consent: Do the policies clearly indicate whether or not the vendor requests opt-in consent from a user at the time information is collected?

  • 6.1.1: Access Data (BASIC): Do the policies clearly indicate whether or not the vendor provides authorized individuals a method to access a user's personal information?

  • 6.1.2: Restrict Access: Do the policies clearly indicate whether or not the vendor provides mechanisms (permissions, roles, or access controls, etc.) to restrict what data are accessible to specific users?

  • 6.1.3: Review Data: Do the policies clearly indicate whether or not the vendor provides a process available for the school, parents, or eligible students to review student information?

  • 6.2.1: Maintain Accuracy: Do the policies clearly indicate whether or not the vendor takes steps to maintain the accuracy of data they collect and store?

  • 6.3.2: Modification Process: Do the policies clearly indicate whether or not the vendor provides a process for the schools, parents, or eligible students to modify inaccurate student information?

  • 6.5.1: Deletion Purpose: Do the policies clearly indicate whether or not the vendor will delete a user's personal information when the data are no longer necessary to fulfill its intended purpose?

  • 6.5.2: Account Deletion: Do the policies clearly indicate whether or not a user's data are deleted upon account cancellation or termination?

  • 6.5.4: Deletion Process (BASIC): Do the policies clearly indicate whether or not the vendor provides a process for the school, parent, or eligible student to delete a student's personal information?

  • 7.1.1: Transfer Data (BASIC): Do the policies clearly indicate whether or not the vendor can transfer a user's data in the event of the vendor's merger, acquisition, or bankruptcy?

  • 7.3.1: Contractual Limits: Do the policies clearly indicate whether or not the third-party successor of a data transfer is contractually required to provide the same privacy compliance required of the vendor?

  • 8.1.1: Verify Identity: Do the policies clearly indicate whether or not the vendor or vendor-authorized third party verifies a user's identity with personal information?

  • 8.3.1: Security Agreement: Do the policies clearly indicate whether or not a third party with access to a user's information is contractually required to provide the same level of security protections as the vendor?

  • 8.4.1: Reasonable Security (BASIC): Do the policies clearly indicate whether or not reasonable security standards are used to protect the confidentiality of a user's personal information?

  • 8.6.2: Data Control: Do the policies clearly indicate whether or not personal information is stored outside the control of the vendor?

  • 9.1.1: Safe Interactions (BASIC): Do the policies clearly indicate whether or not a user can interact with trusted users?

  • 9.1.2: Unsafe Interactions: Do the policies clearly indicate whether or not a user can interact with untrusted users?

  • 9.1.3: Share Profile: Do the policies clearly indicate whether or not information must be shared or revealed by a user in order to participate in social interactions?

  • 9.2.1: Visible Data (BASIC): Do the policies clearly indicate whether or not a user's personal information can be displayed publicly in any way?

  • 9.3.2: Filter Content (BASIC): Do the policies clearly indicate whether or not the vendor takes reasonable measures to delete all personal information from a user's postings before they are made publicly visible?

  • 9.3.3: Moderating Interactions (BASIC): Do the policies clearly indicate whether or not social interactions between users of the product are moderated?

  • 10.2.1: Traditional Ads (BASIC): Do the policies clearly indicate whether or not traditional advertisements are displayed to a user based on a webpage's content, and not that user's data?

  • 10.3.1: Behavioral Ads (BASIC): Do the policies clearly indicate whether or not behavioral advertising based on a user's personal information are displayed?

  • 10.4.1: Third-Party Tracking (BASIC): Do the policies clearly indicate whether or not third-party advertising services or tracking technologies collect any information from a user of the product?

  • 10.4.2: Track Users (BASIC): Do the policies clearly indicate whether or not a user's information is used to track users and display target advertisements on other third-party websites or services?

  • 10.4.3: Data Profile (BASIC): Do the policies clearly indicate whether or not the vendor allows third parties to use a student's data to create an automated profile, engage in data enhancement, conduct social advertising, or target advertising to students, parents, teachers, or the school?

  • 10.6.1: Marketing Messages: Do the policies clearly indicate whether or not the vendor may send marketing emails, text messages, or other related communications that may be of interest to a user?

  • 10.6.2: Third-Party Promotions: Do the policies clearly indicate whether or not the vendor may ask a user to participate in any sweepstakes, contests, surveys, or other similar promotions?

  • 10.7.1: Unsubscribe Ads: Do the policies clearly indicate whether or not a user can opt out of traditional, contextual, or behavioral advertising?

  • 11.1.1: Actual Knowledge: Do the policies clearly indicate whether or not the vendor has actual knowledge that personal information from children under 13 years of age is collected by the product?

  • 11.1.2: COPPA Notice: Do the policies clearly indicate whether or not the vendor describes: (1) what information is collected from children under 13 years of age, (2) how that information is used, and (3) its disclosure practices for that information?

  • 11.1.3: Restrict Account: Do the policies clearly indicate whether or not the vendor prohibits creating an account for a child under 13 years of age?

  • 11.1.4: Restrict Purchase: Do the policies clearly indicate whether or not the vendor restricts in-app purchases for a child under 13 years of age?

  • 11.1.5: Safe Harbor: Do the policies clearly indicate whether or not the product participates in an FTC-approved COPPA safe harbor program?

  • 11.3.1: Parental Consent (BASIC): Do the policies clearly indicate whether or not the vendor or third party obtains verifiable parental consent before they collect or disclose personal information?

  • 11.3.2: Limit Consent: Do the policies clearly indicate whether or not a parent can consent to the collection and use of their child's personal information without also consenting to the disclosure of the information to third parties?

  • 11.3.3: Withdraw Consent: Do the policies clearly indicate whether or not the vendor responds to a request from a parent or guardian to prevent further collection of their child's information?

  • 11.3.4: Delete Child-PII: Do the policies clearly indicate whether or not the vendor deletes personal information from a student or child under 13 years of age if collected without parental consent?

  • 11.3.5: Consent Method (BASIC): Do the policies clearly indicate whether or not the vendor provides notice to parents or guardians of the methods to provide verifiable parental consent under COPPA?

  • 11.3.6: Internal Operations: Do the policies clearly indicate whether or not the vendor can collect and use personal information from children without parental consent to support the 'internal operations' of the vendor's product?

  • 11.3.7: COPPA Exception: Do the policies clearly indicate whether or not the vendor collects personal information from children without verifiable parental consent for the sole purpose of trying to obtain consent under COPPA?

  • 11.4.4: Law Enforcement: Do the policies clearly indicate whether or not the vendor can use or disclose a user's data under a requirement of applicable law to comply with a legal process, to respond to governmental requests, to enforce their own policies, for assistance in fraud detection and prevention, or to protect the rights, privacy, safety or property of the vendor, its users, or others?

Family Educational Rights and Privacy Act (FERPA)

  • 1.8.5: Students Intended (BASIC): Do the policies clearly indicate whether or not the product is intended to be used by students in preschool or K-12?

  • 1.8.6: Teachers Intended: Do the policies clearly indicate whether or not the product is intended to be used by teachers?

  • 2.1.1: Collect PII (BASIC): Do the policies clearly indicate whether or not the vendor collects personally identifiable information (PII)?

  • 2.1.3: Geolocation Data: Do the policies clearly indicate whether or not precise geolocation data are collected?

  • 2.1.4: Health Data: Do the policies clearly indicate whether or not any health or biometric data are collected?

  • 2.1.5: Behavioral Data: Do the policies clearly indicate whether or not any behavioral data are collected?

  • 2.1.7: Usage Data: Do the policies clearly indicate whether or not the product automatically collects any information?

  • 2.1.8: Lunch Status: Do the policies clearly indicate whether or not the vendor collects information on free or reduced lunch status?

  • 2.2.1: Student Data: Do the policies clearly indicate whether or not the vendor collects personal information or education records from preK-12 students?

  • 2.4.1: Collection Limitation (BASIC): Do the policies clearly indicate whether or not the vendor limits the collection or use of information to only data that are specifically required for the product?

  • 3.1.1: Data Shared (BASIC): Do the policies clearly indicate if collected information (this includes data collected via automated tracking or usage analytics) is shared with third parties?

  • 3.2.3: Third-Party Research: Do the policies clearly indicate whether or not collected information is shared with third parties for research or product improvement purposes?

  • 3.15.1: Data Deidentified: Do the policies clearly indicate whether or not a user's information that is shared or sold to a third-party is only done so in an anonymous or deidentified format?

  • 3.15.2: Deidentified Process: Do the policies clearly indicate whether or not the deidentification process is done with a reasonable level of justified confidence, or whether the vendor provides links to any information that describes their deidentification process?

  • 3.16.1: Third-Party Limits (BASIC): Do the policies clearly indicate whether or not the vendor imposes contractual limits on how third parties can use personal information that the vendor shares or sells to them?

  • 5.5.2: Disclosure Request: Do the policies clearly indicate whether or not a user can request the vendor to provide all the personal information the vendor has shared with third parties?

  • 5.5.3: Disclosure Notice: Do the policies clearly indicate whether or not the vendor will provide the affected user, school, parent, or student with notice in the event the vendor receives a government or legal request for their information?

  • 6.1.2: Restrict Access: Do the policies clearly indicate whether or not the vendor provides mechanisms (permissions, roles, or access controls, etc.) to restrict what data are accessible to specific users?

  • 6.1.3: Review Data: Do the policies clearly indicate whether or not the vendor provides a process available for the school, parents, or eligible students to review student information?

  • 6.3.2: Modification Process: Do the policies clearly indicate whether or not the vendor provides a process for the schools, parents, or eligible students to modify inaccurate student information?

  • 6.4.2: Retention Limits: Do the policies clearly indicate whether or not the vendor will limit the retention of a user's data unless a valid request to inspect data is made?

  • 6.5.2: Account Deletion: Do the policies clearly indicate whether or not a user's data are deleted upon account cancellation or termination?

  • 6.5.4: Deletion Process (BASIC): Do the policies clearly indicate whether or not the vendor provides a process for the school, parent, or eligible student to delete a student's personal information?

  • 8.1.1: Verify Identity: Do the policies clearly indicate whether or not the vendor or vendor-authorized third party verifies a user's identity with personal information?

  • 8.3.1: Security Agreement: Do the policies clearly indicate whether or not a third party with access to a user's information is contractually required to provide the same level of security protections as the vendor?

  • 8.4.1: Reasonable Security (BASIC): Do the policies clearly indicate whether or not reasonable security standards are used to protect the confidentiality of a user's personal information?

  • 8.6.2: Data Control: Do the policies clearly indicate whether or not personal information is stored outside the control of the vendor?

  • 10.4.2: Track Users (BASIC): Do the policies clearly indicate whether or not a user's information is used to track users and display targeted advertisements on other third-party websites or services?

  • 11.2.2: Education Records: Do the policies clearly indicate the process by which education records are entered into the product? For example, are data entered by district staff, school employees, parents, teachers, students, or some other person?

  • 11.2.3: School Contract: Do the policies clearly indicate whether or not the vendor provides a contract to a Local Educational Agency (LEA) or otherwise provides notice to users of additional rights?

  • 11.2.4: School Official: Do the policies clearly indicate whether or not the vendor is under the direct control of the educational institution and designates themselves a 'School Official' under FERPA?

  • 11.3.1: Parental Consent (BASIC): Do the policies clearly indicate whether or not the vendor or third party obtains verifiable parental consent before they collect or disclose personal information?

  • 11.3.4: Delete Child-PII: Do the policies clearly indicate whether or not the vendor deletes personal information from a student or child under 13 years of age if collected without parental consent?

  • 11.3.8: FERPA Exception: Do the policies clearly indicate whether or not the vendor may disclose personal information without verifiable parental consent under a FERPA exception?

  • 11.3.9: Directory Information: Do the policies clearly indicate whether or not the vendor discloses student information as 'Directory Information' under a FERPA exception?

  • 11.4.4: Law Enforcement: Do the policies clearly indicate whether or not the vendor can use or disclose a user's data under a requirement of applicable law to comply with a legal process, to respond to governmental requests, to enforce their own policies, for assistance in fraud detection and prevention, or to protect the rights, privacy, safety or property of the vendor, its users, or others?

Student Online Personal Information Protection Act (SOPIPA)

  • 1.8.5: Students Intended (BASIC): Do the policies clearly indicate whether or not the product is intended to be used by students in preschool or K-12?

  • 1.8.6: Teachers Intended: Do the policies clearly indicate whether or not the product is intended to be used by teachers?

  • 2.1.3: Geolocation Data: Do the policies clearly indicate whether or not precise geolocation data are collected?

  • 2.1.4: Health Data: Do the policies clearly indicate whether or not any health or biometric data are collected?

  • 2.1.7: Usage Data: Do the policies clearly indicate whether or not the product automatically collects any information?

  • 2.2.1: Student Data: Do the policies clearly indicate whether or not the vendor collects personal information or education records from preK-12 students?

  • 3.1.1: Data Shared (BASIC): Do the policies clearly indicate if collected information (this includes data collected via automated tracking or usage analytics) is shared with third parties?

  • 3.2.1: Sharing Purpose: Do the policies clearly indicate the vendor's intention or purpose for sharing a user's personal information with third parties?

  • 3.2.2: Third-Party Analytics: Do the policies clearly indicate whether or not collected information is shared with third parties for analytics and tracking purposes?

  • 3.2.3: Third-Party Research: Do the policies clearly indicate whether or not collected information is shared with third parties for research or product improvement purposes?

  • 3.2.4: Third-Party Marketing (BASIC): Do the policies clearly indicate whether or not personal information is shared with third parties for advertising or marketing purposes?

  • 3.4.1: Sell Data (BASIC): Do the policies clearly indicate whether or not a user's personal information is sold or rented to third parties?

  • 3.10.1: Third-Party Providers: Do the policies clearly indicate whether or not third-party services are used to support the internal operations of the vendor's product?

  • 3.10.2: Third-Party Roles: Do the policies clearly indicate the role of third-party service providers?

  • 3.13.2: Third-Party Combination: Do the policies clearly indicate whether or not data shared with third parties can be augmented, extended, or combined with data from additional third-party sources?

  • 3.15.1: Data Deidentified: Do the policies clearly indicate whether or not a user's information is shared with or sold to a third party only in an anonymous or deidentified format?

  • 3.15.2: Deidentified Process: Do the policies clearly indicate whether or not the deidentification process is done with a reasonable level of justified confidence, or whether the vendor provides links to any information that describes their deidentification process?

  • 3.16.1: Third-Party Limits (BASIC): Do the policies clearly indicate whether or not the vendor imposes contractual limits on how third parties can use personal information that the vendor shares or sells to them?

  • 4.1.1: Purpose Limitation: Do the policies clearly indicate whether or not the vendor limits the use of data collected by the product to the educational purpose for which it was collected?

  • 6.5.2: Account Deletion: Do the policies clearly indicate whether or not a user's data are deleted upon account cancellation or termination?

  • 6.5.4: Deletion Process (BASIC): Do the policies clearly indicate whether or not the vendor provides a process for the school, parent, or eligible student to delete a student's personal information?

  • 6.6.1: User Export: Do the policies clearly indicate whether or not a user can export or download their data, including any user-created content on the product?

  • 7.1.1: Transfer Data (BASIC): Do the policies clearly indicate whether or not the vendor can transfer a user's data in the event of the vendor's merger, acquisition, or bankruptcy?

  • 7.3.1: Contractual Limits: Do the policies clearly indicate whether or not the third-party successor of a data transfer is contractually required to provide the same privacy compliance required of the vendor?

  • 8.3.1: Security Agreement: Do the policies clearly indicate whether or not a third party with access to a user's information is contractually required to provide the same level of security protections as the vendor?

  • 8.4.1: Reasonable Security (BASIC): Do the policies clearly indicate whether or not reasonable security standards are used to protect the confidentiality of a user's personal information?

  • 8.6.2: Data Control: Do the policies clearly indicate whether or not personal information is stored outside the control of the vendor?

  • 10.3.1: Behavioral Ads (BASIC): Do the policies clearly indicate whether or not behavioral advertising based on a user's personal information is displayed?

  • 10.4.1: Third-Party Tracking (BASIC): Do the policies clearly indicate whether or not third-party advertising services or tracking technologies collect any information from a user of the product?

  • 10.4.2: Track Users (BASIC): Do the policies clearly indicate whether or not a user's information is used to track users and display targeted advertisements on other third-party websites or services?

  • 10.4.3: Data Profile (BASIC): Do the policies clearly indicate whether or not the vendor allows third parties to use a student's data to create an automated profile, engage in data enhancement, conduct social advertising, or target advertising to students, parents, teachers, or the school?

  • 10.6.1: Marketing Messages: Do the policies clearly indicate whether or not the vendor may send marketing emails, text messages, or other related communications that may be of interest to a user?

  • 10.6.2: Third-Party Promotions: Do the policies clearly indicate whether or not the vendor may ask a user to participate in any sweepstakes, contests, surveys, or other similar promotions?

  • 11.2.1: School Purpose (BASIC): Do the policies clearly indicate whether or not the product is primarily used, designed, and marketed for preschool or K-12 school purposes?

  • 11.4.4: Law Enforcement: Do the policies clearly indicate whether or not the vendor can use or disclose a user's data under a requirement of applicable law to comply with a legal process, to respond to governmental requests, to enforce their own policies, for assistance in fraud detection and prevention, or to protect the rights, privacy, safety or property of the vendor, its users, or others?

Early Learning Personal Information Protection Act (ELPIPA)

  • 1.8.5: Students Intended (BASIC): Do the policies clearly indicate whether or not the product is intended to be used by students in preschool or K-12?

  • 1.8.6: Teachers Intended: Do the policies clearly indicate whether or not the product is intended to be used by teachers?

  • 2.2.1: Student Data: Do the policies clearly indicate whether or not the vendor collects personal information or education records from preK-12 students?

  • 11.2.1: School Purpose (BASIC): Do the policies clearly indicate whether or not the product is primarily used, designed, and marketed for preschool or K-12 school purposes?

General Data Protection Regulation (GDPR)

  • 1.5.1: Vendor Contact: Do the policies clearly indicate whether or not a user can contact the vendor about any privacy policy questions, complaints, and material changes to the policies?

  • 1.6.1: Quick Reference: Do the policies clearly indicate the vendor's privacy principles by short explanations, layered notices, a table of contents, or outlined privacy principles of the vendor?

  • 1.8.1: Children Intended (BASIC): Do the policies clearly indicate whether or not the product is intended to be used by children under the age of 13?

  • 1.8.2: Teens Intended: Do the policies clearly indicate whether or not the product is intended to be used by teens 13 to 18 years of age?

  • 1.8.3: Adults Intended: Do the policies clearly indicate whether or not the product is intended to be used by adults over the age of 18?

  • 2.1.1: Collect PII (BASIC): Do the policies clearly indicate whether or not the vendor collects personally identifiable information (PII)?

  • 2.1.2: PII Categories: Do the policies clearly indicate what categories of personally identifiable information are collected by the product?

  • 2.1.3: Geolocation Data: Do the policies clearly indicate whether or not precise geolocation data are collected?

  • 2.1.4: Health Data: Do the policies clearly indicate whether or not any health or biometric data are collected?

  • 2.1.5: Behavioral Data: Do the policies clearly indicate whether or not any behavioral data are collected?

  • 2.1.6: Sensitive Data: Do the policies clearly indicate whether or not sensitive personal information is collected?

  • 2.1.7: Usage Data: Do the policies clearly indicate whether or not the product automatically collects any information?

  • 2.4.1: Collection Limitation (BASIC): Do the policies clearly indicate whether or not the vendor limits the collection or use of information to only data that are specifically required for the product?

  • 3.1.1: Data Shared (BASIC): Do the policies clearly indicate if collected information (this includes data collected via automated tracking or usage analytics) is shared with third parties?

  • 3.2.1: Sharing Purpose: Do the policies clearly indicate the vendor's intention or purpose for sharing a user's personal information with third parties?

  • 3.2.2: Third-Party Analytics: Do the policies clearly indicate whether or not collected information is shared with third parties for analytics and tracking purposes?

  • 3.3.1: Exclude Sharing: Do the policies specify any categories of information that will not be shared with third parties?

  • 3.5.1: Data Acquired: Do the policies clearly indicate whether or not the vendor may acquire a user's information from a third party?

  • 3.11.1: Third-Party Categories: Do the policies clearly indicate the categories of related third parties, such as subsidiaries or affiliates with whom the vendor shares data?

  • 3.15.1: Data Deidentified: Do the policies clearly indicate whether or not a user's information is shared with or sold to a third party only in an anonymous or deidentified format?

  • 3.15.2: Deidentified Process: Do the policies clearly indicate whether or not the deidentification process is done with a reasonable level of justified confidence, or whether the vendor provides links to any information that describes their deidentification process?

  • 3.16.1: Third-Party Limits (BASIC): Do the policies clearly indicate whether or not the vendor imposes contractual limits on how third parties can use personal information that the vendor shares or sells to them?

  • 4.1.1: Purpose Limitation: Do the policies clearly indicate whether or not the vendor limits the use of data collected by the product to the educational purpose for which it was collected?

  • 4.1.2: Data Purpose: Do the policies clearly indicate the context or purpose for which data are collected?

  • 4.3.1: Context Notice: Do the policies clearly indicate whether or not notice is provided to a user if the vendor changes the context in which data are collected?

  • 4.4.1: Context Consent: Do the policies clearly indicate whether or not the vendor will obtain consent if the practices in which data are collected change or are inconsistent with contractual requirements?

  • 5.2.1: Collection Consent: Do the policies clearly indicate whether or not the vendor requests opt-in consent from a user at the time information is collected?

  • 5.3.1: Complaint Notice: Do the policies clearly indicate whether or not the vendor has a grievance or remedy mechanism for users to file a complaint after the vendor restricts or removes a user's content or account?

  • 5.5.1: Opt-Out Consent: Do the policies clearly indicate whether or not a user can opt out from the disclosure or sale of their data to a third party?

  • 5.5.2: Disclosure Request: Do the policies clearly indicate whether or not a user can request the vendor to provide all the personal information the vendor has shared with third parties?

  • 5.5.3: Disclosure Notice: Do the policies clearly indicate whether or not the vendor will provide the affected user, school, parent, or student with notice in the event the vendor receives a government or legal request for their information?

  • 6.1.1: Access Data (BASIC): Do the policies clearly indicate whether or not the vendor provides authorized individuals a method to access a user's personal information?

  • 6.1.2: Restrict Access: Do the policies clearly indicate whether or not the vendor provides mechanisms (permissions, roles, or access controls, etc.) to restrict what data are accessible to specific users?

  • 6.2.1: Maintain Accuracy: Do the policies clearly indicate whether or not the vendor takes steps to maintain the accuracy of data they collect and store?

  • 6.3.1: Data Modification (BASIC): Do the policies clearly indicate whether or not the vendor provides authorized individuals with the ability to modify a user's inaccurate data?

  • 6.3.2: Modification Process: Do the policies clearly indicate whether or not the vendor provides a process for the schools, parents, or eligible students to modify inaccurate student information?

  • 6.3.3: Modification Notice: Do the policies clearly indicate how long the vendor has to modify a user's inaccurate data after being given notice?

  • 6.4.1: Retention Policy: Do the policies clearly indicate the vendor's data retention policy, including any data sunsets or any time period after which a user's data will be automatically deleted if they are inactive on the product?

  • 6.4.2: Retention Limits: Do the policies clearly indicate whether or not the vendor will limit the retention of a user's data unless a valid request to inspect data is made?

  • 6.5.1: Deletion Purpose: Do the policies clearly indicate whether or not the vendor will delete a user's personal information when the data are no longer necessary to fulfill its intended purpose?

  • 6.5.3: User Deletion: Do the policies clearly indicate whether or not a user can delete all of their personal and non-personal information from the vendor?

  • 6.5.4: Deletion Process (BASIC): Do the policies clearly indicate whether or not the vendor provides a process for the school, parent, or eligible student to delete a student's personal information?

  • 6.5.5: Deletion Notice: Do the policies clearly indicate how long the vendor may take to delete a user's data after being given notice?

  • 6.6.1: User Export: Do the policies clearly indicate whether or not a user can export or download their data, including any user-created content on the product?

  • 7.3.1: Contractual Limits: Do the policies clearly indicate whether or not the third-party successor of a data transfer is contractually required to provide the same privacy compliance required of the vendor?

  • 8.1.1: Verify Identity: Do the policies clearly indicate whether or not the vendor or vendor-authorized third party verifies a user's identity with personal information?

  • 8.3.1: Security Agreement: Do the policies clearly indicate whether or not a third party with access to a user's information is contractually required to provide the same level of security protections as the vendor?

  • 8.4.1: Reasonable Security (BASIC): Do the policies clearly indicate whether or not reasonable security standards are used to protect the confidentiality of a user's personal information?

  • 8.5.1: Transit Encryption (BASIC): Do the policies clearly indicate whether or not all data in transit is encrypted?

  • 8.6.1: Storage Encryption (BASIC): Do the policies clearly indicate whether or not all data at rest is encrypted?

  • 8.6.2: Data Control: Do the policies clearly indicate whether or not personal information is stored outside the control of the vendor?

  • 8.7.1: Breach Notice (BASIC): Do the policies clearly indicate whether or not the vendor provides notice in the event of a data breach to affected individuals?

  • 8.8.1: Security Audit: Do the policies clearly indicate whether or not the data privacy or security practices of the vendor are internally or externally audited to ensure compliance?

  • 10.4.3: Data Profile (BASIC): Do the policies clearly indicate whether or not the vendor allows third parties to use a student's data to create an automated profile, engage in data enhancement, conduct social advertising, or target advertising to students, parents, teachers, or the school?

  • 10.7.2: Unsubscribe Marketing: Do the policies clearly indicate whether or not a user can opt out or unsubscribe from a vendor or third-party marketing communication?

  • 11.2.3: School Contract: Do the policies clearly indicate whether or not the vendor provides a contract to a Local Educational Agency (LEA) or otherwise provides notice to users of additional rights?

  • 11.3.1: Parental Consent (BASIC): Do the policies clearly indicate whether or not the vendor or third party obtains verifiable parental consent before they collect or disclose personal information?

  • 11.3.3: Withdraw Consent: Do the policies clearly indicate whether or not the vendor responds to a request from a parent or guardian to prevent further collection of their child's information?

  • 11.5.1: Privacy Badge: Do the policies clearly indicate whether or not the vendor has signed any privacy pledges or received any other privacy certifications?

  • 11.6.1: GDPR Jurisdiction: Do the policies clearly indicate whether or not a user's data are subject to international data transfer or jurisdiction laws, such as a privacy shield or a safe harbor framework that protects the cross-border transfer of a user's data?

  • 11.6.2: GDPR Role: Do the policies clearly indicate whether or not the vendor is categorized as a Data Controller or a Data Processor, and whether it has identified a Data Protection Officer (DPO) for the purposes of GDPR compliance?