Laatste update op 13 maart 2021

Spoiler alert: it’s all about ethics.

Schools are struggling with which software applications and websites can be used in the classroom by students when it comes to privacy. Indeed, there is so much to choose from, teachers all have their own preferences but not every website or application is safe to use.

In this article I’ll address several issues, talk you through some best practices that will help you how to go about this in your school. I write this article with the European GDPR in mind, but I guess it will also be useful in other countries, such as the USA. I’ll use an American example, the one that tricked me into writing this post.


First I want to point out that a school should always provide a safe learning place, be a safe space for students, either young and old. Customers (parent, students) may require this from their school. It should be a no-brainer. However, in reality it seems not to be that simple. This has everything to do with how fast technology develops, how we got where we are and, of course, with money. I think there is a way out.

consent form online educational tools

Example of a (not so appropriate) consent form for online educational tools you may come across

The above form was presented by Laura Moy on Twitter, stating “My six-year-old brought home this ridiculous “consent” form yesterday. What am I supposed to do with this? Just glanced over policies of three providers on the list (of 58) and already found one that says it’s “designed to be used by individuals who are over the age of thirteen.

There are several issues with this consent form.

No need

First, the form should not have been presented in the first place. The school did a really good job vetting over 300 apps and marked them with either ‘approved’, ‘consent’ and ‘prohibited’. However, they should have dismissed use of apps that require consent all together. Consent is only one of several lawful bases for data processing and opt-in/consent is not always required. In GDPR terms, the school could simply use the basis ‘contract’ and/or ‘legitimate interest’ to perform their task. Mind you, for this you still need to use tools that are compliant with the laws. And you may have guessed it already, not all of them are (and that’s where they ask for consent). In the end it is about educational responsibility.

For example, ClassDojo is listed by the school as ‘use responsibly’. The International Association of Privacy Professionals (IAPP) says:

Classroom management software, such as ClassDojo and others, provides for behavioral and disciplinary tracking of students. While much of this functionality is a positive for teachers overseeing a classroom with limited resources, there are potentially negative impacts educators must consider.

Sourc: IAPP

So no teacher should use this in the classroom at any case. Schools nor parents should expose their children to this kind of tracking.

Assessing 58 apps/sites?

ODT-database blocked
access to ODT-database blocked

Second, there is no way anyone can make a quick and good assessment whether or not to agree, as no further information is given about the tools other than that the school says they are compliant. The school does it’s best to provide further information about the 58 apps/sites on their site through their ODT database (Online Digital Tools) where screened apps are listed. However, he database itself can only be accessed if you agree to cross-site tracking cookies. Once there, the database does provide useful information, although it does not become clear what tools are used for, what information they gather, share, etc.

And as Laura checked some policies herself, she soon discovered that one of the apps is only suitable for children who are over the age of thirteen. Her daughter is six.

Assessed ODT's database
Assessed ODT’s database

It would be so much easier for everyone to just use privacy-friendly ODTs.

All or nothing

And how is one supposed to opt-out some and opt-in others? The consent form does not provide such a selection. It is simply ’take it’ or ‘leave it’, logically originated by a sense of being practical. This is not being transparent about what happens. In addition this practice of no exception makes it extra hard to say ‘no’ as it is easier for the school. Parents are especially susceptible to that approach, as they don’t want to make it any harder for schools and teachers as it is. However, in this way the school avoids its accountability. Presenting the form in this way, creates four issues:

  • ethical: they use group pressure in this way to consent, as children of parents who say no, are at risk of social isolation because of alternative instructional activities (hey, so the instruction can be done in another way).
  • judicial: pressure means that consent is not freely given, people feel forced to say yes (group pressure and school pressure).
  • judicial: the form lacks transparency about the processing of personal data per application
  • judicial: what they do when a parent withdraws consent?

In this way the school does not take enough measures to actually provide a safe learning space.

It can be done

As a privacy officer of a large school for vocational education with over 17,000 students, I am familiair with the topic. We cannot ask parents to consent: we need to ask the students themselves as almost everyone is over 16. GDPR says freely given consent is almost impossible to prove because of the imbalance in power when a school/teacher asks a student to use a certain product. So, we actually can’t ask consent in this power relation.

We solved it simply by not allowing the use of unsafe tools all together. So we wrote a sound policy in which we (obviously) choose to only use products that are privacy-friendly and compliant. So we screen all apps/websites/tools that we know of teachers like to use and tell them which options they have. This way we can use tools in the classroom without the need to ask consent. In addition we work together with other schools to find privacy-friendly alternatives when a certain app is discouraged and we share best practices. The teachers are actively involved in expanding the list of usable ODTs and alternatives.


When you assess digital tools, there are of course several topics you can take into account. Usually the information this check provides, is enough to assess whether an app is safe to use or should be discouraged/prohibited, as a suggestion:

  • privacy statement available (if yes, is the content compliant with the applicable legislation), and is it transparent or vague/broad?
  • cookie statement available (if yes, are the cookies presented in privacy-friendly way), is it transparent or vague/broad?
  • is marketing tracking performed (if yes, is it opt-in or opt-out)
  • is information being transferred to third parties?
  • https available?
  • bothering Facebook pixel?
  • contact information available?
  • contractual agreements possible (like a data processing agreement)?
  • simple protection/safety test

Decision tree

Or use a decision tree to decide which tools you can use as a teacher (I’ll try to find time to actually “tree” this text):

  • Does the tool requires personal information?
    no? use
  • yes? – is the application offered by your school?
    yes? use
  • no? – do users need to login or make an account?
    no? use
    yes? – ask the privacy officer of your school to screen the app (may in addition a data processing agreement is required).

ODT suggestions

In the next list you will find suggestions for the use of online educational software like apps/websites/tools in the classroom. I hope this will be of use to you. It will be expanded with the list from the consent form in this article. In addition I will add the aspects that were taken into account for the advice.

123testindividual tests, assessments, IQ-testpersonal use only, not advised for privacy reasons (trackingcookies/no opt-out)
Adobe Sparkcreation of visual storiesteacher only
Autodesk (Fusion 360)drawing programlicensed-based
Blender3D creation suiteyes (local download, management for updates required)
Core TalentsCore Talents Analyseronly for personal use (employees/consent)
CumlaudeELOcontractual agreements necessary
Datumprikkerappointment plannercontractual agreements necessary
Doodleappointment plannernot GDPR-compliant
Dropboxfile sharing cloud servicecheck whether the school offers contracted alternatives
Eventbriteevent organiser and ticketing systempersonal use only, not advised for privacy reasons
Gallup Clifton Strength Finderdevelopment strengthspersonal use only, not advised for privacy reasons (trackingcookies/no opt-out)
Google tools (forms, etc.)a selection of online toolsNot privacy-friendly. Check whether the school offers contracted alternatives
H5Pgeneration HTML5-contentcontractual agreements necessary
Hypothes.isannotation of websitesnot GDPR-compliant
IAT implicit Association Test Harvardnot GDPR-compliant
Intodrivesmotivational factors scanonly for personal use (employees/consent)
Kahoot!online learning toolsteacher only
Learningappsonline learning toolsteacher only
Lesson upinteractive digital lessonsteacher only
Mailchimpemail newsletterscontractual agreements necessary
Mentimeterinteractive presentationsteacher only
Microsoft 365office applicationscontractual agreements necessary
Mindmaponline mindmappingteacher only
Mindmeisteronline mindmappingnot GDPR-compliant
Nearpodonline learning toolsteacher only
Padletsharing information through widgetsteacher only
Peergradeonline peer feedback not GDPR-compliant
Plickersonline learning tools/quizteacher only
Preziinteractive presentationsteacher only
Quizletonline learning toolsteacher only
QuizToolsquiz systemyes (anonimised tests only)
RoundMecreation of virtual toursteacher only
Schoolgesprek.nlappointment plannercontractual agreements necessary
Socrativeonline learning toolsteacher only
SurveyMonkeyonline survey toolcontractual agreements necessary
TMA Analysetalent developmentpersonal use only, not advised for privacy reasons (trackingcookies/no opt-out)
Tricidersource for inspirationteacher only
Weeblyonline website buildingnot GDPR-compliant
WeTransferfilesharingfree version not safe enough
WhatsAppchatappcommunication with students on initiative of student/employee
Wheel Onlineturn chooserjust surnames
Wickronline website buildingnot GDPR-compliant
Wixonline website buildingnot GDPR-compliant
Wordpress onlineonline website buildingnot GDPR-compliant

* teacher only means that the teacher may choose to open an account for themselves and work from there with the class. For example Quizlet and Kahoot! are quite useful without student accounts.

Also check for privacy-friendly tools.

These suggestions are open for feedback. If any company should feel an assessment is not accurate, please notify me.


And in this case, maybe also read about the MCPS approach, their database and the MCPS data breach. It happens.