Key Takeaways:

  • Clarity builds trust. Ambiguous phrases in data privacy policies create uncertainty and weaken confidence in your privacy practices. 

  • Transparency strengthens compliance. Clear policies around data collection, deletion, and third-party links not only demonstrate accountability but also ensure alignment with privacy laws.

Every October, conversations turn to what’s spooky, but in education technology, the real chills come from a different source: data privacy policies. 

Buried in the fine print are phrases that seem harmless but can send shivers down the spine of anyone responsible for protecting student data. From vague commitments like “reasonable efforts” to ominous omissions around data deletion, these words signal uncertainty, risk, and sometimes even noncompliance. 

The good news? Each of these “scary” phrases is easily fixed by prioritizing transparency, specificity, and accountability. Here are the top five creepiest lines in privacy policies, and the language that can “turn on the light” to build trust instead of fear.

  1. “Including but not limited to”

If your privacy policy says you collect data “including but not limited to,” it’s time to revise it. Vague language like that raises red flags and erodes trust by suggesting you may be collecting more than necessary. Instead, follow the principle of Data Minimization by collecting only what’s essential for your product to function. Also, be transparent about what data you’re collecting and why. This simple change signals your commitment to privacy, responsible data handling, and Privacy by Design, turning uncertainty into trust.

  2. “Reasonable efforts” or “Industry standard practices”

If your privacy policy uses vague terms like “reasonable efforts” or “industry standard practices,” it’s worth clarifying what those actually mean to you. While legally acceptable, such phrases can leave users confused or skeptical. Define your practices in plain language: explain what “reasonable” looks like and which standards you follow. This transparency builds trust, shows accountability, and turns your privacy policy into a genuine trust-building tool rather than just a legal checkbox.

  3. “We’re not responsible for the privacy practices of third-party sites linked from our platform.”

If your privacy policy includes a “Links to Other Websites” disclaimer that shifts responsibility to third parties, it may be time for an update. In education, trust isn’t transferable. If you link to a site, you are implicitly endorsing it. Review your links carefully: are they necessary, safe, and appropriate for schools? Every connection reflects on your brand, so you want to make sure your digital ecosystem upholds the same standards of privacy and trust you promise your users. Clean links build clean trust.

  4. “We do not collect personal information automatically, but we may tie it to other data.”

Many privacy policies include vague statements like “We do not collect personal information automatically, but we may tie it to other data,” without explaining how or why. That’s a red flag under privacy laws like GDPR, CCPA, and COPPA, which require lawful, transparent, and consent-based data collection. Edtech suppliers must clearly state where data comes from and why it’s collected, as well as ensure user or parental consent. This is especially true when working with students. 

  5. Lack of deletion policies

Admittedly, this isn’t a phrase, but it is scary if it isn’t there. Data deletion is one of the most overlooked aspects of edtech privacy. Schools often use hundreds of apps, many free, where accounts are created and quickly abandoned, leaving behind dormant data that’s rarely tracked or deleted. Suppliers can help by publishing clear, plain-language retention and deletion policies that specify inactivity triggers, deletion timelines, and how data is removed from backups and subprocessors. Meanwhile, schools should make deletion requests standard in procurement and renewals, requiring proof of action. Shifting from “we’ll keep it just in case” to “we’ll delete it unless needed” strengthens both compliance and trust.

Still Scared? We Can Help. 

The scariest thing about these phrases isn’t that they exist; it’s how easily they can undermine trust with educators, parents, and learners. The solution isn’t complicated: be clear, be specific, and be proactive. 

The 1EdTech Data Privacy Certification process uses a rubric collaboratively developed by the 1EdTech community to review data privacy policies. Providers can work with 1EdTech staff to address “scary” sections of their policies. Vetted products that earn the Data Privacy Certification seal are listed in the 1EdTech Trusted Apps™ Directory and the Trusted Apps Management Suite (TAMS).

 

About the Author

Kevin Lewis is 1EdTech’s Data Privacy Officer. He started his career in education as an IT customer service representative, where he was responsible for the break-fix process at two high schools. Kevin then worked as an Education Technology Specialist and headed the district’s student data privacy, Internet safety, and security initiative. At 1EdTech, he vets data privacy policies and provides guidance for consortium members. 

 

Published on 2025-10-17
