Apps and “I agree” box raise concerns for schools
(District of Columbia) It is both ubiquitous and overlooked – the terms of service contract that pops up and requires acceptance in order for an app to load. And it is of increasing concern to schools as more and more services are being marketed to K-12 students and their teachers.
Known within the industry as the ‘click-wrap’ agreement, the terms of service contract outlines legal protections for the service host and liabilities on a user who would misuse the product.
At issue for school managers is that once a user has clicked the “I agree” box, the terms set out in the fine print govern what information the provider can collect from or about students and what it can do with that information.
As such, schools need to be wary that signing on to some apps might lead to violations of the Family Educational Rights and Privacy Act or the Protection of Pupil Rights Amendment, according to new guidance from the U.S. Department of Education’s Privacy Technical Assistance Center.
“Schools and districts should exercise diligence when reviewing TOS agreements and follow established school and district policies for evaluating and approving online educational services and mobile applications,” the federal report urged.
“This will help ensure that the service or application is inventoried and evaluated, supports the school’s and district’s broader mission and goals, and that the TOS is legally appropriate and compatible with the school’s and district’s policies and procedures,” they said.
There is a broad range of services that should be flagged including programs students use to access class readings, to view their learning progression, to watch video demonstrations, to comment on class activities, or to complete their homework.
Before students should be allowed to engage any new service, the federal guidance suggests teachers or other administrators take a few minutes and actually read the terms of service.
To start, does the agreement explicitly describe how the provider may use and share student data? Key to this disclosure would be how the provider defines “data.”
An acceptable definition would look something like this: “Data include all Personally Identifiable Information (PII) and other non-public information. Data include, but are not limited to, student data, metadata, and user content.”
Federal officials said that schools should be wary of a definition of data that looks something like this: “Data only include user information knowingly provided in the course of using (this service).”
The issue here is whether the provider is embracing a broad range of information in its definition or is restricting the definition and narrowing what can be considered student information.
Another area of concern relates to information that might be gathered by the provider on individual students but compiled into a pool where no individual is identifiable. The so-called de-identification collection is often used to help app designers improve a product or make enhancements.
School managers, the federal report said, should look for a well-documented explanation of what the provider may use de-identified data for:
“Provider may use de-identified Data for product development, research, or other purposes. De-identified Data will have all direct and indirect personal identifiers removed. This includes, but is not limited to, name, ID numbers, date of birth, demographic information, location information, and school ID. Furthermore, Provider agrees not to attempt to re-identify de-identified Data and not to transfer de-identified Data to any party unless that party agrees not to attempt re-identification.”
The federal guidance said schools should be concerned if, again, the provider offers few details about its intent:
“Provider may use de-identified Data for product development, research, or other purposes. De-identified Data will have all names and ID numbers removed.”
Marketing and advertising is another soft spot. A provider engaging in ‘best practices’ would provide full disclosure of what advertising, if any, will be directed at students.
“Provider will not use any Data to advertise or market to students or their parents. Advertising or marketing may be directed to the [School/District] only if student information is properly de-identified.”