April 23, 2024

The ISL Company Privacy Risk Dictionary scores companies found in ISL research (such as the 2022 US K-12 EdTech Safety Benchmark), whether as app developers, as SDK developers, or as companies found in the network traffic of the app when tested.

Company Privacy Risk is calculated from a multi-part formula ultimately reflecting Risk Impact plus Risk Likelihood. Risk Impact and Risk Likelihood are both scored from -1 (lowest risk) to -4 (highest risk), and then added together. The final score is normalized into a range from -1 (lowest risk) to -4 (highest risk).

Risk Impact is directly proportional to the sensitivity of the data generally accessed to provide services in the Company’s industry category/subcategory. The more sensitive the data, the higher the Risk Impact. For instance, mental health services would increase Risk Impact, as would School Information Systems, given the depth and breadth of student and parent information.

Risk Likelihood reflects the likelihood of the company sharing or monetizing personal information. This was determined by evaluating the following characteristics:

a. The company’s primary industry category and subcategory. Categories known to monetize personal information resulted in higher Risk Likelihood. [Source: Crunchbase, Wikipedia, online research]

b. The status of the company. If the company is defunct, it results in a higher Risk Likelihood. [Source: Crunchbase, Wikipedia, online research]

c. If the company is a registered data broker in California or Vermont, or has been reported to commercialize bulk personal data, it receives a higher Risk Likelihood. [Source: California Data Broker Registry, Vermont Data Broker Registry, online research]

d. If the company’s user-facing services perform behavioral advertising, it increases Risk Likelihood. [Source: Company Privacy Policy, Website behavior]

e. Each of the following events impacts the Risk Likelihood score [Source: online research]:
   i. If the company has had privacy-related regulatory cases and/or fines.
   ii. If the company has had privacy-related lawsuits.
   iii. If the company has had data breaches.

f. The absence of a privacy policy increases the Risk Likelihood score. [Source: Company Website]

ISL provides this data as an informational tool reflecting research at this point in time, version 1.0 published on 4/23/24. Please contact us at contact@internetsafetylabs.org if you have questions or corrections.

This work is licensed under the Creative Commons Attribution-NonCommercial 4.0 International License.
