One of the biggest pain points for school districts when assessing education companies’ student data privacy practices is that the process is time-consuming and difficult.
It’s hard to pick out the most responsible actors when it requires knowing what federal and state laws require for the ethical handling of student data and sensitive information — and what the best strategies are for staying in front of those demands.
Several organizations, like 1EdTech, have developed privacy certification or seal programs to help ed-tech companies demonstrate compliance with student data privacy standards.
But not all such programs have endured. Initiatives like the Future of Privacy Forum’s Student Privacy Pledge have been discontinued, reflecting the challenges of maintaining voluntary standards in a shifting technological and regulatory landscape.
About This Analyst
Daphne Li is the CEO of Common Sense Privacy. She has worked at the intersection of education, technology, and healthcare for decades, and has helped launch and scale numerous technology-based startups, as well as identify and develop new growth areas for Fortune 500 brands. She previously led strategy and partnerships at Apple Education and helped scale healthcare technology companies as managing director at Health2047, the innovation arm of the American Medical Association.
To try to aid district customers in identifying companies with privacy-preserving products and to help position education companies as credible organizations in this space, Common Sense Privacy launched its privacy seal program last month, aimed at promoting best practices in the sector, rather than just encouraging ed-tech vendors to meet minimum requirements.
EdWeek Market Brief recently spoke to Daphne Li, CEO of Common Sense Privacy, about how her organization evaluates companies through its comprehensive multi–step process, what it takes to meet all of the requirements, and what having the seal means in an increasingly competitive ed-tech market.
Why did Common Sense Privacy see a need for this new privacy seal?
Privacy policies tell users how their data is collected and used, but policies have transformed from simple agreements into long, complex legal documents that few people, let alone hard-working parents and educators, have the time or training to decode.
This comes at a time when AI advances make it more critical than ever to understand privacy protections. For companies, an explosion of new privacy laws creates a patchwork of requirements, and new technologies lead to confusing privacy choices.
So if there’s a void, how do you believe your effort will fill it?
All this complexity makes having a single source of trust like the Common Sense Privacy Seal more important than ever and more valuable to everyone. For companies, we’re giving them a clear benchmark and recommendations on how to get there. For consumers and educators, we’re giving them confidence at a glance.
There was a study I saw that said, of the people at a district who were responsible for privacy, 17% got no privacy training at all, and 25% of people who did, paid for it themselves. And 65% of them said that they were either extremely or very concerned about understanding what ed-tech vendors’ privacy and security practices actually were.
So we just felt like there were not enough tools and resources out there. We really wanted someone to be able to, at a glance, know if a product was one of these best practice products that were really privacy-preserving. If you’re a company, you can’t self-declare, “We’re the best.” You need someone else [to say that].
How does Common Sense Privacy’s seal differ from other similar types of privacy certifications?
The seal is based on best practice, and not just compliance. If I’m choosing a math app for my kid, I want to find one that offers the most protection. Compliance is just table stakes. I’m really looking for the best actor, and the challenge is, how do you do that?
I read one study that said, if you read the privacy policy of every website you visited, it would take 46 hours. And there’s no guarantee you actually understand what it says because a lot of it is wrapped up in legalese. So it’s unfair to put the burden on parents and teachers and schools who are already completely overloaded. They don’t need one more thing, especially where they’re not experts.
Join Us for EdWeek Market Brief’s Virtual Forum
Join our virtual forum June 10 & 11, 2025, to hear directly from school district leaders and industry peers about important trends playing out in the sector—and the support school systems need from education companies.
Can you break down the requirements of the privacy seal?
If I’m a customer, I have a very reasonable expectation that if I’m using somebody’s product, I might have to give them data so they can provide me with their services. I’m fine letting, say, a math app track how much time my kid is spending on that app because I want to know, are they actually working on their math?
I’m also fine giving age or grade [information] because you want the age-appropriate content. What’s not OK is if that product then takes all that personal data and then turns around and shares my information with third parties that I don’t have any relationship with.
What other behavior is out of bounds?
We have six prohibited things, and they’re all variations on that principle. This includes data sales, third-party marketing, targeted advertising, third-party tracking, cross-app tracking, and commercial profiling. For us, best practice around privacy completely rejects the idea that the user is ever the product.
What is the process like for companies to earn the seal?
It’s a super rigorous process with an over-200-point rubric. Common Sense created this rubric years ago, and they partnered with academics, with regulators, with Big Tech, with a consortium of schools, and over time, we’ve built on the rubric.
We wanted to include people who would benefit from these evaluations to create the rubric. On top of that, our privacy analysts will meet with each recipient before we award the seal, and it goes through all 200 points, and they’ll interview them to find out how things actually work.
What do some of those evaluation questions look like during the interview process?
One of our recipients is Kahoot, and Kahoot has a lot of integrations — video players and other partners. When we evaluated Kahoot, we not only evaluated what they did in terms of privacy, but what data did they collect, how they used it, and how they protected it. We also looked at each one of their integration partners, the agreements they had with their integration partners, and how they worked with them.
Because if Kahoot is sending data to an integration partner, and an integration partner starts selling it, then that is not privacy-preserving. So we did a super-deep dive around that entire ecosystem.
What else do companies have to do to meet the requirements for the privacy seal?
The company is also obligated to regularly give us updates, letting us know when they’re making major [changes]. And we don’t just rely on the company. We also, on a regular basis, do checkups. Some of the companies proactively let us know when they’re thinking about making a change, but we also do it at least on a quarterly basis. The seal is something that you have to continue to earn over time, and it can be revoked.
How will your process change as privacy regulations and technology evolve?
We have expanded it as new laws have come up and as new technologies have become more prevalent. In January, the FTC amended COPPA, so we made sure that the rubric still addressed not only best practices, but all relevant laws.
In January, there were also five new state privacy laws enacted, so all of those are now incorporated into the rubric. With new technology, a lot of people are very excited, very curious, but also a little wary of AI. So the rubric covers privacy and AI as well. Privacy is not a ‘set it and forget it’ type of exercise because laws change, and businesses change.
You mentioned this process is quite rigorous. Are most companies applying for the seal successfully passing your requirements?
Right now, only 10% of companies that we see actually meet the seal criteria. That percentage can be much higher because a lot of the companies, particularly in ed tech, are not trying to do the wrong thing. A lot of it is that people either aren’t aware of requirements or don’t necessarily know the downstream implications of some [actions].
If you’re a company, you can’t self-declare, “We’re the best.” You need someone else [to say that].
For companies that don’t meet the requirements, where does the conversation go from there? Do they get a second chance?
Our overall mission is to try to raise privacy standards for everyone. We meet companies in different places and at different levels of maturity when it comes to privacy, so we absolutely want to encourage everyone to do better. So yes, we do provide feedback. And if people are able to make changes and implement best practices, we are always happy to reevaluate them.
What has the industry reaction been like for this new privacy seal program?
Most companies want to do better, and they want help in doing better. For the people who don’t have the seal, a common thing we hear is, “How can I do better?” For companies who already qualify, what we hear from them is, we’ve been trying to incorporate privacy by design for a long time now, and now they’re really excited to have something like the seal to candidly raise awareness among their users and as a way to help schools and parents make more informed choices.
What role do you see Common Sense’s privacy seal playing in a broader movement toward ethical ed-tech development?
We’re hoping that having the seal will just put more information out there that people can incorporate into their choices. We can apply this to a lot of new technologies as they continue to evolve and merge.
Privacy can seem daunting, but it actually is very doable. A lot of companies we see want to do better, but they don’t always have the rubric to know what is a better practice. We’re hoping that this seal puts a spotlight on best practices and creates a beacon for a higher standard.