13 min read
Update, 08 October 2015: Since this post was written, I have had the opportunity to talk with people within ClassDojo. In these conversations, we candidly discussed the issues raised in this post. The team within ClassDojo listened, and incorporated this feedback while they updated their policies. In short, they were responsive to constructive criticism, and improved their terms. I would love to see other companies follow their example. End update
Jumping into the details, ClassDojo defines that they will put your personal information to use. In the "Information You Provide To Us" section, they state:
The Personal Information you provide is used for such purposes as responding to your requests for certain information, products and services, customizing the content you see, and communicating with you about specials and new features.
This sentence - particularly the phrase "communicating with you about specials" - appears to indicate that they can mine your data to sell to you. Given that ClassDojo is a free online service, what would constitute a "special"? Will they somehow make it more free?
Moving on, they have language related to COPPA, which allows Class Dojo to be used with children under the age of 13.
If you are a student under the age of 13, please do not send any Children's Personal Information about yourself to us, other than what we request from you when you sign up for the Services. In the event that we learn that we have collected Children's Personal Information from a student under the age of 13 without having obtained parental consent, or if we learn a student under the age of 13 has provided us Children's Personal Information without parental consent, we will delete that information as quickly as possible.
In this section, they note that parental consent is required. However, it's completely unclear whether, once an account has been created for an under 13 student, the student can or can't share information. The Terms of Service, discussed below, also have problematic language around COPPA. Also, given how they describe "deletion" in their policies (which is discussed later in this post) it's not entirely clear what they mean when they say "delete."
Moving on, the policy notes that, for teachers, they combine data from multiple sources.
We also compare our non-student user list to lists received from other companies
Translated, for teachers who got signed up to use ClassDojo via your school or district: congratulations! These terms mean that your personal information can be mined, and included in a larger data warehouse, all as a precondition of doing your work!
The reason that ClassDojo reserves the right to combine your data with external data sources becomes more obvious when they describe their relationships with third party companies.
In certain situations, businesses or third party websites we have relationships with may sell items or provide services to you through the Website (either alone or jointly with us). We may, for example, sell products or provide services jointly with affiliated businesses, or work with third party websites to enhance your online experience. These transactions or services may or may not be commercial in nature;, but we will not share your Children's Personal Information in connection with any commercial third party transaction or service. You can recognize when an affiliated business is associated with such a transaction or service, and we will share your Personal Information or Children's Personal Information with that affiliated business only to the extent that it is related to such transaction or service.
Translated: ClassDojo has partnerships with other companies selling products and services. Your contact info can be used as their rolodex. ClassDojo also differentiates between what they call "Children's Personal Information" and "Personal Information". As they define it, Childrens's Personal information is information from students under 13; Personal Information refers to information from everyone 13 and over.
The language here, however, appears to be contradictory. On the one hand, they say, "we will not share your Children's Personal Information in connection with any commercial third party transaction or service." But, in the next line, they say that they "will share your Personal Information or Children's Personal Information with that affiliated business only to the extent that it is related to such transaction" - so, they won't share any information, right up until they share the information.
Business Transfers: In some cases, we may choose to buy or sell assets. In these types of transactions, user information is typically one of the business assets that are transferred. Moreover, if Company, or substantially all of its assets were acquired, or in the unlikely event that Company goes out of business or enters bankruptcy, user information would be one of the assets that is transferred or acquired by a third party.
In other words, your information is their product. Recently, the FTC stepped in to block a sale of student information when ConnectEDU went bankrupt. The ClassDojo terms appear to remove any doubt that user information can be sold whenever ClassDojo wants to sell it.
Moving on, we get to some curious language around the definition of "delete." The language ClassDojo uses around cancelling and deleting an account doesn't specify what personal information they retain, or what actually gets deleted.
Please note that some information may remain in our records after deletion of your account. Further, information may remain viewable elsewhere to the extent that it was copied or stored by other users. We may use any aggregated data derived from or incorporating your Personal Information after you delete your information, but not in a manner that would identify you personally. If your personal information changes or you no longer desire our service, you may correct, update, delete inaccuracies, or remove it by making the change within your profile settings or by contacting us at @classdojo.com; we will respond to your access request within 30 days.
If any ex-user of ClassDojo has gone through the cancellation and deletion process, I would love to hear about that experience. However, given that ClassDojo claims that user information is an asset, they should specify if they respect a person's right to remove all of their information from their system.
This also complicates what they mean (or don't mean) when they describe deleting a users information in response to a COPPA violation. If they have the ability to fully delete a user's information in response to a COPPA complaint, they should offer that as an option to all users. If they don't have the ability to fully delete a user's information, it's hard to see how they can be in full compliance with COPPA.
So, if they can delete information fully, they should do that for all users. If they can't do that completely, their COPPA language isn't accurate.
Moving on to the Terms of Service, ClassDojo retains the right to change their terms at any point, at their discretion.
Company reserves the right, in its sole discretion, to modify this Agreement on a going forward basis at any time by posting a notice on the Website, or by sending you a notice via email, provided that such changes will only be effective upon the earlier of (a) your use of the Service with actual knowledge of the change, and (b) thirty days following the publication of the modified Agreement on the Website, and further provided that disputes arising hereunder shall be resolved in accordance with the version of the Agreement in place at the time the dispute arose. You shall be responsible for reviewing and becoming familiar with any such modifications.
While this language is very typical of many edtech applications, it shows a complete disregard for people who use their service. Just once, I would like to see an educational technology company commit to giving users both ample notice, a clear explanation, and an opt out window in response to any change in the terms of service.
As an aside, it would also be great to see companies maintain annotated changelogs of their privacy policies and their terms of service. These logs could include a summary of changes, the items that were changed, and why.
Under the "Registration" section, they address some language specifically to children under the age of 13:
You understand and acknowledge that the Childrenâ€™s Online Privacy Protection Act (â€œCOPPAâ€) prohibits online service providers from knowingly collecting personally identifiable information from children under 13 years of age without verifiable parental consent (â€œConsentâ€). Persons who are 13 or younger are prohibited from using the Services without verifiable parental consent. By using Services, you represent and warrant that (a) you are over the age of 13 or (b) if you are under 13, you have provided Company your parent or legal guardianâ€™s actual and current email address, and that any response sent to Company in response comes from your parent or legal guardian.
While this language likely satisfies legal requirements, it's a little ridiculous. It would be fun to go through just this paragraph this with a room full of ten year olds and see what they made of it.
Moving along, they address FERPA requirements in one of the more roundabout ways I have seen.
FERPA. Certain information that may be provided to Company by teachers and other users, such as student directory information and performance metrics, may be considered an educational record (â€œEducation Recordâ€) under the Family Educational Rights and Privacy Act (â€œFERPAâ€). If you are a parent or student, you hereby authorize and consent to Company storing and accessing such Education Records, and if you are a teacher, you represent that your school or district has obtained all necessary consents to share such Educational Records with Company, in each case, solely to enable Companyâ€™s operation of the Services from your parent, legal guardian, or other person authorized to provide such permission.
So, let's look at the user flow here. Let's say, over the summer, a school adminstrator signs up their school for ClassDojo. Five teachers within that school register their classes. According to this language the teachers are now on the hook for ensuring that the admin has done their due diligence. Leaving that highly questionable position aside, when the students from these five classes show up on the first day of school, they are told that their teacher will be using this new online tool. Maybe information about this tool gets sent home to parents. But, by virtue of the teacher and the student using the system, ClassDojo assumes that both students and parents understand their rights under FERPA, and are therefore okay with signing off on FERPA requirements. In short, by the time anyone wants to exercise their rights under FERPA, it's too late.
Given that ClassDojo claims that data stored within their application is an asset that can be transferred, this position is predatory at best.
The ClassDojo terms of service also do a wonderful job highlighting the tenuous nature of "free" services.
Access to the Services is currently free for general users, but in the future, we may offer special features (including, without limitation, exclusive Content and/or features) which Company may charge for. Therefore, Company reserves the right to require payment of fees for certain Services.
One way of reading this section is that ClassDojo is free for now, but that they reserve the right to charge at any point. For districts, schools, and teachers, this clause should really lead you to ask about how you get your usage data out of ClassDojo.
If ClassDojo doesn't support an API for data migration, and/or doesn't export data using an open format, schools and teachers should be aware that using ClassDojo means that they are tossing student and teacher information into a hole from which it cannot be retrieved (unless you are a marketing/sales partner of ClassDojo).
Two notes here: if ClassDojo does support data migration out of the system, please let me know. I'll update this post with the relevant information. However, even if ClassDojo does support migration, they still appear to be claiming your data as an asset they can buy or sell, which means that using ClassDojo turns students and teachers into product.
Moving on, the terms also include a provison that attempts to bar class action lawsuits.
No Class Actions. YOU AND COMPANY AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING. Further, unless both you and Company agree otherwise, the arbitrator may not consolidate more than one personâ€™s claims, and may not otherwise preside over any form of a representative or class proceeding.
This is a highly defensive position. Given the odd sequence of parents signing off on FERPA, outlined above, I wonder how this would fare if challenged. I'm not a lawyer; if there are lawyers reading this, I'd welcome a more informed take on this than I can offer.
In closing, one of the things that ClassDojo has done well is to have Terms of Service and Privacy policies that are more human readable than other companies in the technology space. However, given that one of the uses of Class Dojo is to transform the classroom into a Skinner box, the fact that student learning becomes a business asset is troubling. They could run their business without being so possessive of learner information. If they renounced the position that user information was their asset, they could focus on building solid partnerships that added real value to their platform.