Lacks appropriate detail about personal data collected by cookies.
- 26 collect excessive PII
- 33 collect location information
- 45 have open-ended or undisclosed data retention time limits.
- 40 either have relationships with third parties with implications for children’s privacy, or do not address this in their policies:
- 5 share PII with third parties
- 16 contain third-party ad tracking
- 6 share aggregated user data
- 9 have open-ended policies in this area
- 3 collect or source user data via third parties
- 13 fail entirely to address this issue
- Educ.ar (ARG)
- Aula Em Casas (BRA)
- Eduyun (CHN)
- Swayam App (IND)
- SnapAsk (JAP)
- Telesecundaria (MEX)
- Russian Electronic School (RUS)
- YaKlass (RUS)
- Tatweer for educational services (SAU)
- V School (SAU)
- Vodacom eSchool (ZAF)
- Korean Education Broadcasting System (KOR)
- EBA: Eğitim Bilişim Ağı (TUR)
- EBA App (TUR)
Privacy Red Flags
We also flagged platforms as high risk if their policies failed to properly outline how they protect children’s sensitive personal data, or if they disclosed commercial exploitation of that data.
A full list of privacy red flags can be found in the source datasheet. However, we have also picked out some of the more egregious examples, as follows.
Instead, Scholastic collects a laundry list of PII from Learn at Home users, including name, home address, email, phone and precise location data, along with detailed device and usage data.
The site also features extensive third-party ad tracking and targeted advertising.
In Australia, Cisco’s WebEx videoconferencing platform is recommended by the government in Victoria, where lockdown was reinstated following new coronavirus outbreaks. Unfortunately, not only are Webex-specific policies not very easy to find among the general Cisco privacy provisions, but the personal data collection is also extremely extensive and includes recordings of video calls.
Cisco also claims broad rights over how it can use personal information. Despite disclosing extensive sharing with third parties for advertising and other purposes, the policy includes no active protections for children.
Study Sapuri also had multiple red flags. The platform does not clearly specify what PII it collects, while disclosing that it not only uses the data for ads but also shares data with companies using the service and employs behavioral targeting.
Russian platform Teach.ru collects extensive personal data and employs it for advertising. It also tracks visitors after they leave the site in order to show them targeted ads based on their browsing behavior. Teach.ru is another learning platform with no sunset period on data retention.
Mano in Brazil collects SMS and chat messages as part of its invasive personal data collection. It is also one of four platforms collecting precise location data. Indonesia’s Kelas Pintar also advises that its users should expect that messages can be read.
Mexican platform Aprende 2.0 has perhaps the most disturbing level of personal data collection, in that it collects racial or ethnic origin along with photos or images of faces.
We should point out that there were also a small number of platforms, such as BrainPop and Khan Academy, that we deemed to be Medium Risk, despite extensive data collection and third-party ad tracking. This was due to comprehensive children’s privacy protections that mitigate some of that risk.