Privacy & Security

Twitter Dialogue Leads to New Privacy Policy for Popular Ed-Tech Company

By Benjamin Herold — March 10, 2015 5 min read
  • Save to favorites
  • Print

Popular educational vendor Clever has revised its privacy policy, in part thanks to a social-media back-and-forth with a vocal proponent of increased transparency in the ed-tech industry.

The changes to the company’s policy include introducing of a 30-day notification period before any future updates can be made, creating an online log that will allow users to easily track changes to the policy over time, and establishing a more stringent protocol for how student data will be handled in the event of a bankruptcy, merger, or acquisition involving the company.

Tyler Bosmeny, the San Francisco-based company’s CEO, said in an interview that he hopes Clever’s stance would help spur wider adoption of such practices in the ed-tech industry.

“We were guilty of having boilerplate language in [our privacy policy] that is common across a lot of industries,” Bosmeny said. “I would recommend to any company to revisit these key terms. It’s a very easy way to signal your commitment to privacy, and they’re not hard to make.”

Clever, a service that provides a bridge between schools and software providers, is currently used by 30,000 K-12 schools in the U.S.

The company’s policy update comes at a time of increased attention to how vendors handle student data.

Last month, the U.S. Department of Education issued “model terms of service” designed to help school districts ensure that third-party companies are providing proper protections.

The protocol by which a company may alter its privacy policy or terms of service (TOS) was a featured point of the guidance, which states:

A provider that agrees to give notice of TOS changes is good; a provider that agrees not to change the TOS without consent is better.

Many ed-tech companies have long reserved the right to change their privacy policies at any time, without advance notice. That was previously the approach taken by Clever.

The company’s new policy, which went into effect March 3, takes a different tack, however:

If we change the policy in a material manner, for example if we seek to use personal information in a materially different way than we had previously, we will provide at least 30 days notice to the Schools so that you have sufficient time to evaluate the change in practice. Of course, you can always opt-out by deleting your account before the changes take effect.

Developer and open-source software advocate Bill Fitzgerald praised that change, as well as Clever’s move to post both its current policy and all the policy’s previous iterations on Github, a site used be developers that allows for texts to easily be compared.

In a post on his own blog, Fitzgerald called the move a “great step towards increased transparency” that “any ed-tech company can do.”

Bosmeny credited Fitzgerald with helping prod Clever to make the changes.

Last October, Education Week wrote about Clever’s new partnership with the American Federation of Teachers. In response, Fitzgerald took to Twitter to express his concern about the company’s privacy policy:

The discussion prompted Clever officials to chime in—and to commit to making some of the changes Fitzgerald requested.

All of which left me in a bit over my head both technically and legally, but certainly quite interested journalistically:

Four months later, this showed up in my feed:

Fitzgerald “deserves a lot of credit for beating this drum in our industry,” Bosmeny said. “He brought this to our attention, and we looked at it, and said, ‘He’s right, this could be better.’”

Bosmeny said the process of making the changes was not as difficult as some might expect—after the company was able to effectively communicate to its lawyers that respecting users’ privacy needed to be a high priority.

“If you ask a lawyer for a privacy policy, [the boilerplate] is typically what you get back, and they typically err on the side of companies rather than users,” he said.

Perhaps the most significant change to Clever’s policy is its new prescription for how student data should be handled during a “corporate event.”

Last December, my colleague Michele Molnar reported on the bankruptcy sale of ed-tech company ConnectEDU Inc. Despite the efforts of the Federal Trade Commission, the proceeding included the sale of 20 million student records in a manner that was inconsistent with the company’s privacy policy.

Here’s Clever’s original language, pre-changes:

In the event of a change of control: If we sell, divest or transfer the business or a portion of our business, we may transfer information, provided that the new provider has agreed to data privacy standards no less stringent than our own. We may also transfer personal information - under the same conditions—in the course of mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of our business.

And here’s the new language:

In the event of a change of control: If we sell, divest or transfer our business, we will not transfer personal information of our customers unless the new owner intends to maintain and provide the service as a going concern, and provided that the new owner has agreed to data privacy standards no less stringent than our own. In such case we will provide you with notice and an opportunity to opt-out of the transfer of personally identifiable Student Data.

The key differences, Bosmeny said, are that Clever now assures its users it won’t transfer the data to a company that does not intend to remain a “going concern” and commits to providing users with advance notice and an opportunity to opt out prior to any such transfer of information.

Clever is a signatory to the voluntary industry student-data-privacy protection pledge created by the Software & Information Industry Association and the Future of Privacy Forum, a trade association and a think tank, respectively, that are both based in Washington.

The issues addressed by Clever in its policy revisions are not specifically called for in the pledge.

“I’m going to recommend they consider [including] these practices,” Bosmeny said.

See also:

A version of this news article first appeared in the Digital Education blog.