Privacy Policies: Risk Mitigation and Strategy

Privacy Policies and Terms of Service specify the rules under which an application can be used. They cover a lot of ground, and in this post, we are going to leave a lot out and focus on one specific element of the policies: how data collected by an application gets handled if the structure of the company changes.

In earlier posts, we have described how data collection within education differs from data collection in consumer technology. In general terms, educational applications will require data to support a learner, and collect data about that learner as they work. The context within which that data is collected is pretty focused: it supports a learning process as defined by the software. In theory, the learner gets a benefit, and the data trail documents the process by which the learner earned the benefit.

If a company is sold, merges with another company, or goes out of business, the context within which data is collected and used has the potential to shift. Currently, most privacy policies treat a sale, a merger, or a bankruptcy as identical events, and most companies claim that learner data is an asset that can be sold as part of any of these deals. However, it's useful to look at how the context within which data can be collected or used can shift.

In many sales or mergers, the function of the application will remain largely unchanged. If two companies that offer online quizzing software merge, the data trails collected and stored pre-merge will be used in comparable ways post-merge. The same can often be true for a sale - there are many scenarios where one company could be acquired by another and the learning supported by the app continues uninterrupted.

However, bankruptcies are a different situation. In bankruptcies, the company is going out of business, or the company is getting broken up into smaller pieces. The context within which data was originally collected no longer exists. In these situations, if data is treated as an asset to be sold, it can end up being used completely outside an educational context, in ways never intended by the learner. The main reason to reserve this right is as a hedge against failure: this allows investors to recoup losses on the backs of people who trusted the application.

Clear and direct Terms of Service and Privacy Policies make an application better. They eliminate ambiguity. However, there is no need for a strong service to claim rights over learner data if the original service is going away. If an edtech company is a service that supports learning, then the value is in the service, and the learning supported by that service - not in the ability to sell learner data. If, however, learner data is claimed as an asset, then the software is really a data collection tool with a specialized interface. While one purpose of privacy policies and terms of service is to define the rules that govern how an application is used, these policies also give us a glimpse into the larger strategies of the company.