Security & Privacy

Report: Ed Tech Startups Stink at Student Data Privacy

• By Dian Schaffhauser
• 07/14/17

Education technology start-ups are doing a lousy job of protecting the data privacy of the students who use their products. That's not to say they've necessarily suffered data breaches as a result; it's primarily because privacy concerns just aren't a priority. That's the outcome of a research project undertaken by six graduate researchers in public policy and management at Carnegie Mellon's Heinz College. Granted, the sample size was small (six ed tech companies), so a summary of the findings calls them "exploratory, rather than empirically conclusive."

The project's initial intent was to "capture the status quo" of how ed tech startups interact with their stakeholders about student data privacy practices and to identify best practices for those companies and others in the industry in formulating communications plans on privacy.

The research team developed a database of 450 ed tech startups, which they winnowed down to 18 "finalists" based on criteria that included student data privacy risk, staff size, reputation and revenue growth. Ultimately, six companies agreed to participate, which involved going through multi-hour interviews on their privacy and communications practices.

What the master's students found was that aside from adhering to federal and state-level requirements, data privacy wasn't on the radar. What was more important during their first five years of operation was customer acquisition and product development. Concerns about privacy seemed to have no impact on innovation.

Also, because startups are notoriously shorthanded and there's little demand from prospects and customers, they don't bother developing "formal strategies" around their public-facing communications on student data privacy for their external stakeholders. Frequently, they'll "borrow" or adapt sections from competitors' privacy policies or build up their policies only when customers demand it or as compliance laws change.

School districts can influence how the start-ups they work with prioritize considerations related to data privacy. As the summary noted, "School districts were the greatest force for our startups to change their privacy behaviors." However, the report added, the researchers weren't persuaded that districts had the capacity to truly assess technology coming into their schools from the data privacy perspective.

Investors financing these start-ups can also play a role in helping them put "strong privacy practices" into place.

As for the ed tech companies themselves, the research paper advised them to become more proactive. By doing so, they "can position their vigilance as a key differentiator for their product, capture a broader market share, and share in the responsibility for protecting sensitive student data."

The summary of the report's findings can be found on the Heinz College website here.