Clever Updates Their Privacy Policy, and Does It Well

Clever recently updated their privacy terms, and their method and process provide a good example for other companies to replicate.

First, they checked their privacy policy and terms of service into GitHub. This is a simple step that any edtech company can do. By having terms checked into git, we automatically get an annotated changelog of how terms evolve. This log is a great step toward increased transparency. All companies are using some form of version control to manage their codebase; extending this to their terms of service and privacy policy is incredibly straightforward.

In terms of the actual content, Clever made two substantial changes around how data is treated in case of a sale, transfer, or bankruptcy.

Here is Clever's original language, before the updates:

In the event of a change of control: If we sell, divest or transfer the business or a portion of our business, we may transfer information, provided that the new provider has agreed to data privacy standards no less stringent than our own. We may also transfer personal information – under the same conditions – in the course of mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of our business.

Here is Clever's updated language, after the updates:

In the event of a change of control: If we sell, divest or transfer our business, we will not transfer personal information of our customers unless the new owner intends to maintain and provide the Service as a going concern, and provided that the new owner has agreed to data privacy standards no less stringent than our own. In such case we will provide you with notice and an opportunity to opt-out of the transfer of personally identifiable Student Data.

The updated language contains two important distinctions. First, the terms now clearly state that personal data will not be transferred as part of any transaction unless the buyer is going to maintain the service, and do so under sound policy. This goes a long way toward mitigating the risk of another ConnectEdu or Corinthian Colleges fiasco.

The second important change in this section is that the terms now guarantee notification in case of sale, paired with user opt-out of data transfers. This puts control in the hands of end users. I'm also assuming here that end users could be both schools that contract with Clever, and people who attend those schools.

The last line of the policy shows an additional minor change: the privacy policy has the date the policy was updated, and the date the updates went into effect. This is a great shift because it shows that a review window of updated terms is a standard part of doing business.

These changes get a lot of things right. By identifying that a sale to a company that wants to maintain and grow the service is a different type of event than a liquidation, Clever pairs good data stewardship with maintaining the continuity of their service. By committing to notification and user opt-out, Clever demonstrates confidence in what they offer, and respect for the trust people place in them. By putting their terms in GitHub, and maintaining solid commit messages, they make it very clear how their terms evolve over time.

Most importantly, both the process that Clever has used, and the content of these changes, show how this can be done well. I'd love to see other companies follow Clever's lead here.
