The Children’s Online Privacy Protection Act (COPPA) requires that websites, edtech apps, and other digital vendors protect the privacy of children 13 years old and younger. Personal data must be masked and cannot be harvested for sale to other companies or vendors.

At least 50% of online app vendors for young children routinely gather and sell personal data to other sources. You may wonder who is protecting your children’s personal data. Are education vendors taking data privacy seriously?

Ask these nine questions:

1. Who handles the data? Find out if student data will be stored on company servers or backed up in the cloud. Determine who has access to the data center and how secure that access is.
2. How is the data handled? Ask how often the vendor backs up data, and identify firewalls that protect students’ identities. Most importantly, the backups should be redundant in the event of outages and viruses.
3. What do vendors do with the student data? Student data should be collected only for legitimate educational purposes. Expect your education vendors to destroy student data when program use is terminated.
4. Is single sign-on an option? One of the quickest ways to access the multitude of edtech programs students use in the classroom is through single sign-on rather than managing multiple logins and passwords for a single student. Single-sign-on saves time and reduces the likelihood or forgotten passwords, but it can also be a nightmare if education vendors do not take appropriate data security measures.
5. What policies are in place to prohibit selling data to advertisers? Look for clearly outlined policies that prohibit data mining and the sale of that data.
6. How often does the vendor review policies and practices? Education vendors should routinely review their policies and practices, making sure they remain compliant with COPPA and other privacy standards.
7. What does the vendor track and monitor? Personalized learning is making digital experiences more common, and education vendors may want to take advantage of surveillance opportunities to expand their programming.
8. Is the data necessary for learning? If the data has nothing to do with learning, the education vendor doesn’t need to collect it.
9. How are possible data breaches handled? If the education vendor had a data breach in the past how was it treated? If there has not been a data breach, what plan is in place if it happens?

Until the Federal Trade Commission, along with Android and iOS app stores like Google Play and iTunes, take a greater role in checking apps for COPPA compliance, you should take matters into your own hands and ask the nine questions above to determine whether or not your educational vendor takes data privacy seriously.