Privacy policies for websites are usually written by lawyers who sacrifice readability in search of strict legal accuracy. Maximum rights are reserved for the company, with caveats that allow changes in the future.
For companies serving students, this model is simply not a feasible option. The common legal strategy of seeking the minimum required description or disclosure--while maintaining maximum flexibility for the company--is guaranteed to lead to criticism.
The privacy policy for a company serving schools needs to take several key audiences into account. The school technology administrator or school board contracting officer is obligated to read the policy and should be ensuring that schools are only providing data as FERPA allows--and as the school has determined to be an appropriate educational use. If the policy doesn’t spell out what data is collected and how it is specifically used, the school can’t be sure that the policy is compliant.
Too many school technology administrators have told us that they find the policies they review to be inscrutable when it comes to clearly laying out the information needed by the school to assess the vendor. Simply saying in the policy that the service complies with FERPA doesn't do the job, as the vendor is not bound by FERPA. The school needs to understand how the vendor is helping the school live up to the school’s obligation of ensuring data is used only for the educational purposes that the school intends to authorize.
Increasingly, parents and privacy advocates are rigorously examining the privacy practices of school vendors, and are raising alarms as they read the legal terms. Company after company has had to backpedal, explaining that they didn’t really mean or intend to do what the policy seemed to say.Criticism is sure to follow, andclarification must be quickly issued; why not get it right the first time?
To help companies facing this challenge, here are some tips gathered from our discussions with key advocates and stakeholders in the ed-tech arena.
- Do not claim that you can simply change your policy at any time. Schools can’t be assured that data will be used as they authorized if a policy can change without notice. And, for services covered by COPPA, federal law specifically requires a new prominent notice and consent from parents before a material change can be made.
- Do not simply say that if your company is sold, student data is an asset that will also be sold to the acquirer. Yes, your company can be acquired, but state clearly that the purchaser is subject to the same commitments for the previously collected student personal information.
- Don’t disclaim responsibility for any third party code on your site. You are responsible for ensuring that any tracking, such as basic web site analytics, is acceptable for approved purposes. Behavioral advertising is never an approved purpose for a site subject to FERPA and is a clear violation for services covered by COPPA. Avoid the use of free plug-ins like Add This or Share This, which explicitly collect data for behavioral advertising.
The vendor tips page at FERPA|SHERPA provides additional, practical suggestions to getting student privacy right. They are certainly not comprehensive, but following them in conjunction with a careful review of the legal requirements and industry best practices can put relevant stakeholders on the road to a strong policy that protects business interests along with those of students, parents, and schools.
After all, you don’t want to be the one searching for just the right apology…