Part IV: Privacy Policies
While policies vary across states, members of the public have a reasonable expectation to know what information is being collected about them by state and local public agencies – including state departments of education and school districts – as well as to know the rights they may have to not participate or opt out of those collections. According to the National Conference of State Legislature (NCSL), at least 17 states require government websites or state portals to establish privacy policies and procedures, or to incorporate machine-readable privacy policies into their websites. These rights are codified in Virginia, for instance, as follows:
While advice and requirements for the contents of privacy policies vary, some popular third-party website plug-ins require specific disclosures as a condition of their use. The free-of-cost Google Analytics service, for instance, in its Terms of Service, states that:
Google further notes (in the above referenced, “How Google uses data when you use our partners’ sites or apps”) that:
Many websites use Google technologies to improve their content and keep it free. When you visit a website that uses our advertising products (like AdSense), social products (like the +1 button), or analytics tools (Google Analytics), your web browser automatically sends certain information to Google. This includes, for example, the web address of the page that you’re visiting and your IP address. We may also set cookies on your browser or read cookies that are already there.
Similarly, apps that partner with Google can send us information such as the name of the app and an identifier that helps us to determine which ads we’ve served to other apps on your device. If you are signed in to your Google Account, and depending on your Account settings, we may add that information to your Account, and treat it as personal information.
[Note: Red underlined text added for emphasis, not in original text.]
To what degree are state and local education agency websites in compliance with applicable privacy laws and the terms of service of the applications they’ve deployed on their public websites?
Analyzing Education Agency Websites
While there are automated tools available to assess the technical characteristics of education agency (and other) websites, the evaluation of the quality and content of privacy policies and/or terms of service of education agency websites is largely a manual process. For the purposes of this study, these manual reviews were conducted of:
- Each of the 51 state department of education websites, including the state education agency website for the District of Columbia; and
- A national cross-section of 159 unique public school district websites, comprised of recipients of the Consortium for School Networking’s Trusted Learning Environment Seal, members of the Council of Great City Schools, and members of Digital Promise’s League of Innovative Schools.
Note: While this research project is focused on state and local education agency websites, there are other promising efforts to help website users more generally evaluate the quality and content of privacy policies, such as Terms of Service; Didn’t Read.
Findings: State Department of Education Websites
- The 11 states that had privacy policies, but did not disclose the use of ad tracking or surveillance cookies in use by their websites included: Alabama, Arizona, California, the District of Columbia, Hawaii, Iowa, Maryland, Oklahoma, Rhode Island, and West Virginia. Some of these states had remarkably brief and generic policies:
- No fewer than 10 state departments of education make demonstrably false statements in their website privacy policies about the use of ad tracking or surveillance cookies on their websites, including:
- Arkansas: “Cookies are not used.“
- Georgia: “Once the user closes their browser, the cookie automatically terminates.“
- Illinois: “We do not use ‘persistent’ cookies on our web site. ‘Session’ or ‘temporary’ cookies are also not used on ISBE web site pages.“
- Massachusetts: “The cookies…expire when your session has ended.” and “Nevertheless, if the URL begins with “https” you can be assured that sensitive information such as your account and credit card numbers remain encrypted and secure even though the padlock icon disappears.“
- Nevada: “If cookies are used, the organization must disclose the specific information regarding the use of the cookie as part of their privacy statement.“
- New York: “The information is not collected for commercial marketing purposes and NYSED does not sell or distribute the information collected from the website for commercial marketing purposes.” and “NYSED does not use “persistent” cookies on this site.“
- Pennsylvania: “This information is not collected for commercial marketing purposes.” and “Commonwealth policy does not allow for the use of persistent cookies.” (Note: persistent cookies are in use.)
- South Carolina: “Once the user closes their browser, the cookie automatically terminates.” and “Any SDE application or Web page that uses ‘cookies’ will identify itself as such. This information is handled in the same way as other personally identifiable information obtained by the SDE. No user information will be gathered through the use of ‘cookies’ except that which is required to run the specific application(s) being accessed by the user.“
- Vermont: “If a persistent Web cookie is required, the Web page discloses to visitors that a persistent cookie is being used.“
- Wisconsin: “Wisconsin.gov uses only session cookies. The information on these cookies is retained by the State only while the user’s session is active in a table that lists the unique identifiers of those currently using the site.“
- Of the 43 state department of education websites found to deploy Google Analytics on their websites, 90 percent were found to be in violation of the service’s Terms of Service. Only 4 state department of education websites were found to be in partial compliance by disclosing some information to users about its presence on their website, including: Colorado, Idaho, Missouri, and North Dakota.
Findings: School District Websites
- About one-third of school districts (52) linked to a generic school district vendor policy from their website, describing some of the terms of the contract between the school district and their vendor, but not the relationship between the school district and the visitors to its website.
- Of the 148 school districts in the study sample (i.e., 93 percent) that were found to deploy Google Analytics on their websites, 98 percent were found to be in violation of the service’s Terms of Service. Only 2 districts of the 148 were found to be in partial compliance by disclosing some information to users about its presence on their website.
In sum, the vast majority of state and local education agency websites were found to do a poor job of disclosing their website privacy practices.
- Despite the near universal deployment of Google Analytics user tracking tools on state and local education agency websites, only 4 states and 2 school districts were found to be in partial compliance with Google’s Terms of Service, which require specific disclosures by its customers to their users (including about what it collected and how users can opt out of data sharing).
In the next part, we will examine the state of state department of education websites.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.