Lesson 3: Data Policies and Privacy


Students learn that the apps, websites, and other computing innovations they use every day require a lot of data to run, much of which they might consider to be private or personal. In the warm up students discuss which of a list of possible information types they consider private. Then students read the data policies from a website or service they use or know about. This investigation focuses on the kinds of data that are being collected, the way it's being used, and any potential privacy concerns that arise. A brief second activity reveals that even data that may not seem private, like a birthdate or zipcode, can be combined to uniquely identify them. To conclude the lesson students prepare for a discussion in the following class about the pros and cons of sharing all this data by journaling about their current thoughts on whether the harms of giving up this privacy are outweighed by the benefits of the technology they power.


This lesson is closely tied with the one that follows. In today's lesson students focus primarily on understanding the kinds of data that are collected by modern apps, websites, and computing innovations, and the ways that this may sometimes lead to sharing private information. In the following lesson students will specifically discuss the pros and cons of sharing that information.


Lesson Modifications

Warm Up (5 mins)

Activity (35 mins)

Wrap Up (10 mins)

View on Code Studio


Students will be able to:

  • Describe the different types of data that are used and collected by modern computing innovations
  • Define Personally Identifiable Information as information about an individual that identifies, links, relates, or describes them.
  • Explain how disparate pieces of personal information can be combined to identify individuals or deduce other private information.


  • Check a few popular websites with students in your school to make sure they'll be able to access those sites' data policies over your school network.


Heads Up! Please make a copy of any documents you plan to share with students.

For the Teachers

For the Students

Teaching Guide

Lesson Modifications

Attention, teachers! If you are teaching virtually or in a socially-distanced classroom, please read the full lesson plan below, then click here to access the modifications.

Warm Up (5 mins)

What Information is Private?

Discussion Goal

Goal: This prompt sets up the rest of the lesson where students will be exploring instances where many of the pieces of information on this list are used by the services they use every day. Aim to push students to think about what it means to say that something is "personal" or "private". This is a lens they should take into the lesson.

Also, point out to students the items on this list that are biometric data: a picture of your face, your fingerprint, and voice/video recordings. Are these considered any more private or personal than the other items? Why or why not?

Prompt: Which of the following pieces of information would you consider to be "personal", as in you wouldn't want it shared with just anyone.

  1. Your full name
  2. Your social security number
  3. Your favorite musician / band
  4. A picture of your face
  5. Your fingerprint
  6. Your birthdate
  7. Your address
  8. Where you go after school
  9. Your phone number
  10. Your medical information
  11. Who your best friends are
  12. Your racial / ethnic identity
  13. A list of everything you've bought this month
  14. A list of recordings of your voice
  15. Your IP address
  16. A video of you singing
  17. Your academic history / report card
  18. The town or city you live in

Discuss: Have students brainstorm silently at their tables, then have them share with neighbors, and finally have them share out with the room.


We know that computing innovations need data to run, but we don't always think about just how personal or private that information may be. We're about to kick off a two-part lesson. In today's lesson we're going to look at just how much personal data we share online. Tomorrow we'll debate the pros and cons of sharing all that data.

Activity (35 mins)

Teaching Tip

Profanity in Video: Note this video briefly includes the written phrase "How to read an f*$%ing privacy policy" roughly 15 seconds in. Review the video and ensure you're comfortable sharing it in your class. If you need you can start the video later.

Dated Video: This video is from 2018 but makes the point that students should check that privacy policies are recent. Be prepared to let students know that even though this video was shot in 2018, the same principles are important and apply.

How to Read a Privacy Policy - 5 mins


Most good websites and apps will have a privacy policy that explains the data that they collect and the way that it's used. We may have seen them before, but we've probably not read them.

Display: Show the video about how to read a data privacy policy. Take note of the teaching tip about the date and content of the video to the right.

Data Policy Exploration - 25 mins


Today we're going to practice reading data policies to get a sense for what kinds of information is actually being collected by modern computing innovations like websites and apps. We're going to spend today filling out the front part of the activity guide. In the next lesson we'll think more deeply about whether we think the tradeoffs of privacy are worth it, but you don't need to worry about that side of the activity guide today.

Group: If students like they can work in pairs for today's activity when they will be reading the privacy policy. Each student, however, should be completing their own activity guide.

Distribute: Give each student a copy of Privacy, Security, and Innovation - Activity Guide

Choose a Website and Find the Data Privacy Policy: Have students pick a company / app to use. If students are having a hard time picking a specific website, many big technology companies have fairly robust data policy pages, like Facebook, Google, Twitter, Instagram, and so on.

What Is Their Data Policy?: Students should spend 10-15 minutes reviewing the data policies and answering the questions there.

Share Findings: Have groups meet with another group to share what they discovered.

Wrap Up (10 mins)

Review: Review the key takeaways from the lesson and have students record the definition of Personally Identifiable Information in their journal.


Users can control the permission that programs have for collecting their information. As a thoughtful user of technology, don't forget to review the privacy policies of the various apps and programs you use to protect your privacy!

Assessment: Check For Understanding

Check For Understanding Question(s) and solutions can be found in each lesson on Code Studio. These questions can be used for an exit ticket.

Question: Which of the following is NOT a reason that a company would typically collect personally identifiable information (PII)?

Activity Guide: Have students submit their activity guides from today's lesson but be prepared to hand them back out for the following lesson.

Standards Alignment

View full course alignment

CSTA K-12 Computer Science Standards (2017)

IC - Impacts of Computing
  • 2-IC-23 - Describe tradeoffs between allowing information to be public and keeping information private and secure.
  • 3A-IC-29 - Explain the privacy concerns related to the collection and generation of data through automated processes that may not be evident to users.
  • 3A-IC-30 - Evaluate the social and economic implications of privacy in the context of safety, law, or ethics.


IOC-2 - The use of computing innovations may involve risks to your personal safety and identity
IOC-2.A - Describe the risks to privacy from collecting and storing personal data on a computer system.
  • IOC-2.A.1 - Personally identifiable information (PII) is information about an individual that identifies, links, relates, or describes them. Examples of PII include:●       social security number●       age●       race●       phone number(s)●       medical infor
  • IOC-2.A.12 - PII can be used to stalk or steal the identity of a person or to aid in the planning of other criminal acts.
  • IOC-2.A.13 - Once information is placed online, it is difficult to delete.
  • IOC-2.A.14 - Programs can collect your location and record where you have been, how you got there, and how long you were at a given location.
  • IOC-2.A.15 - Information posted to social media services can be used by others. Combining information posted on social media and other sources can be used to deduce private information about you.
  • IOC-2.A.2 - Search engines can record and maintain a history of searches made by users.
  • IOC-2.A.3 - Websites can record and maintain a history of individuals who have viewed their pages.
  • IOC-2.A.4 - Devices, websites, and networks can collect information about a user’s location.
  • IOC-2.A.5 - Technology enables the collection, use, and exploitation of information about, by, and for individuals, groups, and institutions.
  • IOC-2.A.6 - Search engines can use search history to suggest websites or for targeted marketing.
  • IOC-2.A.7 - Disparate personal data, such as geolocation, cookies, and browsing history, can be aggregated to create knowledge about an individual.
  • IOC-2.A.8 - PII and other information placed online can be used to enhance a user’s online experiences.
  • IOC-2.A.9 - PII stored online can be used to simplify making online purchases.