Technology procurement decisions have become data privacy decisions. When an organization signs a contract with a technology vendor, it is also deciding how that vendor may collect, use, store and share data about the organization's users — including, in education contexts, data about children.
Why Vendor Contracts Must Address Privacy Explicitly
Privacy terms that are not in a contract do not exist. If a vendor's standard contract does not restrict its right to use your data for product development, advertising targeting or sharing with third parties, the vendor may exercise those rights. The time to negotiate privacy terms is before signing, when you have leverage, not after, when changing contract terms is difficult.
The Essential Questions
Data collection: What specific data elements does your system collect from our users? Is there any data collection that is not necessary for the core functionality we are purchasing? Can data collection be configured to match our privacy requirements?
Data use: For what purposes may you use data collected through our use of your platform? Can you use our data to improve products sold to other customers? Can you use our data for advertising purposes? Can you use our data to build user profiles?
Data sharing: With whom do you share our data? Do you share data with third-party analytics services, advertising networks or data brokers? What are your contractual requirements for subprocessors?
Data security: How is our data encrypted at rest and in transit? What access controls prevent unauthorized employee access? What is your breach notification process and timeline?
Data deletion: What is your data retention schedule? When we terminate our contract, how long do you retain our data and in what form? How can we verify that deletion is complete?
Compliance: What steps have you taken to comply with FERPA, COPPA and applicable state privacy laws? Have you undergone any third-party privacy audits?
The vendor data questions resource provides a comprehensive, organized list. The responsible vendor principles describe what organizations should expect from vendors that are genuinely committed to privacy.