Outsourced University Athletics Websites Violate University Privacy Policy

Outsourced university athletics websites violate university privacy policy including tracking visitor data and using it for advertisers. I don’t want to over complicate this so let me offer the simplest explanation of how university privacy policy are being violated.

University athletic department’s contract with a third party to host their official university athletics department website. The vendor provides the platform that hosts advertising and offers eCommerce capability under the vendor’s commercial privacy policy – not the university privacy policy.

CBSSports.com College Nework

According to CBSSports.com College Network they partner with over 150 universities and athletic conferences to host over 175 official athletic sites. CBSSports.com services:

“…helps collegiate athletic departments protect and build their brand by deepening and expanding their fan base.”

Their services include a full range of editorial and web services including providing web hosting, interactive media and eCommerce services to sell branded products, tickets and auction services for ‘fan days’ and other fundraising activities.

As far as I can tell, they offer a fantastic, highly specialized and valuable service to universities which represents a potentially strong revenue stream. This is so specialized it might be difficult for the university IT department to provide a comparable level of service. That may be besides the point.

The issue is CBSSports.com College Network, acquired by CBS Corporation in 2002, has a privacy policy for a corporate media company not a university. As such, their privacy policy reflects a commercial entity who sells advertising and user data which may include transferring user data to third parties even out of the United States.

University of Wisconsin Athletics

Wisconsin AthleticsThe official website of the University of Wisconsin Athletics is UWBadgers.com operated by the CBSSports.com College Network and the CBSSports.com privacy policy is the only one on the site.

So there is no university privacy policy on this site and according to the University Privacy Policy found on the university home page, that privacy policy does not apply.

You should know that I think the University of Wisconsin privacy policy structure is an absolute mess. There is no single university privacy policy framework as I have described before, just a hodgepodge of unrelated privacy policies for every department, program and subdomain.

This means the Wisconsin Athletics site operates as an official university website with no university privacy policy and current practices that seem contrary to most of the existing university privacy policies.

Additionally, based on the CBSSports.com description of their Third Party Online Advertising practices, it would seem the Wisconsin Athletics site also runs a fowl of the Responsible Use of Information Technology Policy.

University of Massachusetts – UMASS Athletics

UMASS AthleticsThe official UMASS athletics site is also operated by CBSSports.com. Unlike the University of Wisconsin, the UMASS privacy policy is a comprehensive university privacy policy that would extend to UMASSAthletics.com stating:

“Except as noted, the information below applies to University of Massachusetts Amherst Web sites, consisting of designated Web pages or publications of the university, its schools, colleges, departments, administrative offices, divisions, certain registered student organizations, and other units, as well as to the campus home page, or Gateway, at www.umass.edu.”

But just like the University of Wisconsin, UMASS allows third party advertising and data collection on their official UMASS athletics website without providing the university privacy policy on the site.


Just as an aside, I am also wondering if allowing third party advertising on an official university web site, controlled by CBSSports.com and the advertising networks, fits with university policy?

How Does This Happen

My guess as to how these things happen includes three main factors:

  • Privacy in higher education is mostly associated with FERPA so there is a lack of broad oversight of privacy beyond FERPA.
  • The CIO is not in the loop on purchases of external IT services which might be the best chance to catch these things.
  • Most people don’t realize their obligations for privacy compliance and university policy enforcement doesn’t end just because you outsource to a third party.

5 Tips To Strengthen Privacy Controls

  1. Appoint or designate a Chief Privacy Officer. This should be someone who can see the broader picture of privacy beyond FERPA.
  2. Establish an Enterprise Privacy Policy Framework. There should be an institutional privacy policy serving as an umbrella for privacy controls and compliance in all areas.
  3. Conduct Privacy Risk Assessments. The Chief Privacy Officer or compliance officer should require privacy risk assessments of all new applications and web services prior to purchasing them and again with regular frequency based on risk.
  4. Require SSAE 16 Audit Reports annually from all IT service providers as part of your vendor management program.
  5. Provide or expand annual FERPA privacy training to cover privacy controls more broadly making the distinctions between privacy and security.

This entry was posted in CIO Job, Privacy and tagged , , , , . Bookmark the permalink.

2 Responses to Outsourced University Athletics Websites Violate University Privacy Policy

  1. Dorthey Bruestle says:

    Very interesting subject, but not altogether surprising. Thanks for sharing.

  2. The Higher Ed CIO says:

    Interesting is one way to look at it on another big football weekend.

Comments are closed.