October 6, 2016 | By Sophia Cope and Jeremy Gillula

Google Changes Its Tune When it Comes to Tracking Students

Now that schools are back in full swing, we thought it would be a good time to check in on what’s happened in the student privacy world since we submitted our FTC complaint about Google’s practices a little under a year ago.

The main complaint in our FTC filing was that, based on all the publicly available information we could find, it appeared that Google was tracking students and building advertising profiles on them when they navigated to Google-operated sites outside of Google Apps for Education (GAFE).

At the time, Google’s publicly posted privacy policies explicitly said that Google would not build profiles on students or serve them ads when they were within GAFE services. But based on those same privacy policies, it appeared that if a student logged in to Google using their educational account and then visited a non-GAFE Google-operated service (such as Maps, News, or YouTube, to name a few), Google would associate their activity with their educational account, and then serve them ads on at least some of the non-GAFE services based on that activity.

This assumption was also bolstered by the fact that, at the time we filed our FTC complaint, GAFE accounts had the same options for enabling and disabling targeted ads as normal Google accounts—again leading us to believe that Google was targeting ads at student accounts on non-GAFE services.

Google Changes Its Tune (Maybe)

Needless to say, our complaint garnered quite a bit of attention—including that of Senator Al Franken, who sent Google a letter asking  some detailed questions about its privacy practices. As part of its answer, Google for the first time explicitly stated that even though they do collect information on students’ use of non-GAFE services, they treat that information as “student personal information” and do not use it to target ads.

Additionally, after we filed our complaint, Google published a new GAFE “privacy notice” (which Google is now calling “G Suite for Education”). The webpage was subsequently updated at least couple times this year and currently states, “For Apps for Education users in primary and secondary (K-12) schools, Google does not use any user personal information (or any information associated with an Apps for Education Account) to target ads, whether in Core Services or other Google services accessed while using an Apps for Education account.” 1

Finally, Google changed the ads settings page on GAFE accounts to state that “Google does not use your personal information (or any information associated with your Google account) to target ads while you are signed in to this account.” Here is a screen shot:

Google's new ads settings page for GAFE accounts, which says that "Google does not use your personal information (or any information associated with your Google account) to target ads while you are signed in to this account."

It’s not clear precisely when these changes occurred. It’s also not clear if these changes represent an actual change in Google’s policies, or if they just reflect Google changing how it explains what its policies have been all along. But either way, we can only conclude that even though the FTC has yet to make a decision on our complaint, our decision to shine a light on Google’s practices when it comes to student data has ensured that Google is not targeting ads at students on non-GAFE services when (K-12) students are logged into their Google educational accounts.

A Partial Victory

We shouldn’t start celebrating yet, though. For one thing, the core of our FTC complaint—that Google collects data on students using non-GAFE services without parental consent, despite having promised not to do so—remains. Google is also still collecting a huge amount of information from students for other purposes, including device information (such as hardware models, operating system versions, and unique device identifiers) and log information (such as queries, system activity, and hardware settings). Even if it’s not using that data to target ads, it’s not clear why Google thinks it should be allowed to keep and retain that data for anything other than directly providing a service to the GAFE user, especially when it knows the data comes from a GAFE account—many of which belong to students under the age of 13. This implicates COPPA, which prohibits companies like Google from collecting children’s personal information and using it for commercial purposes without parental consent.

Additionally, it appears that Google has only stopped targeting ads at K-12 student accounts on non-GAFE services. If your college or university is using GAFE then all bets are off.

It’s also still extremely difficult to figure out what Google’s actual privacy practices are when it comes to students. That’s because instead of posting a single, “one-stop shop” privacy policy for student accounts, Google says in the G Suite for Education Privacy Notice:

“This Notice is generally consistent with the Google Privacy Policy and the Apps for Education agreement. Where there are terms that differ, as with the limitations on advertising in Apps for Education, the G Suite for Education agreement (as amended) takes precedence, followed by this Privacy Notice and then the Google Privacy Policy.” (emphasis added)

In other words, if a concerned student, parent, teacher, or administrator wanted to figure out exactly what data Google is collecting and how it is using that data, she must cross-reference three different documents—not exactly a simple task. You shouldn’t have to be a privacy lawyer to understand a privacy policy—especially one dealing with information about students. Google should have one student privacy policy  with clear, straightforward terms—and not rely on some legal hedging and cross-referencing to cover its behind.

Finally, we are disappointed that Google is using a form contract (the G Suite for Education Agreement) that summarily states that Google is a “school official” under FERPA, the federal student privacy statute (see Section 7.7). This is to get around the rule that districts and schools (that receive federal money) may not share student personal information with companies or permit them to collect information on students, without parental consent. However, a third party may only be deemed a “school official” if four criteria are met, and we have not seen any indication that Google is working with schools to either legitimately become “school officials” or consistently obtain parental consent before students are assigned Google accounts.

In sum, it appears that our FTC complaint has spurred some positive changes in how Google operates—or at least discusses how it operates—student accounts. But there is still room for improvement. While Google and other “ed-tech” companies may bring valuable technology to the classroom, they must respect the privacy rights of students—especially minor students—and adjust their data practices accordingly.

  • 1. The privacy notice also states, “Google does not serve ads in the Core Services or use personal information collected in the Core Services for advertising purposes.” But this is something we have never questioned.

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

.@zeynep Agreed. While key mgnt choices are complex & security critical, it may be unfair to call them backdoors. https://www.eff.org/deeplinks...

Jan 23 @ 6:52pm

EFF is on @CREDOMobile's January ballot! Your votes help us get more of the $150K+ donation pool. https://www.credodonations.co...

Jan 23 @ 5:22pm

Trump's nominee for Attorney General, Sen. Jeff Sessions, wants the government to be able to "overcome" encryption: https://www.eff.org/deeplinks...

Jan 23 @ 4:47pm
JavaScript license information