Student Privacy Pledge delivers neither privacy nor enforcement

Riddle me this: Which is more binding, the Student Privacy Pledge or a pinky promise?

Sadly, as of today, the answer is the pinky promise.

With the most recent “Trolls” movie – “Trolls World Tour” – prominently highlighting the binding significance of the “pinky promise,” the same cannot be said of the Student Privacy Pledge — a pledge taken by 400-plus educational technology (Ed Tech) companies stating a commitment to “carry out responsible stewardship and appropriate use of student personal information.” 

Consider the recent Consumer Reports story about the College Board tracking students and sharing that information with Adobe, Facebook, Google, Microsoft, Snapchat, Yahoo, and advertising network AdMedia — despite the pledge’s commitment to “[n]ot use or disclose student information collected through an educational/school service . . . for behavioral targeting of advertisements to students.” Yet when the Future of Privacy Forum, the group that administers the pledge, was asked about this violation, its response was that it was looking into the findings to ensure that the College Board is living up to its promises.

But how does one “ensure” anything, if there is no enforcement?

A 2018 Duke Law & Technology Review article entitled “Peeling Back the Student Privacy Pledge,” posited the same question when analyzing whether signatory companies were complying with the pledge, or “just paying lip service to its goals,” given the toothless nature of a pledge devoid of oversight or enforcement.

Perhaps the poster-child for the lack of accountability to which pledge signatories are held is Naviance by Hobsons — an Ed-Tech provider used by middle, high school, and college students that collects dates of birth, ethnicity, and other sensitive data — having reported at least three data breaches in 2019 alone. The first was a data breach in Virginia, involving sensitive information of 21 former students; the second was a breach in Pennsylvania involving 12,000 students, and the third involved close to 6,000 students attending Montgomery County, Md., public schools. With three breaches in a single year, one could argue that Naviance is not compliant with the pledge’s commitment to “[m]aintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks.”

Yet, almost a year later, Naviance is still displayed as a pledge signatory. No penalties. No suspension. Not even probation.

Another pledge signatory is Canvas by Instructure, which received a “warning” grade of 63 for its privacy practices from Common Sense.org, “the nation’s leading nonprofit organization dedicated to improving the lives of all kids and families by providing the trustworthy information, education, and independent voice they need.”  The privacy policy Instructure says applies to its educational products indicates that Canvas shares data about student use of its product with third parties like Google Analytics, including data about “what other sites they used prior to coming to the Site.” This, despite agreeing in the pledge to “[n]ot collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student.” Allowing an analytics provider to “collect and store” a student’s prior online activity and browsing history from before the student even logged in to Instructure, could increase the risk that personal information unrelated to the educational service is being captured.

Relatedly, pledge signatories agree to “[n]ot use or disclose student information . . . for behavioral targeting of advertisements to students.” In describing the data it collects via technology, Instructure defines its use of “web beacons” as being used to “manage cookies, count visits, and to learn what marketing works and what does not.” While reasonable minds may differ, the use of technology, directed at a user, in order to determine whether marketing is or is not working, sure sounds a lot like “behavioral targeting.” Instructure says categorically that the company does not disclose student information for the purpose of targeting advertisements to students.  

Even Google is a pledge signatory. Google is being sued by the New Mexico attorney general for sharing student’s personal information with other parts of its business, in apparent contravention of the pledge. Yet Google proudly boasts of its “compliance with rigorous standards,” to include the Student Privacy Pledge. A Google spokesman said the New Mexico attorney general’s claims were “factually wrong.”

To be clear, there are responsible Ed tech companies that have signed the pledge and that genuinely care about student data privacy. But unless all signatories are held responsible for complying with the pledge, the pledge becomes nothing more than a marketing stunt that means little and misleads many. 

As the Duke Law & Technology article concluded, consumers of education software have limited power to hold pledge signatories accountable, and thus “the Federal Trade Commission (FTC), is best positioned to enforce compliance with the pledge.” After all, trade practices are their bread and butter.  

Notably, in May 2020, when the FTC announced a settlement with Swiss-based Miniclip SA for claiming to be compliant with, and a member of, the Children’s Online Privacy Protection Act (COPAA) Safe Harbor Program, FTC Commissioner Rohit Chopra wrote that “[t]he commission must . . . revamp its approach to these third-party privacy policing programs,” because these programs don’t adequately fulfill their own oversight obligations.

Yet the need to police third-party programs designed to protect our children is the same, whether we’re talking about COPPA Safe Harbor or the Student Privacy Pledge. 

With all the risks to privacy that students already face today — especially in this age of COVID-19, in which schools rely on Ed Tech for the entire (virtual) curriculum — a hollow pledge, with commitments that aren’t enforced, does nothing more than lull parents into a false sense of security, placing our children at greater — not lesser — risk.

NOTE: This post has been updated from the original to focus on the correct privacy policy for Canvas by Instructure; the company says categorically that it does not disclose student information for the purpose of targeting advertisements to students.

Joel Schwarz is a Managing Partner at The Schwarz Group, LLC, where he works as a consultant and attorney, and an adjunct professor at Albany Law School, teaching courses on cybercrime, cybersecurity and privacy. He previously served as the Civil Liberties and Privacy Officer (CLPO) for the National Counterterrorism Center and was a cybercrime prosecutor for the Justice Department and New York State Attorney General’s Office. He was also counsel on e-commerce and privacy for MetLife.