Anthropic updated its privacy policy today. They sent me an email about it:
We’re writing to inform you about some updates to our Privacy Policy. These changes only affect consumer accounts (Claude Free, Pro, and Max plans). If you use Claude Team, Claude Enterprise, the Claude Platform, or other services under our Commercial Terms or other agreements, then these changes don’t apply to you. What’s changing? Claude can do more than ever — taking on bigger tasks and connecting with the apps you use. We’ve updated our Privacy Policy to be clearer about the data we collect and how we use it. We encourage you to read the updated Privacy Policy in full, but we’ve set out a summary of the key changes below: 1. Multi-step tasks and connected apps. As Claude takes on more multi-step tasks and works with third-party apps and services, we’ve explained the data this involves — including how data can flow to and from third parties when you connect a service or have Claude do tasks on your behalf. 2. Verification data. As part of our measures to keep our services safe and secure we may ask you to verify your age or identity, and we’ve described what we collect and how. 3. Study participation. If you take part in Anthropic studies, surveys, or interviews, we’ve explained the information we collect. 4. Additional information about our data practices. We’ve provided more detail about how we communicate with you and promote our services, including providing tailored recommendations about our services that may be of interest to you. We’ve also clarified the circumstances under which we may receive or provide data to third parties, and the legal bases we rely on when processing your data. While our products have evolved, our commitments haven’t: We don’t sell your data, Claude remains ad-free, and you can control whether your chats and coding sessions are used to train and improve Anthropic’s AI models.
For fun, I decided to run it through TCEA PROTECT rubric v2.0. It was featured in this blog entry, The Augmented K-16 AI Framework. It comes with a non-AI version (although you can plug your API key into it and use your own AI chatbot to run it). I decided to run Anthropic’s Privacy Policy (updated) and see what the result might be.
The short version:
For adult staff use, Anthropic’s privacy posture is reasonably strong, especially if the district uses a commercial/enterprise agreement rather than consumer Claude.
For K–12 student use, I would mark this as not approved without a separate district agreement, DPA, or education-specific contract. The consumer Privacy Policy alone does not establish FERPA/COPPA school-official terms, and Anthropic states the services are not directed to children under 18.
That point about “commercial/enterprise agreement” is one that I always strongly emphasize in my workshop sessions. Most, however, use consumer Claude, so our privacy expectations are lower because consumer Claude will take your data and use it for training.
| # | PROTECT Category | Score | Evidence / Rationale |
|---|---|---|---|
| 1 | P — Parental Rights and Access | 1 | The policy provides user rights for access, portability, deletion, correction, objection, appeal, and authorized-agent requests, but it is not framed around school/parent access workflows or FERPA-style guardian review. (Anthropic) |
| 2 | R — Retention and Deletion | 1 | Anthropic says deleted conversations are removed from chat history immediately and backend systems within 30 days, but the policy also uses broad “as long as reasonably necessary” language. Model-improvement data may be retained up to 5 years, feedback for 5 years, and flagged safety data longer. (Anthropic) |
| 3 | O — Opt-Out Options | 2 | Users can opt out of model improvement through account settings. Anthropic also states it does not sell personal data, honors global privacy controls, and offers targeted advertising opt-outs. Safety-review exceptions remain. (Anthropic) |
| 4 | T — Transparency | 2 | The policy clearly lists data collected, including account data, inputs/outputs, feedback, verification data, technical data, cookies, third-party integrations, model-training sources, legal bases, and policy updates. (Anthropic) |
| 5 | E — Encryption and Security | 2 | Anthropic’s privacy center states data is encrypted in transit and at rest, employee access is limited, and controls include MFA, least privilege, monitoring, vulnerability checks, training, and assessments. (Anthropic Privacy Center) |
| 6 | C — Consent and Age Restrictions | 1 | The policy is clear that services are not directed to children under 18 and says Anthropic may collect verification data, including ID and biometric-like verification data in some circumstances. However, it does not provide a K–12 school-consent pathway for COPPA/FERPA student use in this consumer policy. (Anthropic) |
| 7 | T — Third-party Management | 2 | Anthropic discloses categories of affiliates, service providers, business partners, legal recipients, research publications, and third-party integrations. It also points users to Trust Center details for third parties and data-transfer locations. (Anthropic) |
Recommended Conditions Before Approval
Require:
- A signed DPA / NDPA / district privacy addendum.
- Confirmation that student inputs and outputs are not used for model training.
- Written retention terms for district data, deletion, backups, and termination.
- A current subprocessor list with notice of material changes.
- Clear guidance that consumer Claude accounts are not used by students under 18 unless Anthropic provides a school-authorized pathway.
Discover more from Another Think Coming
Subscribe to get the latest posts sent to your email.
Another Think Coming 