Tier Risks

The Common Sense Privacy Program helps parents, teachers, schools, and districts make sense of the privacy risks they may face with our evaluation tiers that flag areas of concern. A comprehensive privacy risk assessment can identify these risks and determine which personal information companies are collecting, sharing, and using to minimize potential harm to children and students. Children require specific protection of their personal information, because they may be less aware of the risks, consequences, and safeguards concerned and their rights in the processing of their personal information. This protection should apply to the use of personal information of children for the purposes of marketing or creating personality or user profiles and the collection of personal data from children when using services offered directly to a child.

The Privacy Program provides an evaluation process that assesses what companies' policies say about their privacy and security practices. Our evaluation results, including easy-to-understand tier icons, indicate which companies are transparent about what they do and don't do but also indicate whether a company's privacy practices and protections meet standard industry practices. Our privacy evaluations display evaluation tier criteria for each product and indicate when a criteria is found to be a worse practice for the purposes of our evaluation process or unclear with a yellow alert icon.

Evaluation Flags

The following evaluation tier criteria describe some of the most important privacy risks and resulting harms that can occur with technology products intended to be used by children and students that also affect their parents and educators.

Privacy policy

The privacy policy of the specific product (vs. the company website) must be made publicly available.

Without transparency into the privacy practices of a product, there are no expectations on the part of the child, student, parent, or teacher of how that company will collect, use, or disclose collected personal information, which could cause unintended harm.

Supporting encryption

A product is required to use and/or redirect all pages to encryption with HTTPS.

Without basic security protections, such as encryption of personal information while in transit, there is an increased risk of potential interception and misuse of personal information (by unauthorized third parties) that may include a child or student's login credentials, which could cause unintended harm. Unencrypted product pages can be tampered with to look official and appear to be coming from an official source, which could enable phishing attacks or leaking of sensitive information.

Selling data

A child or student's personal information should not be sold or rented to third parties.

If a child or student's personal information is sold to third parties, then there is an increased risk that the child or student's personal information may be used in ways that were not intended at the time at which they provided their personal information to the company, resulting in unintended harm.

Third-party marketing

A child or student's personal information should not be shared with third parties for advertising or marketing purposes.

An application or service that requires a child or student to be contacted by third-party companies for their own advertising or marketing purposes increases the risk of exposure to inappropriate advertising and influences that exploit children's vulnerability. Third parties who try to influence a child or student's purchasing behavior for other goods and services may cause unintended harm.

Behavioral advertising

Behavioral or contextual advertising based on a child or student's personal information should not be displayed.

A child or student's personal information provided to an application or service should not be used to exploit that child or student's specific knowledge, traits, and learned behaviors to use their vulnerability to influence their decisions to purchase other goods and services they would not have otherwise made, which may cause unintended harm.

Third-party tracking

Third-party advertising services or tracking technologies should not collect any information from a user of the application or service.

A child or student's personal and usage information provided to an application or service should not be used by a third party to persistently track that child or student's actions on the application or service to influence what content they see in the product and elsewhere online. Third-party tracking can use a child or student’s vulnerability to change their decision-making processes, which may cause unintended harm.

User tracking

A child or student's personal information should not be tracked and used to target advertisements on other third-party websites or services.

A child or student's personal information provided to an application or service should not be used by a third party to persistently track that child or student's actions over time and across the internet on other devices and services to use their vulnerability to influence their decision-making processes, which may cause unintended harm.

User profile

A company should not allow third parties to use a child or student's data to create a profile, engage in data enhancement or social advertising, or target advertising.

Automated decision-making, including the creation of data profiles for tracking or advertising purposes, can lead to an increased risk of harmful outcomes that may significantly affect children or students.