Data Collection and Security Policies
About this Document
Modern Campus respects our customers’, and their website visitors’ right to privacy. This document describes how the Personalization by Modern Campus feature, when enabled in the Modern Campus CMS product, collects data about your website visitors and how that data is used to deliver personalized content on web pages. It also covers the capabilities that enable institutions of higher education using the Personalization product to comply with the rights and choices that website visitors have regarding their personal information.
This information can be used to update and augment your institution’s privacy policies and opt out procedures, in order that you may comply with General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), or other privacy regulations as needed when you enable the Personalization by Modern Campus features. However, this is not a legal document and is intended solely as an aid to you as you ensure compliance with regulation. You may have other considerations to include in your privacy policy based on other activities that you may be taking, such as, but not limited to tracking with Google analytics or other services.
Executive Summary
Personalization by Modern Campus feature enables schools to create and display dynamic content on web pages triggered by rules based on information collected about the website visitors’ interactions with the school’s website. Because we track visitor data in order to accomplish this, schools will need to ensure their privacy policy accurately reflects this activity. Rest assured, this is not as scary as it sounds.
While personalization can improve the website visitor’s experience with your site dramatically, little personal information about the user is required to make an impact. In fact, if you are already tracking user activity on your website via Google Analytics or similar tools, your privacy policy may not require any changes at all. Should you choose to use our more advanced personalization features, such as importing data from your CRM or other external systems, your privacy policy may need to be updated to reflect the choices you make about what data you import.
There is a tremendous amount of detail about how we track user information laid out in later sections of this document. We designed Personalization by Modern Campus such that it does not capture critical personally identifiable information (PII). Each regulatory standard defines PII slightly differently. This document defines critical PII as,
- Driving License Number,
- Social Security Number (SSN),
- Social Insurance Number (SIN), and
- Passport Number.
We only capture PII that is needed to drive personalized experiences. We offer several layers of prevention against importing critical PII, including programmatic recognition and user controls (see Data collection via CSV file). This document will enable you to ensure you are disclosing what is necessary to meet the guidelines that are relevant to your institution.
Two common guidelines that many Modern Campus customers look to meet are the GDPR and CCPA. Personalization by Modern Campus only collects one piece of information that is considered to be PII under these guidelines – the user’s IP address.
We also comply with modern browser’s ‘do not track’ capabilities and can provide a means for school’s to enable opt-in capabilities if they do not have them already established for their websites.
Personalization by Modern Campus Overview
The Personalization feature offers two services that can be used separately or together:
- Tracking of unidentified visitors and/or,
- Tracking of identified visitors.
With Personalization, Modern Campus does not track your website visitor without your consent. You are in complete control of what is tracked. We have several controls that enable you to apply tracking as broadly or granularly as you see fit.
Personalization must be enabled at the account and site level for any of the features to be available to users. Additionally, you determine which pages have the tracking code embedded, and you determine the rules for when that information is used and for what purpose. You can track at the site, directory, and single page levels.
The user can opt out of tracking via do-not-track requests, a feature on most modern browsers. Do-not-track requests can be found by navigating to the Privacy and Security section of your browsers’ settings.
Overview of Unidentified Visitor Tracking
Unidentified visitor tracking enables schools to include dynamic content on web pages based on information collected about the user. The feature enables you to:
- Track visitor interactions with your site:
- the frequency of a person’s visits to your website
- the duration of the website visit
- the pages or calendar events visited while on your website
- the source URL from which the visitor navigated to your website
- the visitor’s IP address
- the visitor’s geolocation during the visit (to the metro region)
- the visitor’s browser, operating system, device type, and device resolution
- Create dynamic and personalized content variations to display to website visitors:
- Dynamic blocks
- Text
- Page forwarding
- Define rules for when each version of the dynamic content will be displayed to a user. Rules are defined by:
- The number of repeat visits to your website
- The pages or calendar events visited on your website in the past
- The location of the website visitor (granular to the metro region)
- Segments (categories of visitor traits)
- View visit analytics to understand visitor behavior
Overview of Identified Visitor Tracking
You can also choose to import data from your student information system (SIS) or customer relationship management (CRM) process or system to Personalization. This will identify website visitors by linking them to the prospect and student information from your existing campus systems.
Personalization Architecture
Modern Campus uses Matomo, an open-source project, to help power data tracking and analytics related to the personalization feature. We are hosting our own instance of the Matomo services in our dedicated Amazon Web Services (AWS) hosting environment. Matomo staff do not have access to our environment or any of the data in it.
Matomo uses a combination of first-party cookies and other techniques to ‘fingerprint’ a website visitor. The default expiration for Matomo cookies is 13 months. Even if a user clears their cookies, Matomo can still tell who they are based on this fingerprint.
Matomo enables you to track against all your domains, unlike other tracking technologies. However, we do not enable tracking on any domains other than those owned by our customers. We are not tracking user behavior outside of your website interactions.
Modern Campus is using industry standard data security controls to ensure the integrity of the data and to protect the privacy of website visitors, including but not limited to encrypting the data at rest.
Data that is Collected
Unidentified Visitor Tracking
When you enable personalization on your site, AND you add tracking code to a particular page or set of pages, we will collect the following information for website visitors:
- User IP address (leading 2 octets)
- Date and time of the page visit
- Title of the page being viewed (Page Title)
- URL of the page being viewed (Page URL)
- URL of the page that was viewed prior to the current page (Referrer URL)
- Calendar event visited
- Screen resolution being used
- Time in local user’s time zone
- Location of the user: country, region, and metro region
- Main Language of the browser being used (Accept-Language header)
- Browser plug-ins
- User Agent of the browser being used (User-Agent header)
- From the User-Agent, detect the browser, operating system, device used (desktop, tablet, mobile, TV, cars, console, etc.), brand and model.
Some information is also stored in first party cookies and collected by our Personalization feature:
- Random unique Visitor ID
- Time of the first visit for this user
- Time of the previous visit for this user
- Number of visits for this user
Identified Visitor Tracking
When you choose to import your campus data to our Personalization feature we store this data with third-party services that we have evaluated to our security standards (Table 1). Specifically, we store this data in Matomo MySQL or AWS Elasticsearch databases. Data is encrypted at rest and accessible only by Modern Campus. Data is not stored in the Modern Campus CMS or microservice databases.
When you connect your campus data with Modern Campus CMS, you decide what data to share. If shared, we handle your data in the following two ways.
Data collection via CSV file
- When you upload a CSV file containing your CRM/SIS data to Modern Campus CMS, we store your data in a private AWS S3 bucket. This private bucket is a shared space accessed by a secret key.
- In Modern Campus CMS, you provide the data mapping, including marking data as restricted. Restrict PII by removing it from your CSV file before import and/or by marking it as restricted during import.
- If your CSV file contains critical PII that we can identify programmatically, we will automatically restrict it and it will never be stored (Figure 2).
Figure 2. Critical PII identified programmatically by Modern Campus CMS and restricted.
- We read your CSV file using your mapping and delete the CSV from the AWS S3 bucket.
Data collection via Personalization form
You can also post our Personalization form on your website to request information from your visitors. This form will request the following, non-critical PII:
- Name
- Country
- Date of Birth
- Email Address
- Contact Number
- Location
How we use the data collected
Data collected about a particular individual website visitor is used as follows:
- To determine which version of your dynamic content to display based, on your website, based on the rules you create to target particular segments
- To support or troubleshoot the personalization service
Modern Campus may aggregate data across users and our customers to define best practices and help customers to improve their website content, messaging, and structure. We may also aggregate data across our customers to analyze user behavior trends in service to improving our product and creating additional products and services. In the future we may use visitor data to provide predictive recommendations of content to other similar website visitors.
We will never sell your data to a third party and we will not use it to market Modern Campus products or services directly to your website visitors.
Third party services we use
When you use our Personalization feature, we may use third parties to deliver some product feature capabilities. Table 1 details the third party services we use that may collect personal data.
Recipient |
Purpose of processing |
Lawful basis |
Data location and security |
Personal data collected by the third party |
Privacy policy |
Matomo |
To collect and analyze information about how website visitors interact with your site. The pages and activities that are tracked are defined solely by your institution. We may also use this data to recognize and stop any misuse |
Legitimate interest |
Amazon AWS, USA | ||
To host our microservice, databases and Matomo instance, and to store your campus data. |
Legitimate interest |
Amazon AWS, USA |
None |
Table 1. Third Party Services and Data Collection
Retention of data
We will retain collected information for a minimum of two years, or if your account is active with the personalization service. We will also retain and use this information as necessary for the purposes set out in this document and to the extent necessary to comply with our legal obligations, resolve disputes, enforce our agreements, and protect our legal rights. We also collect and maintain aggregated, anonymized or pseudonymized information which we may retain indefinitely to protect the safety and security of our site, improve our services or comply with legal obligations.
Security Statement
Modern Campus has taken steps to safeguard the integrity of its data and prevent unauthorized information that is maintained it our computer systems. These measures are designed and intended to prevent the corruption of data, block unknown or unauthorized access to our systems and information, ensure the integrity of information that is transmitted to us, and to provide reasonable protection of private information that is in our possession.
While ensuring network security and consistent services for all users, we employee software programs to do such things as monitor network traffic, identify unauthorized access or access to nonpublic information, detect computer viruses and other software that might damage our computers or network, and monitor and tune the performance of our network.
We use industry-standard software tools to control access to specific applications and services and to protect data that is transmitted electronically to us.
Unauthorized attempts to deny service, upload information, change information, or to attempt to access a non-public site from this service are strictly prohibited and may be punishable by law.
Policy Changes
We may update this document from time to time. If we do, we’ll let you know about any material changes, either by notifying you through the Modern Campus support site or by sending you an email.