The Student Privacy Pledge applies to “school service providers.” This means you must be (1) a commercial company (not a government entity or individual person); and (2) provide an online or mobile application or service that is designed for United States K-12 educational institutions; and (3) is used at the direction of their teachers or school employees.

Of course, you must also collect or handle K-12 student data. Although it does not matter whether you receive the information from the school or directly from student users, the Pledge does not apply to companies that merely sell software to schools (but never see or handle any of the student data). See the full definition here.

That’s okay! If your company is collecting or managing data from United States K-12 students, then you are subject to US laws for those business operations and are eligible to take the Pledge.

Sometimes companies may provide, for example, an online platform or game that is designed for K-12 students, but do not have any way of knowing whether teachers are using it or instructing their students to use it (for instance, because it might be freely available). If your platform or service is designed to be used by teachers or at the direction of teachers (i.e. in the classroom, for homework, or for extra-curricular assignments), then as long as the other criteria are met, we will add you as a Pledge signatory.


Yes. By taking the Pledge, a company is making a public statement of its practices with respect to student data. Accountability comes from the Federal Trade Commission (FTC), which has the authority to bring civil enforcement actions against companies that do not adhere to their public statements of practices. If a company acts in contradiction to their own public statements, they risk an enforcement action for “unfair or deceptive trade practices.” This is known as FTC Section 5 authority, which you can learn more about by visiting the FTC’s explanation here.

The studentprivacypledge.org website is maintained by the Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA).

While the FTC Act only applies to “corporations,” defined as a company organized to do business for profit or for the profit of its members, state unfair and deceptive practices (UDAP) statutes usually do not have that restriction. Massachusetts and Illinois have both found that a non-profit was engaged in “trade or commerce” or acting in a “business context,” and have taken action against those non-profits. Determining whether or not a specific organization falls under a state’s UDAP statute is a highly fact-dependent inquiry, but it should not be assumed that a state cannot act against a non-profit if it believes the non-profit is violating their consumer protection laws.

Sometimes. A company might be removed if it goes out of business, merges with, or is acquired by another company. We also ask companies to “re-commit” to the Student Privacy Pledge each year, by confirming to us that, in the event of any changes to their policies and procedures, they are still in compliance with the Pledge. If a company decides not to re-commit (for whatever reason), we will remove their logo.

If you have a question about a signing company’s Privacy Policy, we recommend first reaching out to that company. If the company’s products or services are used in your child’s school, you may also consider reaching out to your school administrators or school district. We are also happy to serve as facilitators of discussions around privacy practices. For questions about the Pledge, feel free to contact us.

If you have questions about whether a Signatory is complying with the Student Privacy Pledge, we recommend that you reach out to that company. If the company’s products or services are used by your school district, school administrators can also help resolve questions. You are also welcome to reach out to us as intermediaries, and we will help facilitate a discussion about privacy practices, although we cannot speak directly on behalf of any company. If you believe a company is seriously in violation, you may also file an FTC Complaint.

The Pledge is limited in scope to the commitments it outlines. The Pledge is not intended to be a comprehensive privacy policy nor to be inclusive of all the many requirements needed to comply with applicable federal and state laws. That said, most Signatories have taken the Pledge because they wish to be thoughtful and conscientious about privacy, and are therefore likely to have done a thorough analysis of the requirements at all levels and attempted to comply.


Yes. The Pledge requires that a signing company “clearly disclose” their privacy practices to students, parents, and teachers, in a manner that is easy to understand. Usually, the easiest way to do this is to post a public Privacy Policy on your website. However, some companies choose to disclose their privacy policies within their educational platform (product or service) itself, or within their contracts with schools, and this is also fine.

Yes. In order to take the Pledge, we ask you to provide a copy of your company’s logo. Before adding you to the Pledge site, we will also contact you to ask for your affirmative consent to use that logo on the website to represent your public commitment to the full text of the Pledge.

Because the Student Privacy Pledge is an enforceable public commitment, a company’s Privacy Policy should not contain any obvious inconsistencies with the intent of the Pledge, or direct contradictions to Pledge terms. If it does, we will point out those issues in order to bring them to the company’s attention before they take the Pledge. Ultimately, it will be up to the signing company to make changes to their policy at their own discretion. If a company’s policy is obviously out of sync with the Pledge terms, we may decline to list them on the studentprivacypledge.org website.

If you are developing your Privacy Policy, we are happy to tell you whether your policy contains any obvious inconsistencies with the intent of the Pledge. However, we do not provide legal advice, and cannot help draft privacy policies. For more resources on drafting privacy policies, we recommend visiting FERPA|SHERPA and GitHub.

Pledge 2020

Pledge 2020 is a collaborative, public effort to update the Pledge. Since the Pledge was first established in 2014, student data use, technology, and US laws have all changed. For this reason, we are asking pledge signatories, edtech companies, civil society groups, student privacy experts, and the general public to weigh in on how the Pledge can be improved to effectively protect student information in 2020 and beyond.

It will take effect in January 2020. Convening large groups of smart people to talk about privacy takes time. For the rest of 2019, we will take public comments and draft updates to the Pledge. When that process ends, we will launch Pledge 2020, and both current and new signatories can become Pledge 2020 signatories.

Because companies need time to update legal documents such as contracts, current signatories will be allowed to maintain their current commitments to the Student Privacy Pledge for a set time after Pledge 2020 takes effect. After that set time, all signatories will eventually commit to Pledge 2020.

You can still apply for the Pledge at any time. Applicants will be considered in terms of the original Pledge until the implementation of Pledge 2020, at which point all new applicants will apply for Pledge 2020.

Both current signatories and current applicants will eventually be required to commit to the new Pledge 2020 framework.

For additional questions, to submit comments, or to weigh in, please contact Alan Simpson at [email protected]