2017 Global Privacy Enforcement Network Sweep

Key takeaways for online educational services and tools

Introduction

The OPC is highlighting results and key takeaways from the Office of the Privacy Commissioner’s Global Privacy Enforcement Network (GPEN) Sweep 2017 (the “Sweep”), which focused on certain privacy practices of online educational tools and services targeted at classrooms. Together with the Ontario Information and Privacy Commissioner’s Office (Ontario IPC) we “swept” more than two (2) dozen popular online applications used in kindergarten through grade 12 classrooms (Footnote 1). These services, targeting a range of ages, varied from websites offering practice exercises, to classroom management apps, to blogging platforms.

The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or possible violations of privacy legislation. Rather, Sweepers sought to replicate the consumer experience by spending a few minutes interacting with websites/apps to record certain privacy practices in relation to a common set of indicators.

Highlighted below are the Sweep results and some of the good (and not so good!) practices that we saw, with certain takeaways for organizations developing online services for classrooms, and for Canadians using these services (Footnote 2). For organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, we’ve also provided information about relevant obligations under PIPEDA. Organizations that would like more information on their PIPEDA obligations may wish to have a look at our Privacy Toolkit.

The overarching theme selected for the 2017 GPEN Sweep was “user controls over personal information” while the Office of the Privacy Commissioner of Canada (OPC) and Ontario IPC partnered to focus on online educational tools and services.

It goes without saying that technology and online interactions have become standard elements in our lives, including for minors. While post-secondary institutions have long used online educational tools to enhance the classroom experience, an increasing number of elementary and high schools across Canada are now doing the same. We conducted this year’s Sweep to better understand how online educational services used in schools in Canada are handling personal information.

The types of services that we swept varied in nature and scope. Some services engaged students in interactive games but collected minimal personal information other than students’ progress. Others involved services that resembled virtual classrooms, which include blog-like functions where participants can generate and add content that varies from simple text to pictures and videos. The extent to which the class content was accessible was another differentiating feature, i.e., ranging from only the teacher/class members to teacher/class members and parents, to the public. Finally, some websites clearly targeted younger audiences, some older ones, while others did not appear to make any age distinctions at all.

This year’s Sweep took place during the week of May 22nd. The OPC and Ontario IPC jointly swept 27 online educational services. Of these services, 74% offered free services, while 26% of them offered monthly or yearly subscriptions (Footnote 3).

We have grouped the Sweep results into four main categories. These are:

  1. Transparency. Most of the services we looked at made information about how they handle personal information available to users, but the quality varied and it was sometimes hard to find.
  2. Consent. There were concerns with how a significant number of services obtained age appropriate consent from students or their parents/guardians.
  3. Age Appropriate Collection and Disclosure. Some (but not all) services were using practices for minimizing collection and disclosure of students’ personal information and providing controls for teachers and parents to set age-appropriate limits/supervision on collection and disclosure of students’ personal information.
  4. Deletion of personal information. Many services swept did not make it easy or even possible to delete personal information no longer needed.

Transparency

Regardless of the type of service or business, basic information about how personal information will be handled should be easily accessible to users.

We were pleased to find that this year, unlike in previous years’ Sweeps, all the organizations we swept did have privacy communications online, and most of them included key content like what personal information will be collected, and whether information will be disclosed to third parties.

However, we were disappointed that some were hard to find. Only 78% had privacy communications readily accessible at registration.

We also found that the quality of privacy communications varied widely. Some were lengthy and challenging to follow.

A number of the services we swept had particularly good privacy communications, with thorough, clear descriptions of their personal information handling practices.

For instance, ProdigyGames.com’s Privacy Policy section on sharing data with third parties not only includes an overview of how and why it shares personal information, but also includes a link to further details for those who want to know more (see the excerpt below):

Excerpt (text version of the screenshot):

(the list continues)

Here is a complete list of our service providers, why we use them and what information they have access to.

Legend:
  • SP: have access to student PII and teacher/parent PII
  • TPP: have access to teacher/parent PII
  • NO: no access to any PII

Hosting
  • Microsoft Azure: Cloud hosting service (SP)
  • Amazon Web Services: Cloud hosting service (SP)
  • Rackspace: Web hosting services (SP)
  • Datadog: Hosting Analytics service (NO)
  • Npm: Binary module hosting system (NO)

(the list continues)

Making this kind of specific detail available to those who want it through a ‘layered’ approach lets users get the amount of privacy information they need.

We also found certain services use other ways to make information about their privacy practices accessible, such as making printouts available for teachers to give to parents to inform them about their child’s use of the service, and how they can access further information.

Takeaways

For service providers:

Consider how you can improve your privacy communication. For more see: Ten Tips for a Better Online Privacy Policy and Improved Privacy Practice Transparency, and Collecting From kids? Ten tips for services aimed at children and youth (Footnote 4).

For users:

Considering an online educational service? Look for one with privacy communications (you can understand!) and contact information in case you have privacy questions or concerns. For more see: What to consider when reading a privacy policy.

Consent

Getting meaningful consent to collect, use and disclose personal information is an important cornerstone of privacy protection and an obligation under PIPEDA.

In general, PIPEDA requires that organizations get consent from an individual whose personal information it collects, uses or discloses in the course of commercial activity.

We were concerned to find that more than a third of the services we looked at relied on consent from teachers and did not seek consent from either students or parents (e.g. by providing information about collection, use and disclosure and requesting agreement). Although it may be possible in some cases for organizations to obtain the consent of parents and students via teachers, these services did not seem to provide teachers with resources for obtaining parental or student consent in other ways that we could find. While every situation is case specific, organizations remain ultimately accountable for obtaining meaningful consent from users.

In the Sweep we also looked at how the online service obtained consent for the collection, use and disclosure of students’ personal information for both younger and older students (Footnote 5). This matters given the differences in sophistication and understanding of proper and safe privacy practices between younger children and older children. This is in part why PIPEDA requires that consent will only be valid if it is reasonable to expect that individuals to whom an organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting. Generally speaking, in order for consent to be meaningful, in all but exceptional circumstances, if a child is under 13, consent must be obtained from a parent or guardian. For youth aged 13 to the provincial age of majority, the consent process must be adapted to the audience’s level of maturity.

Many of the services we looked at were ones that could be used by both younger and older students. In this context, we were surprised to find that only a handful of services had different consent mechanisms for younger and older students (such as seeking parental consent for younger students, and empowering older students by seeking age appropriate informed consent).

Two positive examples of services that seemed to consider the age of their users in seeking consent were KhanAcademy.org and Scratch.mit.edu. For instance, Khan Academy allows teachers to add student accounts to their online classroom; however, a message to obtain parental consent for students under 13 appears above the box that requires the personal information of the student(s):

Excerpt (text version of the screenshots):

[radio button] Send an email invitation
Students under 13 will need a parent to complete the signup process.
[text box] student1@example.com, student2@example.com

[radio button] Create a Khan Academy account for them (recommended for students under 13)
Enter information below. Accounts will be restricted until a parent account connects.
STUDENT NAME    UNIQUE USER NAME
[text box] e.g., Marjorie Rose
+ Add new line (or type Enter)

As another example, Scratch.mit.edu provides easily accessible, kid-friendly explanations (along with privacy sensitive tips) when collecting registration information from students (Footnote 6):

Excerpt (text version of the screenshots):

Join Scratch
Your responses to these questions will be kept private.
Why do we ask for this info?
Birth Month and Year [Month field] [Year field]
Gender [radio button] Male [radio button] Female [radio button] [text box] {other}
Country [text box]
Next [button]

Birth Month and Year
We use this information to calculate the age range of people who use Scratch, and to confirm that you are the owner of the account if you contact us. Your birth month and year will not be made public.

Gender
This helps the Scratch design team understand who is using Scratch, and provides information that helps us broaden participation. This information is not visible on your account, and is only used to describe overall participation.

This example of age-appropriate privacy information enables older students to make informed decisions about sharing their personal information, as part of ‘privacy education’ (Footnotes 7 and 8). We encourage services to consider how a service’s consent function can help empower students with regards to the privacy choices that will affect them and their personal information.

Takeaways

For service providers:
  • Assure yourself that consent is being obtained from individuals (or their parents) for the personal information your service collects about them.
  • If your service may be used by younger and older students, design in ways to get age-appropriate consent for collection, use and disclosure of personal information.
For users:

Look for services that require (or enable) consent from students and/or parents if applicable, and ones that use consent language that is age appropriate.

Age Appropriate Collection and Disclosure of Personal Information

Collection

PIPEDA requires organizations to limit the collection of personal information to that which is necessary for the purposes identified by the organization. Organizations cannot collect personal information indiscriminately and are instead required to only collect the type and amount of personal information that is necessary to fulfill the identified purpose.

For more complex services, such as those that allow for content uploading, it is important to recall that personal information is not just identifiers like name, age and address (i.e., the type of information that could be requested at the time of registration), but may also include student achievements, and content students may create or upload.

As mentioned at the outset of this report, there are a range of interactive platforms that target different age groups. We found that services that target younger students typically required teachers to create accounts for their students. We were pleased to see that many such services encourage teachers to not provide the full names of their students and collect little or no personal information. For example, some services offering practice exercises only require the teacher to input a username and password for the student, while no other personal information is collected. Once the student logs in, they can play a game to advance their skills.

Similarly, a substantial number of services discourage students from using full or real names.

However, we did come across a number of instances where we felt that websites were encouraging students to provide more personal information than was necessary in order to provide the identified services. For instance, although the fields are not mandatory, EDUBlogs.org’s student profile page has fields to collect students’ instant messaging handles, photo and bio with very limited explanations of why and how the information may be used or disclosed:

Excerpt (text version of the screenshot):

Contact Info
Email (Required) [text box]
Website [text box]
AIM [text box]
Yahoo IM [text box]
Jabber / Google Talk [text box]

About Yourself
Biographical Info [text box]
Share a little biographical information to fill out your profile. This may be shown publicly.

Profile Picture

Disclosure

In general, PIPEDA requires that organizations not use or disclose personal information without the individual’s consent.

Whether it is disclosure of information to third party companies, sharing with peers and parents, or making student content public online, age-sensitivity is important. For the purposes of this Sweep summary, disclosure includes social sharing within a virtual classroom or blog.

We were pleased to see numerous examples where services specified that they would not share children’s information with third parties for marketing purposes.

We were also pleased to see examples of services that made controls available for teachers and parents to set age-appropriate limits/supervision on the disclosure of students’ personal information between peers, as well as to the public or other individuals.

For instance, Pixton.com makes a range of controls available to tailor both (a) the types of personal information that students can upload, and (b) how content students create and upload (including personal information) can be shared:

Excerpt (text version of the screenshot):

MODERATION & PERMISSIONS

Teacher Settings [check boxes]
  • approve student comics before sharing with group
  • approve student comments before sharing with group
  • approve student avatars before sharing with group

Student Settings

Rating: [check boxes]
  • view classmates' comics
  • rate classmates' comics for fun
  • grade classmates' comics
  • see ratings on classmates' comics

Sharing: [check boxes]
  • remix comics
  • share comics outside Pixton via embed code or direct link
  • collaborate with Team Comics *

Other: [check boxes]
  • upload images
  • upload and record sound *
  • always outline characters by default *
  • spell checking *
  • create limited animation *
  • show all weapon & cigarette props
  • allow breasts on characters

* Not currently available in the Pixton iPad / Android app

As another example, for children under 13, KhanAcademy.org requires and empowers parents to choose whether to allow their child to “accept” coaches (who can then see their progress and any content they create) by themselves, or require parental approval.

Takeaways

For service providers:
  • Consider minimizing the number of non-core (or optional) purposes for which personal information is collected, particularly for younger students.
  • Avoid collecting unnecessary information, particularly sensitive identifiers like full dates of birth and full names.
  • Consider providing tools for teachers and parents to set age-appropriate limits/supervision on the types of personal information students can upload and who can see their content.
  • Disclosure of personal information to third parties should be limited to what is necessary for the provision of the service, and disclosure practices should be clearly set out and explained in the organization’s privacy policy.
For users:
  • Avoid using services that do not clearly explain their collection and disclosure practices.
  • Consider trying out a service from the ‘student’ perspective to see what kind of personal information they may be encouraged/able to provide about themselves. This experience can help you choose services which limit collection and sharing to what’s age-appropriate in your circumstances, and help kids make privacy sensitive choices when they use a service.

Deletion of Personal Information

PIPEDA states that personal information shall be retained only as long as necessary to fulfill the identified purposes for which it was collected and used. Organizations should delete or anonymize personal information that is no longer required for these purposes. PIPEDA also generally provides that individuals may withdraw their consent, which may require organizations to respect individuals’ wishes if they no longer want an organization to hold their personal information. This is particularly important when dealing with personal information of children.

We were disappointed that more than a third of the services we swept did not have mechanisms in place for students or their parents to delete students’ personal information. In some cases, we couldn’t even find a mechanism for teachers to delete students’ personal information from a service.

For instance, when we attempted to delete our test teacher account (and related student accounts) for IXL Math (ca.ixl.com) we were informed that there was no way to delete our trial account, it could only be deactivated, and that the related account information would be retained indefinitely. In a follow-up conversation with OPC, IXL assured us that it is possible to delete personal information and that they are in the process of updating their privacy policy.

Finally, less than half of services swept provided readily available information about their retention practices for dormant or inactive accounts.

Takeaways

For service providers:
  • Make it straightforward for users to delete their personal information.
  • Develop (and follow through on) a policy to delete users’ personal information that is no longer needed – such as after a period of inactivity.
For users:

Before providing too much personal information to an online educational service consider double checking that you can delete it. If you’re not sure, you could do what we did and create a test account to find out!

Sweep by the Numbers:

Below are selected statistics from our Sweep, which, together with Sweepers’ observations, form the basis for the report above. Each question lists the frequency (number of services out of 27) and the percentage.

Does the website/app have privacy communications?
  Yes: 27 (100%)
  No: 0 (0%)

Are privacy communications available at registration?
  Yes: 21 (78%)
  No: 6 (22%)

Does the website/app specify what personal information will be collected?
  Yes: 26 (96%)
  No: 1 (4%)

Does the website/app specify whether personal information may be disclosed to 3rd parties?
  Yes: 25 (93%)
  No: 2 (7%)

Who must agree to the terms & conditions or privacy policy for a 15 year old?
  Teacher: 11 (41%)
  Student: 7 (26%)
  Parent: 1 (4%)
  Teachers and Students: 4 (15%)
  Teachers and Parents: 2 (7%)
  Teachers, Students and Parents: 1 (4%)
  Students and Parents: 0 (0%)
  Not applicable: 1 (4%)

Who effectively consents to key decisions related to personal information for an 8 year old?
  Teacher: 10 (37%)
  Student: 3 (11%)
  Parent: 2 (7%)
  Teachers and Students: 4 (15%)
  Teachers and Parents: 5 (19%)
  Teachers, Students and Parents: 1 (4%)
  Students and Parents: 1 (4%)
  Not applicable: 1 (4%)

Who effectively consents to key decisions related to personal information for a 15 year old?
  Teacher: 11 (41%)
  Student: 6 (22%)
  Parent: 1 (4%)
  Teachers and Students: 4 (15%)
  Teachers and Parents: 2 (7%)
  Teachers, Students and Parents: 1 (4%)
  Students and Parents: 0 (0%)
  Not applicable: 2 (7%)

Does the service encourage, assist, or require obtaining parental consent?
  Yes: 16 (59%)
  No: 11 (41%)

Does the service collect seemingly unnecessary mandatory information?
  Yes: 7 (26%)
  No: 20 (74%)

Is it possible to use the service without registering and providing identifying information?
  Yes: 5 (19%)
  No: 22 (81%)

Does the website/app provide instructions to students and/or parents on how to remove personal information?
  Yes: 16 (59%)
  No: 11 (41%)

Is a retention policy for dormant/inactive accounts available?
  Yes: 12 (44%)
  No: 11 (41%)
  Unknown: 4 (15%)