Is my company eligible to take the Pledge?
The Student Privacy Pledge applies to “school service providers.” This means you must be (1) a commercial company (not a government entity or individual person); and (2) provide an online or mobile application or service that is designed for United States K-12 educational institutions; and (3) is used at the direction of their teachers or school employees.
Of course, you must also collect or handle K-12 student data. Although it does not matter whether you receive the information from the school or directly from student users, the Pledge does not apply to companies that merely sell software to schools (but never see or handle any of the student data). See the full definition here.
What if I am not based in the United States?
That’s okay! If your company is collecting or managing data from United States K-12 students, then you are subject to US laws for those business operations and are eligible to take the Pledge.
What if my service is designed for K-12 students, but I’m not sure if it’s being used “at the direction of” teachers or school administrators?
Sometimes companies may provide, for example, an online platform or game that is designed for K-12 students, but do not have any way of knowing whether teachers are using it or instructing their students to use it (for instance, because it might be freely available). If your platform or service is designed to be used by teachers or at the direction of teachers (i.e. in the classroom, for homework, or for extra-curricular assignments), then as long as the other criteria are met, we will add you as a Pledge signatory.
Is the Pledge legally enforcable?
Yes. By taking the Pledge, a company is making a public statement of their practices with respect to student data. Accountability comes from the Federal Trade Commission (FTC), which has the authority to bring civil enforcement actions against companies who do not adhere to their public statements of practices. If a company acts in contradiction to their own public statements, they risk an enforcement action for “unfair or deceptive trade practices.” This is known as FTC Section 5 authority, which you can learn more about by visiting the FTC’s explanation here.
Who runs the Student Privacy Pledge website?
The studentprivacypledge.org website is maintained by the Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA).
How do you verify that Signatories are in compliance?
Is the Student Privacy Pledge enforceable against non-profit entities?
While the FTC Act only applies to “corporations,” defined as a company organized to do business for profit or for the profit of its members, state unfair and deceptive practices (UDAP) statutes usually do not have that restriction. Massachusetts and Illinois have both found that a non-profit was engaged in “trade or commerce” or acting in a “business context,” and have taken action against those non-profits. Determining whether or not a specific organization falls under a state’s UDAP statute is a highly fact-dependent inquiry, but it should not be assumed that a state cannot act against a non-profit if it believes the non-profit is violating their consumer protection laws.
Are companies ever removed from the list of Pledge Signatories?
Sometimes. A company might be removed if it goes out of business, merges with, or is acquired by another company. We also ask companies to “re-commit” to the Student Privacy Pledge each year, by confirming to us that, in the event of any changes to their policies and procedures, they are still in compliance with the Pledge. If a company decides not to re-commit (for whatever reason), we will remove their logo.
What should I do if I think a Signatory is not complying with the Student Privacy Pledge?
If you have questions about whether a Signatory is complying with the Student Privacy Pledge, we recommend that you reach out to that company. If the company’s products or services are used by your school district, school administrators can also help resolve questions. You are also welcome to reach out to us as intermediaries, and we will help facilitate a discussion about privacy practices, although we cannot speak directly on behalf of any company. If you believe a company is seriously in violation, you may also file an FTC Complaint.
Does taking the Pledge mean that a company is complying with all other state and federal privacy laws?
Does a company need to provide a logo in order to take the Pledge?
Yes. In order to take the Pledge, we ask you to provide a copy of your company’s logo. Before adding you to the Pledge site, we will also contact you to ask for your affirmative consent to use that logo on the website to represent your public commitment to the full text of the Pledge.
What are the other requirements?