MySchoolBucks, or Getting Lunch with a Side of Targeted Advertising

MySchoolBucks is an application that is part of services offered by Heartland Payment Systems, Inc, a company in New Jersey. MySchoolBucks processes payments from parents for school lunches.

Before we proceed any further, we must highlight one thing here: this post IS NOT about the federal, state, or local school lunch programs. This post addresses a vendor that has inserted itself between students, schools, and lunches.

The premise of MySchoolBucks is pretty simple. Parents put money into an account on the site. Accounts are tied to a card used by the student to pay for lunch, and the system keeps track of how much money families have in their accounts.

To make this system work, MySchoolBucks collects a parent name, the name of any children enrolled in school, and the school they attend. Parents add money to their MySchoolBucks account via credit card, so MySchoolBucks also processes credit card payments.

However, reading the Privacy Policy of MySchoolBucks shows some oddities that have nothing to do with supporting parents, students, or schools with lunch. It's also worth noting that MySchoolBucks has a "feature" I have never seen before on any other policy: after six or seven minutes, the privacy policy page automatically redirects you to the home page. It's almost like the company doesn't want you to read their privacy policy at all.

But, for those of us who persevere, we discover some oddness in this policy.

In the opening "Glossary" section, MySchoolBucks defines a Business Partner as follows:

"Business Partners" means, collectively, third parties with whom we conduct business, such as merchants, marketers or other companies.

Then, in Section 4, MySchoolBucks states:

We (or our Vendors on our behalf) may share your Personal Information ... with relevant Business Partners to facilitate a direct relationship with you.

So, business partners include marketers, and marketers can be given personal information. As noted above, the personal information collected in this application includes parent name, child's name, and the child's school.

Taking a look back at the glossary, we get this definition of non-identifying information:

"Non-Identifying Information" means information that alone cannot identify you, including data from Cookies, Pixel Tags and Web Beacons, and Device Data. Non-Identifying Information may be derived from Personal Information.

This definition omits that many of these elements can be used to identify you. Thousands of web sites collect this information, which means that there is a large dataset of what this vendor inaccurately calls "non-identifying information."

Further down in the policy, MySchoolBucks states that they share "non-identifying information" pretty freely.

We may disclose Non-Identifiable Information which does not include Protected Data:

  • with Business Partners for their own analysis and research; or
  • to facilitate targeted content and advertisements.

Because Heartland Payment Systems shares what they misleadingly call "non-identifying information" with marketers and 3rd party ad servers with no prohibitions on how it can be used, this "non-identifying" data can be combined with other data sets, and then tied to your precise identity.

Accordingly, the claim of "non-identifying" data is probably accurate from a very narrow legal perspective, but it does not represent the reality of what is possible when data from multiple datasets are combined and mined.

MySchoolBucks also supports login via Facebook, which creates additional problems:

You may register to use our Services using your existing Facebook account. If you opt to use your Facebook account to register to use our Services, you authorize Heartland to collect, store, and use, in accordance with this Privacy Policy, any and all information that you agreed that Facebook, Inc. ("Facebook") could provide to Heartland or Heartland's third party authentication agent through Facebook's Application Programming Interface ("API"). Such information may include, without limitation, your first and last name, Facebook username, unique Facebook identifier and access token, and e-mail address.

The inclusion of the unique Facebook identifier, combined with a device ID (which is likely collected as part of the "non-identifying information") would be sufficient to tie a precise identity to many occasions where a person clicked a "like" link, or shared a link on Facebook. If someone could explain why this information is needed to pay for a 2nd grader's lunch, I'm all ears.
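
The linkage risk described in the paragraphs above can be measured before any disclosure. The following is an added example, not code from the original post or from MySchoolBucks: a small audit a data steward could run. All records, field names and identifiers are constructed, and the second dataset is a hypothetical one held by a recipient.

```python
# All records below are constructed sample data, not real identifiers.

# "Non-identifying" records in the policy's sense: cookie and device data only.
SHARED_NON_IDENTIFYING = [
    {"device_id": "dev-a1", "cookie": "ck-001", "page": "/lunch/balance"},
    {"device_id": "dev-a1", "cookie": "ck-001", "page": "/lunch/add-funds"},
    {"device_id": "dev-b2", "cookie": "ck-002", "page": "/lunch/balance"},
    {"device_id": "dev-c3", "cookie": "ck-003", "page": "/lunch/menu"},
]

# Hypothetical second dataset that already ties the same device ID to a person.
IDENTIFIED_ELSEWHERE = [
    {"device_id": "dev-a1", "facebook_id": "fb-1000001", "name": "Sample Parent A"},
    {"device_id": "dev-c3", "facebook_id": "fb-1000003", "name": "Sample Parent C"},
]


def linkage_report(shared, identified, key="device_id"):
    """Split shared records into those that join to a named person and those that do not."""
    index = {row[key]: row for row in identified}
    linked, unlinked = [], []
    for row in shared:
        match = index.get(row.get(key))  # a record without the key cannot be joined
        if match:
            linked.append({**row, "name": match["name"],
                           "facebook_id": match["facebook_id"]})
        else:
            unlinked.append(row)
    return linked, unlinked


def linkage_rate(shared, identified, key="device_id"):
    """Fraction of shared records that become identifiable through the join key."""
    linked, _ = linkage_report(shared, identified, key)
    return len(linked) / len(shared) if shared else 0.0


def strip_join_keys(shared, keys=("device_id", "cookie")):
    """Mitigation: remove persistent identifiers before records leave the system."""
    return [{k: v for k, v in row.items() if k not in keys} for row in shared]


if __name__ == "__main__":
    print("linkable as shared:", linkage_rate(SHARED_NON_IDENTIFYING, IDENTIFIED_ELSEWHERE))
    safer = strip_join_keys(SHARED_NON_IDENTIFYING)
    print("linkable after stripping keys:", linkage_rate(safer, IDENTIFIED_ELSEWHERE))
```

Stripping the persistent identifiers removes this particular join key only; any field left in the disclosed records that also appears in another dataset needs the same check.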

There are other issues with the privacy policy and terms of service of MySchoolBucks, but getting into the deep weeds of every single issue with the policies obscures the larger point: paying for a kid's lunch at school shouldn't expose the student or parent to targeted advertising.

MySchoolBucks and Portland Public Schools

The site came to my attention a couple weeks ago when I was reviewing back to school emails for my child. My local school district uses this service. I attempted to find any information about this site on the district web site - in particular, any contract that would give more information on how student and parent data use was limited - but found nothing.

To be clear: the lack of information and disclosure from Portland Public Schools is unnecessary, and fosters mistrust.

Portland Public Schools could take three immediate steps to address these issues:

  • List out the district and school level vendors that have been designated school officials. Link to the privacy policies and terms of service of these companies, and upload the text of any additional contracts in place between these vendors and Portland Public Schools.
  • List out vendors used within schools where the vendor has not been designated a school official. Link to the privacy policy and terms of service of these companies. This list would require input and feedback from schools, as they would need to collect up information about the software used within each school to support teaching and learning.
  • Document the process and criteria used to select technology vendors for district wide services. Right now, the decision making process is completely opaque to the point where it's impossible to know if there even is a process.

The distinction between vendors who have been declared school officials and vendors that require parental consent is key, as the rules around data use and sharing differ based on the status of the vendor. The lack of any documentation around contracts is also problematic. Contracts are public documents, and these purchases are made with public dollars.

It's worth noting that this is information that should be on the Portland Public Schools web site already. At the very least, parents shouldn't need to wonder who is processing their children's information. I understand that there are numerous details competing for attention within the district, but at some point, excuses need to stop, and be replaced with results. The current level of awareness and attention to student privacy issues within Portland Public Schools is problematic, at best. The communications about these issues have been factually inaccurate, which begs the question: how can we trust Portland Public Schools to get the complicated issues right when they appear to be missing the basics?