Dear Senators Durbin, Markey, and Blumenthal:
Thank you for the opportunity to share information about Turnitin’s data privacy practices.
In our 20 years of operation, Turnitin has served over 15,000 educational institution customers and approximately 34 million high school and higher education students throughout the world. We provide products and services that help students develop skills they need to think critically and take ownership of their work. Central to our operation is a suite of technology solutions that identify plagiarism in students’ written work, facilitate constructive instructional intervention, and help maintain educational institution standards. We believe that education is a right, not a privilege, and we strive to support students in learning to express their original, authentic voices with integrity.
We simply do not collect or use data for advertising or marketing purposes, nor to develop profiles of children or students that may be used by marketers. We collect and use personal information only to provide our products.
We provide the following software products, primarily for high schools and higher education institutions:
- Turnitin Feedback Studio, Originality Check, and iThenticate, which are designed to support academic integrity by evaluating originality and supporting educator workflows;
- Authorship Investigate, which helps ensure assignments originate as students’ own work;
- Gradescope, which helps to streamline the grading process for teachers, particularly for STEM courses.
We are committed to protecting the privacy of the students and education institution users who interact with our products. We are a signatory of the Student Privacy Pledge and work closely with our education institution customers to ensure that we meet their requirements for protecting student data privacy. We use student personal information only to support the legitimate educational interests of our customers and collect only what is needed to perform the education-related services. We do not sell or rent data, nor do we use it for advertising purposes.
We only collect data directly from our education institution customers and their students. We do not buy, collect or receive student data from any other sources. Further, we do not “label” or “categorize” students – rather, we simply help institutions check the integrity of their students’ work.
We collect the minimum amount of data required to allow an individual to log into and use our products - including to submit work as assigned by their instructors, keep track of the work they’ve submitted, and permit their instructors to do the same - such as first name, last name, email address, institution name, and, optionally for Gradescope, a student ID. With the approval of their instructor, students may log into our products under a pseudonym.
We also collect coursework – usually essays and other written materials assigned by an instructor – to check for originality. Like most software companies, we also collect some technical information such as IP addresses, device IDs, time spent in our products, and features used. That information is de-identified and used in the aggregate to help us better understand how our products are used, inform new feature development, secure the products, and identify issues with operations.
Depending on the product being used, instructors may also upload student grades and scoring rubrics, used only to help instructors improve the efficiency of their grading processes.
At any time, students or the parents of students who are under age 18 or have not yet matriculated in a higher education institution may request to review, amend, correct or delete the student’s data by contacting the education institution. We partner with the education institution to respond to those requests in the time requested by the institution or otherwise as required by law. Education institutions may request deletion of their students’ personal information at any time.
We use robust security measures appropriate to the sensitivity of the data we collect, and these measures are regularly reviewed and updated. We have a Chief Information Security Officer on staff, and we complete annual third-party SOC 2 security audits and certification.
We remain vigilant in our security practices. We store the data on Turnitin servers in secure data centers, and on a third-party cloud platform that has certification for compliance with ISO/IEC 27001, 27017, 27018, and ISO/IEC 9001. We require that our third-party technology partners implement security practices that are at least as stringent as our own and use data only for the purpose of facilitating our provision of the products in support of our education institution customers.
Supporting our education institution customers is critical to our mission and to the longevity of our business. Part of that, of course, includes meeting our legal requirements. We comply with the requirements of the Family Educational Rights and Privacy Act (“FERPA”), and receive only minimally required information from student education records needed to perform services, using personal information from education records only to support the legitimate educational interest of each school customer, and operating under the direct control of our education institution customers with respect to our use and maintenance of education records.
We partner with our customers to ensure that they have the ability to access, amend, correct, or delete student personal information at their discretion or in response to requests from parents or eligible students, and as noted above, we share student personal information only with third party service providers who facilitate our delivery of the products to our customers and who are contractually obligated to maintain appropriate privacy and security protections over such data.
In addition, we provide a variety of technical, administrative and physical controls to help ensure the security of the data, and we allow our education institution customers to audit our privacy practices to support their compliance with their FERPA obligations.
Under the Children’s Online Privacy Protection Act (“COPPA”), consistent with the position of the Federal Trade Commission (FTC), we rely on our education institution customers to obtain the necessary parental consents prior to collecting only the minimally required personal information from students under age 13. As with all the students we serve, any such information is used only for providing the services to the educational institutions. We comply with all COPPA requirements, and partner with our education institution customers to ensure that parents are always able to exercise their rights under all applicable laws and regulations.
We are pleased to have been able to explain some of our data privacy and security practices and remain available should you wish to discuss in more detail.
Chief Executive Officer