Eligibility

  • Is my company eligible to take the Pledge?

    The Student Privacy Pledge applies to “school service providers.” This means that (1) you must be a commercial company (not a government entity or individual person); (2) you must provide an online or mobile application or service that is designed for United States K-12 educational institutions; and (3) that application or service must be used at the direction of their teachers or school employees.

    Of course, you must also collect or handle K-12 student data. Although it does not matter whether you receive the information from the school or directly from student users, the Pledge does not apply to companies that merely sell software to schools (but never see or handle any of the student data). See the full definition here.

  • What if I am not based in the United States?

    That’s okay! If your company is collecting or managing data from United States K-12 students, then you are subject to US laws for those business operations and are eligible to take the Pledge.

  • What if my service is designed for K-12 students, but I’m not sure if it’s being used “at the direction of” teachers or school administrators?

    Sometimes companies may provide, for example, an online platform or game that is designed for K-12 students, but do not have any way of knowing whether teachers are using it or instructing their students to use it (for instance, because it might be freely available). If your platform or service is designed to be used by teachers or at the direction of teachers (i.e. in the classroom, for homework, or for extra-curricular assignments), then as long as the other criteria are met, we will add you as a Pledge signatory.

Enforcement

  • Is the Pledge legally enforceable?

    Yes. By taking the Pledge, a company is making a public statement of their practices with respect to student data. Accountability comes from the Federal Trade Commission (FTC), which has the authority to bring civil enforcement actions against companies who do not adhere to their public statements of practices. If a company acts in contradiction to their own public statements, they risk an enforcement action for “unfair or deceptive trade practices.” This is known as FTC Section 5 authority, which you can learn more about by visiting the FTC’s explanation here.

  • Who runs the Student Privacy Pledge website?

    The studentprivacypledge.org website is maintained by the Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA).

  • How do you verify that Signatories are in compliance?

    FPF and SIIA serve as facilitators for discussions about privacy practices, and we encourage companies to undertake thoughtful reviews of their own policies. However, this is not a self-regulatory program, and we do not provide legal advice or make affirmations about the state of signing companies’ policies. If a company’s privacy policy contradicts the Student Privacy Pledge or contains obvious disconnects with the intent of the Pledge, we will decline to add that company as a Signatory until those issues are resolved. After a company takes the Pledge, however, enforcement stems from the FTC and state attorneys general, and accountability rests with the company directly.

  • Are companies ever removed from the list of Pledge Signatories?

    Sometimes. A company might be removed if it goes out of business, merges with another company, or is acquired by another company. We also ask companies to “re-commit” to the Student Privacy Pledge each year, by confirming to us that, in the event of any changes to their policies and procedures, they are still in compliance with the Pledge. If a company decides not to re-commit (for whatever reason), we will remove their logo.

  • What if I have a question about a signing company’s Privacy Policy (can I ask you about it)?

    If you have a question about a signing company’s Privacy Policy, we recommend first reaching out to that company. If the company’s products or services are used in your child’s school, you may also consider reaching out to your school administrators or school district. We are also happy to serve as facilitators of discussions around privacy practices. For questions about the Pledge, feel free to contact us.

  • What should I do if I think a Signatory is not complying with the Student Privacy Pledge?

    If you have questions about whether a Signatory is complying with the Student Privacy Pledge, we recommend that you reach out to that company. If the company’s products or services are used by your school district, school administrators can also help resolve questions. You are also welcome to reach out to us as intermediaries, and we will help facilitate a discussion about privacy practices, although we cannot speak directly on behalf of any company. If you believe a company is seriously in violation, you may also file an FTC Complaint.

  • Does taking the Pledge mean that a company is complying with all other state and federal privacy laws?

    The Pledge is limited in scope to the commitments it outlines. The Pledge is not intended to be a comprehensive privacy policy nor to be inclusive of all the many requirements needed to comply with applicable federal and state laws. That said, most Signatories have taken the Pledge because they wish to be thoughtful and conscientious about privacy, and are therefore likely to have done a thorough analysis of the requirements at all levels and attempted to comply.

Requirements

  • Does a company need a Privacy Policy in order to take the Pledge?

    Yes. The Pledge requires that a signing company “clearly disclose” their privacy practices to students, parents, and teachers, in a manner that is easy to understand. Usually, the easiest way to do this is to post a public Privacy Policy on your website. However, some companies choose to disclose their privacy policies within their educational platform (product or service) itself, or within their contracts with schools, and this is also fine.

  • Does a company need to provide a logo in order to take the Pledge?

    Yes. In order to take the Pledge, we ask you to provide a copy of your company’s logo. Before adding you to the Pledge site, we will also contact you to ask for your affirmative consent to use that logo on the website to represent your public commitment to the full text of the Pledge.

  • What are the other requirements?

    Because the Student Privacy Pledge is an enforceable public commitment, a company’s Privacy Policy should not contain any obvious inconsistencies with the intent of the Pledge, or direct contradictions to Pledge terms. If it does, we will point out those issues in order to bring them to the company’s attention before they take the Pledge. Ultimately, it will be up to the signing company to make changes to their policy at their own discretion. If a company’s policy is obviously out of sync with the Pledge terms, we may decline to list them on the studentprivacypledge.org website.

  • My company is still developing our Privacy Policy. Can you help us draft it, or give advice?

    If you are developing your Privacy Policy, we are happy to tell you whether your policy contains any obvious inconsistencies with the intent of the Pledge. However, we do not provide legal advice, and cannot help draft privacy policies. For more resources on drafting privacy policies, we recommend visiting FERPA|SHERPA and GitHub.