On September 18, 2014 Lisa Shultz, public education advocate and member of the Parent Coalition for Student Privacy, tagged @leoniehaimson and @parents4privacy in a tweet about Pearson’s new collaborative partnership with an edtech startup called LearnSprout. Her tweet linked to a public document (link now here) that listed the data schema used for their product. At the time we knew little about the company, but their name was familiar because they had once been listed as a partner of inBloom.
Lisa’s tweet also caught the attention of Paul Smith, Marketing Director for LearnSprout. He quickly engaged in a thoughtful and productive Twitter exchange between @lisa4schools, @leoniehaimson and @parents4privacy. In 140 characters or less, we asked Paul numerous questions about the types of data his company collected, how they used the data, their data retention and deletion policies, and how they contracted with schools and school districts. Though Paul did his best to field the barrage of questions, we agreed it was best to take the conversation offline.
Further, to sign up for this free service, the “customer” or school employee simply accepted the “click wrap” agreement. There was no negotiated contract between LearnSprout and the school/district – a teacher or administrator merely agreed to the Terms of Service which, of course, favored LearnSprout by stating: “We reserve the right, at our discretion, to change the Terms on a going forward basis at any time. Please check the Terms periodically for changes.”
Upon learning more about LearnSprout, we were clear with Paul that we disagreed with the underlying principles of their service and would we never endorse their product because we believe strongly that profiling individual students – no matter how pure the intention – stigmatizes children and can harm or limit their future chances for success. We also insisted that the “click wrap” agreement insufficiently protected schools/districts (and their students) and at the very least LearnSprout should require an electronic signature so the school employee signing up for the service would consider the gravity of his/her decision before sharing sensitive student data. Paul assured us that he understood our position about the value of the service but respectfully disagreed, and he was committed to improving their “onboarding” process. With that behind us, we started digging into their policies.
- If LearnSprout should go bankrupt, all data in its possession will be deleted in 30 days.
- When the Terms of Service are changed, customers will be notified and must accept the terms in order to continue using the service.
- They post on their website the full data dictionary of what data they store for schools/districts.
- Breach notification within 24 hours of a suspected incident.
- Student’s personally identifiable information will not be used to improve or enhance LearnSprout’s products or services, and will be removed 60 days after the student is not longer enrolled in the school/district.
Paul’s collaborative nature and sincere desire to improve their policies set a great example for other ed tech companies to follow. We still don’t agree with LearnSprout’s business goals but we do believe they are a leader in forging partnerships with parents and advocates to safeguard the data entrusted to them. Our hope is that others will engage in equally civil and productive dialogue.
(Correction: The previous blogpost stated that LearnSprout would “backdoor” SISs. The term “backdoor” was an oversimplified description of the technical process, and was not intended to imply that LearnSprout was accessing student information stored in the SISs in an unauthorized manner.)