Tracking: EDU

Part IV: Privacy Policies

While policies vary across states, members of the public have a reasonable expectation to know what information is being collected about them by state and local public agencies – including state departments of education and school districts – as well as to know the rights they may have to not participate or opt out of those collections. According to the National Conference of State Legislature (NCSL), at least 17 states require government websites or state portals to establish privacy policies and procedures, or to incorporate machine-readable privacy policies into their websites. These rights are codified in Virginia, for instance, as follows:



While advice and requirements for the contents of privacy policies vary, some popular third-party website plug-ins require specific disclosures as a condition of their use. The free-of-cost Google Analytics service, for instance, in its Terms of Service, states that:

“You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data. This can be done by displaying a prominent link to the site “How Google uses data when you use our partners’ sites or apps”, (located at www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time). You will use commercially reasonable efforts to ensure that a Visitor is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the Visitor’s device where such activity occurs in connection with the Service and where providing such information and obtaining such consent is required by law.”

Google further notes (in the above referenced, “How Google uses data when you use our partners’ sites or apps”) that:

Many websites use Google technologies to improve their content and keep it free. When you visit a website that uses our advertising products (like AdSense), social products (like the +1 button), or analytics tools (Google Analytics), your web browser automatically sends certain information to Google. This includes, for example, the web address of the page that you’re visiting and your IP address. We may also set cookies on your browser or read cookies that are already there.

Similarly, apps that partner with Google can send us information such as the name of the app and an identifier that helps us to determine which ads we’ve served to other apps on your device. If you are signed in to your Google Account, and depending on your Account settings, we may add that information to your Account, and treat it as personal information.

[Note: Red underlined text added for emphasis, not in original text.]

To what degree are state and local education agency websites in compliance with applicable privacy laws and the terms of service of the applications they’ve deployed on their public websites?

Analyzing Education Agency Websites

While there are automated tools available to assess the technical characteristics of education agency (and other) websites, the evaluation of the quality and content of privacy policies and/or terms of service of education agency websites is largely a manual process. For the purposes of this study, these manual reviews were conducted of:

  • Each of the 51 state department of education websites, including the state education agency website for the District of Columbia; and
  • A national cross-section of 159 unique public school district websites, comprised of recipients of the Consortium for School Networking’s Trusted Learning Environment Seal, members of the Council of Great City Schools, and members of Digital Promise’s League of Innovative Schools.

Note: While this research project is focused on state and local education agency websites, there are other promising efforts to help website users more generally evaluate the quality and content of privacy policies, such as Terms of Service; Didn’t Read.

Findings: State Department of Education Websites

  • 15 percent of state department of education websites (8 of 51) do not publish a privacy policy of any kind (including Terms of Use or Disclaimers) on their site, including Alaska, Indiana, Louisiana, Mississippi, and Wyoming. The states of Delaware and Nebraska instead link to generic vendor policies, describing some of the terms of the contract between those state agencies and their vendor, but not the relationship between the state agencies and the visitors to their websites. The Florida Department of Education’s privacy policy appears to redirect to the policy of a wholly unrelated state website.
  • Of the 43 state agency websites that published a privacy policy, only 32 state department of education websites disclosed the use of ad tracking or surveillance cookies (or related technology) by their sites. 
    • The 11 states that had privacy policies, but did not disclose the use of ad tracking or surveillance cookies in use by their websites included: Alabama, Arizona, California, the District of Columbia, Hawaii, Iowa, Maryland, Oklahoma, Rhode Island, and West Virginia. Some of these states had remarkably brief and generic policies:

The full privacy policy of the Maryland State Department of Education website (retrieved January 20, 2018).


  • No fewer than 10 state departments of education make demonstrably false statements in their website privacy policies about the use of ad tracking or surveillance cookies on their websites, including:
    • Arkansas: “Cookies are not used.
    • Georgia: “Once the user closes their browser, the cookie automatically terminates.
    • Illinois: “We do not use ‘persistent’ cookies on our web site. ‘Session’ or ‘temporary’ cookies are also not used on ISBE web site pages.
    • Massachusetts: “The cookies…expire when your session has ended.” and “Nevertheless, if the URL begins with “https” you can be assured that sensitive information such as your account and credit card numbers remain encrypted and secure even though the padlock icon disappears.
    • Nevada: “If cookies are used, the organization must disclose the specific information regarding the use of the cookie as part of their privacy statement.
    • New York: “The information is not collected for commercial marketing purposes and NYSED does not sell or distribute the information collected from the website for commercial marketing purposes.” and “NYSED does not use “persistent” cookies on this site.
    • Pennsylvania: “This information is not collected for commercial marketing purposes.” and “Commonwealth policy does not allow for the use of persistent cookies.” (Note: persistent cookies are in use.)

Persistent Google cookies in use by the Pennsylvania Department of Education (retrieved January 22, 2018.)


    • South Carolina: “Once the user closes their browser, the cookie automatically terminates.” and “Any SDE application or Web page that uses ‘cookies’ will identify itself as such. This information is handled in the same way as other personally identifiable information obtained by the SDE. No user information will be gathered through the use of ‘cookies’ except that which is required to run the specific application(s) being accessed by the user.
    • Vermont: “If a persistent Web cookie is required, the Web page discloses to visitors that a persistent cookie is being used.
    • Wisconsin: “Wisconsin.gov uses only session cookies. The information on these cookies is retained by the State only while the user’s session is active in a table that lists the unique identifiers of those currently using the site.
  • Of the 43 state department of education websites found to deploy Google Analytics on their websites, 90 percent were found to be in violation of the service’s Terms of Service. Only 4 state department of education websites were found to be in partial compliance by disclosing some information to users about its presence on their website, including: Colorado, Idaho, Missouri, and North Dakota.

Findings: School District Websites

  • Fewer than one in five school districts (19 percent) included in the study sample (30 of 159 districts) published their school district’s privacy policy on their website. Instead:
    • Forty-five percent of school district websites in they study sample (72) lacked any reference to a privacy policy whatsoever.
    • About one-third of school districts (52) linked to a generic school district vendor policy from their website, describing some of the terms of the contract between the school district and their vendor, but not the relationship between the school district and the visitors to its website.
    • The remaining few school districts in the study sample either provided a link to a privacy policy page on their website that was missing/blank or directed users to a school district vendor’s website home page.
  • Of the 30 school district websites that published a privacy policy, only 19 disclosed the use of ad tracking or surveillance cookies (or related technology) by their sites. Unfortunately, in many cases school these statements were misleading, if not demonstrably false. Consider the following illustrative examples:
    • A school district’s privacy policy includes the statement, “We do not use cookies.” Yet, Ghostery reports that their website has deployed Google Analytics, which sets a persistent cookie on the user’s computer.
    • A school district’s privacy policy includes the statement, “For each visitor to our Web page, our Web server automatically recognizes only the consumer’s domain name.” Yet, Ghostery reports that their website has deployed DoubleClick, Google Translate, and Google Analytics. These trackers record significantly more than the user’s referring domain name.
    • A school district’s privacy policy includes the statement that it, “Does not place a “cookie” on your computer. Will not track your personal movements through the web site.” Yet, Ghostery reports that their website has deployed Google Translate, Google Analytics, and two different Twitter trackers.
    • A school district’s privacy policy includes the statement, “Session specific cookies may be used on [redacted].edu to improve the user experience and for basic web metrics. These cookies expire in a very short time frame or when a browser window closes.” Yet, Ghostery reports that their website has deployed 14 different ad trackers on their home page alone. These trackers set multiple persistent cookies, including some set to expire no sooner than 2 years in the future.
  • Of the 148 school districts in the study sample (i.e., 93 percent) that were found to deploy Google Analytics on their websites, 98 percent were found to be in violation of the service’s Terms of Service. Only 2 districts of the 148 were found to be in partial compliance by disclosing some information to users about its presence on their website.
  • Membership in school district technology leadership programs seem negatively associated with the presence or quality of school district website privacy policies and disclosures. Members of the Council of Great City Schools were slightly more likely to publish a privacy policy (22 percent) and to include disclosures about user tracking (15 percent) than either members of Digital Promise’s League of Innovative Schools (18 percent published privacy policies; 9 percent disclosed user tracking) or the first cohort of CoSN’s Trusted Learning Environment Seal Initiative (17 percent published privacy policies; 8 percent disclosed user tracking).

In sum, the vast majority of state and local education agency websites were found to do a poor job of disclosing their website privacy practices.

Consider that:

  • Only 32 of 51 (63 percent) state education agency websites published a privacy policy that disclosed the presence and use of ad tracking and/or cookies on their sites. And, of those, no fewer than 10 states made misleading or provably false statements about their data collection and privacy practices.
  • Only 12 percent of school district websites (19 of the 159 included in the study sample) published a privacy policy that disclosed the presence and use of ad tracking and/or cookies. And, of the 19 school districts that did so, many made misleading or provably false statements about their data collection and privacy practices.
  • Despite the near universal deployment of Google Analytics user tracking tools on state and local education agency websites, only 4 states and 2 school districts were found to be in partial compliance with Google’s Terms of Service, which require specific disclosures by its customers to their users (including about what it collected and how users can opt out of data sharing).

In the next part, we will examine the state of state department of education websites.

^^ Home  <<Part III: Ad Tracking & Surveillance   …   Part V: State of the States  >>

 

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.