Student Privacy Pledge Guidelines
What are the Pledge 2020 Guidelines?
In our process to update the Student Privacy Pledge, we received calls to provide more information about Pledge commitments so readers better understand the content of the Pledge. The Student Privacy Pledge Guidelines, which were developed with multi-stakeholder input, seek to provide explanations for the Pledge commitments. The guidelines are meant to be explanatory and are not formally part of the Student Privacy Pledge that signatories commit to follow. The guidelines should not be read or understood to apply in the context of the Legacy Student Privacy Pledge, which Pledge 2020 updated and will replace. Read the full text of the Pledge here.
– A signatory is not allowed to use the student PII for purposes outside of those authorized by the school, parent, or eligible student.
– A parent or eligible student may authorize a signatory to use student PII for non-educational purposes.
– This Pledge provision is intended to align with the structure for disclosing student educational records to school officials under the Family Educational Rights and Privacy Act (FERPA) and its applicable regulations, 20 U.S.C. § 1232g; 34 CFR Part 99.
– There are some circumstances in which signatories may be required to disclose Student PII in compliance with a judicial order or pursuant to other legal process (e.g. a lawfully issued subpoena). A disclosure under such circumstances qualifies as an authorized school purpose provided the signatory follows all applicable law in disclosing Student PII. Please familiarize yourself with the many laws that prohibit or limit a company’s ability to disclose information so that you are familiar with limits on sharing data.
– The Pledge is intended to align with the general requirements in FERPA and many state student privacy laws that also prohibit the sale of student PII.
– This limitation on using student PII for behavioral targeting of advertisements applies to all web pages and apps that students are required to access and/or use in order to use an educational service.
– If a signatory has products, applications, or web pages that are not used to access an educational service, the signatory should clearly distinguish between data collected for advertising purposes and Student PII covered by the Pledge, which cannot be used for behavioral targeting of advertising to students.
– This Pledge requirement is intended to align with the general requirements in FERPA and many state student privacy laws, which also prohibit the use of student data for behavioral targeting of advertisements.
– The creation of any student profiles must be limited to uses authorized by the school, parent, or student.
– This commitment does not prohibit profiles such as student profiles used in personalized learning, so long as such profiles are only used for authorized educational purposes or used as authorized by a student or parent.
– Student profiles containing student PII should be subject to a retention policy consistent with the requirements of this Pledge.
– Notice to account holders about material changes to a signatory’s privacy policy must be prominent. Examples of such prominent notice include, but are not limited to:
– A direct email to the account holder stating that the signatory is changing its privacy policy, with details about the prospective changes to the privacy policy.
– A banner or other visual communication when a user visits the signatory’s website, if such communication is prominently displayed when a user first visits the website and includes a choice about whether to opt out of data use under the new policy.
– Notices other than those described above may also satisfy the Pledge requirements so long as they are sufficiently prominent to notify the account holder.
– Notice of any material changes to a privacy policy described in this Pledge provision must be provided to the account holder before data use, collection, or sharing that was not covered in the current privacy policy may take place.
– After receiving notice of the proposed material changes to a privacy policy, account holders must have a choice – an opportunity to agree or disagree with using the service after the change.
– A signatory can provide account holders with an option in the notice to consent to use, collection, or sharing under the new policy by clicking “I agree” or “OK.”
– If an account holder does not accept the new policy, they may stop using the signatory’s product or service. If an account holder opts out of changes after material changes to a privacy policy as described in this Pledge provision, student PII that the signatory has already collected may not be used under the terms of the new policy.
– If student PII is received by the signatory pursuant to a contract with an account holder, the contract should be understood to control the provider’s use of student PII and to constitute adequate notice and choice for the purposes of the Pledge.
– A signatory should securely delete or de-identify student PII after it is no longer needed by a school or needed to support the authorized educational purpose, or after the time period authorized by the parent/student.
– Student PII may be retained for shorter or longer periods, depending on the nature of the signatory’s service and requirements of the educational institution. A signatory can satisfy this requirement of the Pledge by agreeing to a retention schedule or specific requirements for deletion in a service contract with an account holder. The signatory should not hold student PII for an amount of time that is unreasonable in the context of the nature of the particular product or service.
– A signatory should limit its use of student PII to the educational purposes of the educational institution/agency or those specifically authorized by a parent/student. The Pledge is intended to align with the steps required for disclosing student educational records to school officials under FERPA.
– A signatory should not use any student PII for non-educational purposes or without authorization from the parent/student.
– A signatory should delete or de-identify student PII after it is no longer needed by a school or to support the authorized educational purpose, or after the time period authorized by the parent/student.
– In the context of the Pledge, privacy commitments can be made in various forms, including in a privacy statement on a website, in an app, or in a contract with an institution.
– Regardless of the form of a signatory’s privacy policy, the Pledge requires a signatory to commit that its privacy policy is easily accessible. Examples of easily accessible privacy policies are links to privacy policies displayed prominently on public webpages or providing written documents (e.g. a contract excerpt) containing privacy protections to the account holder of a service. Privacy policies should not be hidden behind paywalls and should not require readers to provide personal information in order to access such policies.
– If contracts control how a signatory collects and uses student PII, the signatory should describe the privacy protections for student PII that are contained in its contracts. Such a description could be, for example, provided in a signatory’s privacy policy, through an educational institution/agency website, or through a parent request to the educational institution/agency.
– Privacy policies should be written in clear language that allows institutions and parents to understand a signatory’s privacy practices.
– There are two ways to support access to and correction of student PII. A signatory may support direct access to student PII to parents and students. Alternatively, a signatory may support school access to student PII on behalf of parents and students. A signatory is not required to use both of the above-described methods for supporting access and correction.
– This approach to supporting access to and correction of student PII is intended to align with the structure of providing parents with access and correction rights under FERPA.
– A signatory’s security program should contain security controls and procedures appropriate to the nature and scope of the signatory’s activities and the sensitivity of the student PII.
– Administrative, technical, and physical safeguards should be designed to protect against both external risks, such as a malicious hack or ransomware attack, and also the possibility of internal breaches, such as an employee inadvertently exposing student PII through an error or an unauthorized employee accessing student PII.
– As applicable and appropriate, signatories should provide resources or information to users of their product or service about how to deploy and use their product or service in ways that promote privacy and security, such as by providing instructions on how to utilize privacy-protective settings or supporting the security of student PII by providing assistance with setting up a product for account holders or users.
– Such resources may also include, but are not limited to, providing privacy-protective settings by default, just-in-time privacy notifications, training materials, manuals for properly using the service, white papers about services, or in-person training.
– The successor entity receiving the student PII does not need to be a Pledge signatory, but must commit to either:
– follow the same commitments as found in the Pledge in order to continue to use or maintain the student PII; or
– provide notice of changes that are inconsistent with the Pledge commitments to the account holder(s) (i.e., the institution/agency, or the parent/student when the information is collected directly from the student with student/parent consent), and provide the account holder(s) an opportunity to opt in to the successor entity’s changed uses or sharing of student PII. If there is no opt-in, the signatory or its successor entity should delete or de-identify the student PII.
– Companies have incorporated privacy and security by, for example, taking a programmatic approach to privacy and security, applying privacy and security by design principles; considering privacy and security best practices; or analyzing guidance concerning reasonable privacy and security measures and comprehensive privacy and security programs.
– Signatories incorporating privacy and security should consider factors including: the potential for misuse or unexpected use of student PII; the privacy and security practices of third party vendors (if any); the potential harms that could result from product development or improvement; and whether any of these risks could be mitigated with additional training or resources for product users, educational institutions, or parents and students.
– Signatories should evaluate new technologies to ensure compliance with applicable laws.
– Signatories should carefully evaluate the use or development of new technologies in their products and services to consider the potential impact on the privacy and security of Student PII.
– The Pledge commitments apply to Student Personally Identifiable Information (PII) which has the same definition as “covered information” under California’s Student Online Personal Information Protection Act (SOPIPA). Information that is collected or retained by a Pledge signatory that meets that definition is covered by the Pledge commitments. Note that the Pledge does not cover de-identified information.
SOPIPA is linked here, and the full definition of “covered information” from the law is copied below.
“Covered information” means information or materials in any media or format that meets any of the following:
(1) Are created or provided by a student, or the student’s parent or legal guardian, in the course of the student’s, parent’s, legal guardian’s, use of the site, service, or application for K-12 school purposes.
(2) Are created or provided by an employee or agent of the educational institution.
(3) Are gathered by the site, service, or application, that is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student’s educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, persistent unique identifiers, search activity, photos, voice recordings, or geolocation information.
Frequently Asked Questions
Pledge 2020
Pledge 2020 was a collaborative, public effort to update the Pledge. Since the Legacy Pledge was first established in 2014, student data use, technology, and US laws have changed. For this reason, we asked pledge signatories, edtech companies, civil society groups, student privacy experts, and the general public to weigh in on how the Pledge can be improved to effectively protect student information in 2020 and beyond. Overall, we heard that the Pledge succeeds as a set of high-level commitments.
After multiple rounds of suggestions and edits, we have completed the Pledge 2020 process and released the updated Student Privacy Pledge 2020. We kept the core commitments of the Legacy Pledge intact and built upon the Legacy Pledge’s foundation in several key ways, including adding two new substantive commitments, writing a set of explanatory guidelines to help stakeholders better understand the Pledge commitments, and, where possible, aligning terms in the Pledge with language used in state student privacy laws.
Pledge 2020 takes effect upon the date of its publication. However, individual signatories only commit to follow the pledge terms as of the date they opt-in to the updated terms of this pledge. The Legacy Student Privacy Pledge will sunset in June of 2021. After the Legacy Pledge is sunset, this updated Student Privacy Pledge 2020 shall be the only Pledge language in effect.
Because companies need time to update legal documents such as contracts, current signatories will be allowed to maintain their current commitments to the Student Privacy Pledge for a set time after Pledge 2020 takes effect. The Legacy Pledge will be sunset in the Summer of 2021. After the Legacy Pledge is sunset, signatories will no longer be able to maintain their status there and will have the choice to commit to Pledge 2020 in order to remain Pledge signatories.
Going forward, all Pledge applications will be for the updated Pledge 2020 language. We are no longer taking applications to sign the Legacy Pledge.
Signing the Pledge is, and will remain, a commitment that eligible organizations make voluntarily. Current signatories may consider whether to sign Pledge 2020. Those that choose not to sign the updated Pledge will no longer be signatories when the Legacy Pledge is sunset. However, signatories that do not commit to Pledge 2020 before the Legacy Pledge is sunset may re-apply for Pledge 2020 at a later date.
The Legacy Pledge is scheduled to be sunset in Summer 2021. Current signatories of the Legacy Pledge will need to commit to Pledge 2020 by then in order to remain Pledge signatories.
Eligibility
The Student Privacy Pledge applies to “school service providers.” This means that (1) you must be a commercial company (not a government entity or individual person); (2) you must provide an online or mobile application or service that is designed for United States K-12 educational institutions; and (3) that application or service must be used at the direction of their teachers or school employees.
Of course, you must also collect or handle K-12 student data. Although it does not matter whether you receive the information from the school or directly from student users, the Pledge does not apply to companies that merely sell software to schools (but never see or handle any of the student data). See the full definition here.
That’s okay! If your company is collecting or managing data from United States K-12 students, then you are subject to US laws for those business operations and are eligible to take the Pledge.
Sometimes companies may provide, for example, an online platform or game that is designed for K-12 students, but do not have any way of knowing whether teachers are using it or instructing their students to use it (for instance, because it might be freely available). If your platform or service is designed to be used by teachers or at the direction of teachers (i.e. in the classroom, for homework, or for extra-curricular assignments), then as long as the other criteria are met, we will add you as a Pledge signatory.
Enforcement
Yes. By taking the Pledge, a company is making a public statement of their practices with respect to student data. Accountability comes from the Federal Trade Commission (FTC), which has the authority to bring civil enforcement actions against companies who do not adhere to their public statements of practices. If a company acts in contradiction to their own public statements, they risk an enforcement action for “unfair or deceptive trade practices.” This is known as FTC Section 5 authority, which you can learn more about by visiting the FTC’s explanation here.
The studentprivacypledge.org website is maintained by the Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA).
While the FTC Act only applies to “corporations,” defined as a company organized to do business for profit or for the profit of its members, state unfair and deceptive practices (UDAP) statutes usually do not have that restriction. Massachusetts and Illinois have both found that a non-profit was engaged in “trade or commerce” or acting in a “business context,” and have taken action against those non-profits. Determining whether or not a specific organization falls under a state’s UDAP statute is a highly fact-dependent inquiry, but it should not be assumed that a state cannot act against a non-profit if it believes the non-profit is violating their consumer protection laws.
Sometimes. A company might be removed if it goes out of business, merges with, or is acquired by another company. We also ask companies to “re-commit” to the Student Privacy Pledge in the event of any material changes to the Student Privacy Pledge.
If you have a question about a signing company’s Privacy Policy, we recommend first reaching out to that company. If the company’s products or services are used in your child’s school, you may also consider reaching out to your school administrators or school district. We are also happy to serve as facilitators of discussions around privacy practices. For questions about the Pledge, feel free to contact us.
If you have questions about whether a Signatory is complying with the Student Privacy Pledge, we recommend that you reach out to that company. If the company’s products or services are used by your school district, school administrators can also help resolve questions. You are also welcome to reach out to us as intermediaries, and we will help facilitate a discussion about privacy practices, although we cannot speak directly on behalf of any company. If you believe a company is seriously in violation, you may also file an FTC Complaint.
The Pledge is limited in scope to the commitments it outlines. The Pledge is not intended to be a comprehensive privacy policy nor to be inclusive of all the many requirements needed to comply with applicable federal and state laws. That said, most Signatories have taken the Pledge because they wish to be thoughtful and conscientious about privacy, and are therefore likely to have done a thorough analysis of the requirements at all levels and attempted to comply.
Requirements
Yes. The Pledge requires that a signing company “clearly disclose” their privacy practices to students, parents, and teachers, in a manner that is easy to understand. Usually, the easiest way to do this is to post a public Privacy Policy on your website. However, some companies choose to disclose their privacy policies within their educational platform (product or service) itself, or within their contracts with schools, and this is also fine.
Yes. In order to take the Pledge, we ask you to provide a copy of your company’s logo. Before adding you to the Pledge site, we will also contact you to ask for your affirmative consent to use that logo on the website to represent your public commitment to the full text of the Pledge.
Because the Student Privacy Pledge is an enforceable public commitment, a company’s Privacy Policy should not contain any obvious inconsistencies with the intent of the Pledge, or direct contradictions to Pledge terms. If it does, we will point out those issues in order to bring them to the company’s attention before they take the Pledge. Ultimately, it will be up to the signing company to make changes to their policy at their own discretion. If a company’s policy is obviously out of sync with the Pledge terms, we may decline to list them on the studentprivacypledge.org website.
If you are developing your Privacy Policy, we are happy to tell you whether your policy contains any obvious inconsistencies with the intent of the Pledge. However, we do not provide legal advice, and cannot help draft privacy policies. For more resources on drafting privacy policies, we recommend visiting Student Privacy Compass and GitHub.