Abstract:

Common Sense Privacy has initiated a deeper look into advertising tracking practices in educational technology (Edtech). This paper will begin by covering advertising tracking law and policy as it exists, including GDPR, Federal Trade Commission (FTC) jurisdiction, constitutional foundations, and federal legislation, as well as inroads states have made to protect consumers. Section I will further expose the difficulties of compliance with and enforcement of advertising law as it pertains to tracking. Difficulties of definition and monitoring will be highlighted. In this background section, a survey of existing research will illuminate the impact of trackers on privacy, particularly, for Common Sense Privacy program’s purposes, the impact on student and children’s privacy. Not all trackers are the same and we will need to make meaningful distinctions going forward. For example, trackers can be present on different areas of an application or service (i.e., landing page, registration pages, login pages, or gated content pages) raising concerns about consumers expectations and often implying that the whole product is a safe place. On a more granular level, trackers may seem fine on a landing page, but not login pages where Personally-Identifiable Information (PII) is collected with actual knowledge that the company’s users are children or students. Section II will note the conundrums associated with previous research and tools intended to root out trackers in general, and in the Edtech space, and to monitor their activities for the purposes of transparency, notice, and consent. Barriers to complete and effective transparency will be explored, including structural, technical, and human factors. These barriers include, at the onset, (a) the burden of manual scanning and evaluation of URLs, (b) the layers of ad tracking, flowing between multiple devices and vendors, and, of course, (c) the sheer quantity of websites overall, even when examining Edtech more narrowly.

Common Sense Privacy has completed related work on Android applications that trained a spotlight on the need for this type of work regarding COPPA compliance and protecting children on the internet in general. We have identified a need for additional transparency for the practices of advertising tracking in the Edtech industry, and began this new research project to address this concern. Section III of this paper will explain the development methodology of Common Sense privacy’s latest project to develop a tool that can evaluate 2,000 Edtech-related company URLs to detect whether they use ad trackers. This section will describe the tools used, how we automated the detection process of third-party URLs on these 2,000 domains, and how to categorize which trackers would be considered advertising/tracking related uses based on deference to existing publicly available lists. Section IV will go on to describe the expected results of this research, including the technical challenges that may be encountered, planned analysis of the statistics gathered, and the a hypothesis about the state of the ad tracker industry as it intersects with Edtech used by consumers and educators. Finally, Section V will outline layered solutions to the industry’s gaps in transparency. This section will address recommendations for each stakeholder group involved in the process, from developers interested in privacy by design, to regulators, educators, and consumers who interact with their designs.

Keywords:

Privacy, security, Edtech, students, apps, tracking, advertising.