The cookie jar

Online educational tools and protecting children’s data

Safeguarding is a high priority in any good school, but Huma Shah wonders if we are doing enough to protect children’s data when using well-known online learning resources.

Cookies in online educational resources

There is no doubt that online educational resources can enhance learning. While institutions can and do conduct due diligence to ensure a proposed digital platform meets safety and security, is this sufficient to prevent the tracking of pupils’ data? How can we check data-privacy in educational websites and apps and how can we limit the tracking of teachers and pupils’ data?

Online tracking and selling of children’s data

Tracking us online is done through a variety of web tools, the best-known of which is a digital ‘cookie’. The BBC’s website tells us:

”Cookies are small text files which are transferred to your computer or mobile when you visit a website or app.”

These enable data about us, held on the device, to be extracted. They can then be passed on (they are often sold) without our knowing it. Andreas Weigendi, author of ‘Data for the people: how to make our post-privacy economy work for you’ (2017), warned that “Every time we Google something, Facebook someone, Uber somewhere … we create data that businesses collect and use to make decisions about us”[i]. Weigend addedi:

“the default condition of life has shifted from ‘off the record’ to ‘on the record’[ii]”.

Even if teachers and pupils want to be ‘off the record’ online, trackers are monitoring keystrokes everywhere –  which website we came from, our location, etc. Trackers can pass this data on without our consent.

Examples of cookies in educational websites: BBC Bitesize


If we look ‘under the hood’ of one online educational resource: BBC Bitesize website we see a message at the top of the home page – the cookie banner (screenshot 1):

“We use cookies to give you the best online experience”

“Please let us know if you agree to all of these cookies”

The cookie banner provides two choices: ‘Yes, I agree’, and ‘No, take me to settings’ (screenshot 1).

On selecting “cookies” in the banner you are directed to another page which includes the following information[iii]:

“To deliver advertising to websites outside of the UK”

If you select ‘Yes, I agree’ you are agreeing to the placement of cookies on the device you used to access the page, and you are helping the BBC to “deliver advertising to websites outside of the UK”.

What teachers can do to prevent children’s data tracking in websites


There are a number of free online tools that teachers can use to check for tracking in educational apps before launching for children’s use. One such tool is Webbkoll[iv] . Using webbkoll to analyse BBC Bitesize the following information is revealed (screenshot 2):

  • The server is located in Sweden
  • Six first-party cookies are detected (i.e. the BBC’s own trackers)
  • Fifty-one third-party requests from twelve unique hosts have also been detected

What does this mean?  Webbkoll tells us the third-party requests are “requests to a domain that’s not or one of its subdomains.” It is unclear what the benefit of third-party requests are to BBC Bitesize website users. Webpages have become spaces for the online advertising industry (AdTech), because of an “increasing amount of time spent by consumers on digital media”v, which helps companies using AdTech to make money out of “any user’s move”v. Digital educational tools are not exempt from “monetizing traffic” while improving “interaction with the user on platforms”[v] .

Examples of tracking through educational apps: Kahoot


Kahoot educational app is another digital resource that allows teachers to set pupils with challenges through games and competitions[vi]. Using another free online data-privacy tool Exodus Privacy[vii] we can check beneath Kahoot.

Exodus Privacy reveals that Kahoot app has two trackers and twelve ‘permissions’.  The trackers are both from Google and include Google’s “Firebase Analytics[viii] a tool that “provides insight on app usage and user engagement”viii . Once downloaded to a device, Kahoot app’s default permissions include access to the camera, and to read the contents of the device’s storage function (SD card).

What teachers can do to prevent children’s data tracked through apps

The requirements of a particular task or activity should dictate what app permissions are necessary. For example, an app for transport times needs access to your location in order to provide information about when the transport is due to arrive. For any other permissions, such as access to your contacts, photos, etc., you should have the choice whether or not to grant this permission.

Free training to protect student privacy

CSI-COP[ix] (nothing to do wtih COP 26!) is an EU-funded project investigating the extent of online tracking through websites and apps. CSI-COP has created a free informal education course, ‘Your Right to Privacy Online[x]’. This is available in English, Czech, Greek, Hebrew, Hungarian and Romanian (more language translations, and free online workshops[xi] to follow). The free course across five easy-to-follow steps can be completed in half-a-day. It can help teachers to minimise the risk to children when navigating educational websites and apps, and also help children to protect their own data online.


Digital tools can enhance a learner’s experience. Preventing our data being tracked can further improve engagement by rejecting those annoying cookies!



Huma Shah is Assistant Professor and Researcher at the University of Coventry’s Research Centre for Computational Science and Mathematical Modelling specialising in Artificial Intelligence at Coventry University

News about free upcoming webinars here

Huma can be contacted on

All images and screen shots kindly provided by Huma.


Helen Bilton, Professor of Outdoor Learning,-Reading University; CSI-COP Advisory Board member.

CSI-COP partners: Dr. Ulrico Celentano; Professor Jordi Vallverdú; Dorottya Rigler; Mária Hinsenkamp; Dr. Maayan Zhitomirsky-Geffet; Professor Olga Stepankova; Deniz Ozdemir; Nantia Lantavou and Professor Yannis Gialelis.

CSI-COP project website:

Short animation on how to stop cookies, in CSI-COP FAQs:

How to get involved in CSI-COP as a citizen scientist:

Further reading (see also end-notes):

2015 book: The Black Box Society: The Secret Algorithms that Control Money and Information. Author: Frank Pasquale. Publisher: Harvard University Press

2017 book: Data for the People: how to make our post-privacy economy work for you. Author: Andreas Weigend. Publisher: Basic Books.

2019 book: The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power. Author: Shoshana Zuboff. Published by Profile Books

2020 book: Privacy is Power: Why and How You Should Take Back Control of Your Data. Author: Carissa Véliz. Publisher: Bantam Press


[i] Andreas Weigend. 2017. Data for the people: how to make our post-privacy economy work for you. New York: Basic Books.

[ii] Page 109 in Andreas Weigend 2017’s book

[iii] Using the BBC – About cookies:

[iv] Webbkoll online tool simulating no-tracking browser

[v] The APP Solutions: Digital Adtech – the complete guide:

[vi] Kahoot:

[vii] Exodus Privacy:

[viii] Google Firebase Analytics:

[ix] Citizen Scientists Investigating Cookies and App GDPR compliance:

[x] Your Right to Privacy Online, free informal education course:

[xi] CSI-COP  will be offering free online workshop in the near future. More information here about future workshops

You may also like