Student Data Privacy in the Era of Third-Party EdTech Apps

When schools require students to use third-party educational apps, parents often assume their children’s data is completely safe. However, the rapid adoption of EdTech tools has introduced severe, hidden privacy risks. Mandated but unvetted software can silently harvest a child’s personal information, location data, and digital learning habits.

The Scope of EdTech Data Collection

Over the past few years, the number of digital tools used in classrooms has skyrocketed. While technology offers exciting new ways to learn, the privacy trade-offs are alarming. Many educational apps operate exactly like commercial social media platforms when it comes to data collection.

A massive 2022 report by Human Rights Watch analyzed 164 EdTech products used by students worldwide. The findings were deeply concerning. The researchers discovered that 89% of these educational tools monitored children or had the capacity to monitor them. Worse, these apps routinely sent the gathered data to massive ad-tech companies, including Google and Meta.

Similarly, a 2022 study by Internet Safety Labs evaluated apps commonly required by schools. They found that 96% of these apps shared student data with third parties. The information collected often goes far beyond simple test scores. These applications track:

  • Exact physical locations.
  • Device identifiers and IP addresses.
  • Keystrokes and browsing habits.
  • Behavioral profiles and attention metrics.
  • Contact lists and personal device metadata.

The Problem with Mandated Software

In a standard consumer environment, you can simply uninstall an invasive app. In a school setting, students and parents lose that choice. When a teacher mandates the use of specific software for homework or exams, opting out means failing the assignment.

Schools routinely adopt platforms like Canvas, ClassDojo, or Kahoot! to manage grades, communication, and quizzes. While these specific platforms are highly popular, individual teachers also frequently download free, unvetted apps to use for quick lesson plans. These free apps almost always make their money by collecting and selling user data to data brokers.

When a school forces a student to use these tools, the school effectively strips the parent of their right to protect their child’s digital footprint. Because the software is required for academic success, families are forced into a corner where they must surrender their privacy for an education.

Real-World Breaches and Consequences

The risks of sharing student data with third parties are not theoretical. Educational vendors are prime targets for cyberattacks because they hold millions of sensitive profiles.

One of the most severe examples occurred in January 2022 with the software company Illuminate Education. The company provided grading and attendance software to schools across the United States. Hackers breached their systems, compromising the personal data of over 3 million students. In New York City alone, the breach exposed the personal information of about 820,000 current and former students. The stolen data included names, birth dates, ethnicities, and highly sensitive special education statuses.

When data brokers or hackers obtain this information, the long-term impacts on a child can be profound. Algorithms use this data to build permanent digital profiles. A student marked as having a short attention span or lower test scores in middle school could theoretically be targeted with predatory student loan ads or filtered out by college recruitment algorithms years later.

Outdated Legal Protections

You might assume federal laws strictly prohibit this kind of data sharing. Unfortunately, current privacy laws are incredibly outdated.

The Family Educational Rights and Privacy Act (FERPA) was passed in 1974. This law strictly protects official academic records like report cards and transcripts. However, FERPA was written decades before smartphones existed. It does not clearly restrict how third-party apps collect metadata, device identifiers, or location data.

The Children’s Online Privacy Protection Act (COPPA) was passed in 1998. COPPA requires online services to get verifiable parental consent before collecting personal information from children under 13. However, there is a massive loophole in the educational sector. The Federal Trade Commission allows schools to act as the parent’s proxy. This means the school district can legally consent to data collection on behalf of the parents, often without the parents ever signing a form.

How Parents Can Fight Back

Parents are not completely powerless. While the system is flawed, you can take specific steps to limit your child’s digital exposure.

  • Request a list of apps: Ask your child’s school for a complete, written list of every third-party application, software, and browser extension required for their classes.
  • Opt-out of directory information: Under FERPA, schools can share “directory information” (like names, addresses, and phone numbers) without your consent unless you actively opt out. Submit an opt-out form at the beginning of every school year.
  • Question free tools: If a teacher asks students to download a free app for a special project, ask the teacher how that app makes its money. Request a paper alternative if the app lacks a strict privacy policy.
  • Use burner accounts: When a teacher allows it, have your child use a fake name or initials when logging into casual classroom game apps.
  • Demand data deletion: At the end of the school year, send a written request to the school district asking them to direct their third-party vendors to delete your child’s data. Some states, like California with its Student Online Personal Information Protection Act, legally require vendors to comply with these deletion requests.

Frequently Asked Questions

Are schools allowed to sell student data? Schools themselves generally do not sell student data. However, schools frequently use free third-party apps that monetize user data. By requiring students to use these apps, schools inadvertently expose children to companies that do sell data to advertisers and brokers.

Can I refuse to let my child use a specific app at school? You can formally request an alternative assignment. While schools are highly reliant on technology, you can cite privacy concerns and ask the teacher to provide a paper-based version of the homework or test. Some teachers may be resistant, but raising the issue forces the school to review their software choices.

Does FERPA protect my child’s search history on a school laptop? Usually, no. FERPA protects official educational records maintained by the school. If your child uses a school-issued Chromebook, the district likely uses monitoring software (like GoGuardian or Gaggle) to track web searches and chats. This monitoring data is rarely classified as an official educational record under FERPA.