Can you sign this form promising FERPA (US) or GDPR (Europe) compliance?

We get requests like this once in a while. We can't do what you ask, but I hope to convince you that you don't need it.

Why we can't: Snap! is a zero-budget project run by a small group at Berkeley. We are not authorized to enter into contracts on behalf of the University. In any case, to be valid a contract must have a quid pro quo, and you aren't doing anything for the University. That is, we don't charge anything for people or institutions to use Snap!. Within reason, we even allow our users to store their projects on cloud storage that is provided to you free of charge. So it would be legally meaningless for us to sign your form even if we were authorized to do so. But we have two suggestions:


First: You (or your students; please understand an "or your students" wherever we say "you") can use Snap! without sending us any information at all, by saving your work on your local computer network, or on a CMS with which you have a contract. In the "Save as" dialog, click the big "Computer" button and you'll get an operating system file save dialog. If you do that, you don't have to have a Snap! account at all. The Snap! software runs entirely on your computer, in your browser. It sends us no information until you log in or save a project to our cloud server.

This is an absolutely ironclad solution; if we have no information about you, there's no need to worry that we might disclose it to others or use it against you. (We do, like all web sites, log the IP address from which you connect to download Snap!.) If you or your lawyers are worried about legal compliance, this is by far your best course of action.


Second, you can agree that even when you do sign up for an account, there is little risk: The only personally identifying information we knowingly collect from users is an email address, which we use only to send a password reset link when a user forgets his or her password. (We also notify the user in the unlikely event that we find it necessary to un-publish a project, either because it violates community standards or because we have been notified that it violates someone's copyright.) When a user creates a new account, if the user is under 13 (US) or under 16 (Europe), we ask for a parent's email rather than for the user's own. (We do not store the user's date of birth; this age computation is done entirely in the user's browser.)

The email address by itself is arguably not PII at all. In particular, teachers may create accounts for their students using their own email address; the same address can own more than one account. Users can even give us a temporary email address (e.g., tempmail.com), if they're confident they won't forget their password. We do not operate a course management system; there are no student grades or test scores on our server.

The remaining risk concerns information that students publish on purpose. From the student's point of view, the virtue of storing projects in our cloud storage is that they can be published, so that every other Snap! user in the world (or anyone else, really) can see them. This is how we build a community of users, who learn from each other.

Users can decide whether or not to share or publish each of their projects. We do not examine unshared projects at all. A shared project can be seen only by people to whom the author sends the project's URL. A published project is displayed on our web site. There is a risk that underage users might include PII in a shared or published project ("I'm 12 years old today!"), but there is nothing we can do to preclude that. We can only unpublish projects if we are notified about a problem.

For school use, we encourage teachers and students to use a style of work in which each student has a class account that's used only for classwork and deleted at the end of the course, and a different account for extracurricular projects. This limits your exposure to the risk of PII in a student project; you are not a party to a student's birthday announcements.

We try hard to follow all the rules of FERPA/COPPA (US) or GDPR (Europe), but we do so mainly by not collecting PII in the first place.

We hope that this information will suffice to convince your lawyers that you don't need a signature from us.