February 13, 2024

Privacy Recommendations
for EdTech Stakeholders

6 Free Things To Do Right Now

- DO be intentional. Be convinced that the benefits exceed the privacy risks. More isn’t better.
- DON’T exceed 20 technologies, especially in elementary schools. A good rule of thumb is to use no more technology than the school can reasonably manage monitor on an ongoing basis.

DO examine website risks using EFF’s Privacy Badger, or The Markup’s Blacklight tools:

DO use ISL’s https://appmicroscope.org to familiarize yourself with the privacy risks in EdTech apps.

- If you have a school utility app, ask the vendor to review their App Microscope Safety Label and clarify advertising related data sharing (e.g. https://appmicroscope.org/app/1597/).

DO remember that LEAs have no actual control over the behavior of off the shelf technologies. Use caution before recommending them for student use.

- DO also remember that Schools that even for licensed technologies, the vendor makes unilateral decisions regarding software behavior, and always has access to all the data.

6 Things To Introduce Next School Year

DO remove all ads from your school and district websites.
DO remove advertising trackers on school websites. It’s not enough to remove ads on the website, due to the presence of third-party trackers and scripts running on websites.

DO develop a systemic technology vetting process.
DO create a technology notice for students and parents listing each technology that is required or recommended, and if the school has consented to data sharing [under COPPA] for the student.
DO, at a minimum, allow parents and students to consent to technologies that collect information protected under PPRA.
DON’T overuse the LEA’s ability to consent on behalf of the student.

3 Things To Do with  Appropriate Funding

DO designate a Software Product Manager who is responsible for developing and deploying a systemic technology vetting process.
DO perform annual software privacy audits.
DO have Data Privacy Agreements for all technologies the school is requiring students to use.

- Student Data Privacy Consortium (SDPC) has templates like this one: https://privacy.a4l.org/national-dpa/

For Over Achievers

DO measure efficacy of your current technology vetting using the tools listed above.
DO contact ISL for assistance in auditing privacy risks in technology and establishing tech vetting practices.

Policy Makers

DO fund at least one full-time software procurement specialist, accountable for tech oversight and vendor management.

- Treat software procurement as distinct from hardware. The skillsets differ vastly.

DO pass federal regulation to monitor and rigorously control data brokers and disallow collection of children’s data.

EdTech Developers

DON’T include advertising in EdTech. Until advertising can be done in a way that doesn’t ultimately uniquely identify users and harvest user information, best to not include it on EdTech.
DON’T include cross-site, persistent identifiers in EdTech.
DO configure your analytics platform to preserve student data privacy.
DO only include third party SDKs that are strictly necessary for the expected functions.
DO manage all third-party data processors and ensure student data privacy policies are in place throughout the supply chain, and regularly monitored.
DO know your audience: child-directed/mixed-audience/general audience.
DO employ data purging practices/and make sure your supply chain does as well.

Parents

DO use ISL’s App Microscope (https://appmicroscope.org) to review the technology your children are using and to raise awareness with teachers and other parents.
DO talk to your children about the safety and privacy risks of using technology.
DO explain to them the risks of lying about their age in order to use a particular service.

DO contact ISL for any questions:
info@InternetSafetyLabs.org

School EdTech Safety Recommendations