The push to integrate technology in education isn’t lacking in innovation or enthusiasm – what’s lagging is the guarantee of privacy. In classrooms nationwide, digital learning platforms now track everything from test scores to what time a student logs into an app. Yet safeguards for that trove of student information have not kept pace, leaving schools at a crossroads: innovate safely, or risk eroding the very trust education depends on. One recent report found that protecting student data is a top priority for 88% of district technology leaders, but many districts still lack basic privacy policies or staff training.
The question is not whether student data privacy matters–it clearly does–but whether current approaches can keep up in an era of third-party apps, data monetization, and relentless cyber threats.
This article unpacks the key privacy risks emerging from EdTech’s rise; real-world lessons from breaches and lapses; why existing defenses often falter, and practical steps education leaders and technology providers can take to build a culture of digital trust without stifling innovation.
Why the EdTech Boom Puts Student Privacy at Risk
Across the country, schools have embraced digital learning tools, cloud services, and AI-driven platforms. The benefits are real–personalized learning, efficient administration–but so are the new privacy risks riding tandem. Learning environments are increasingly digital, and that digital shift has made schools prime targets for cyber criminals. With sensitive data now flowing to third-party vendors and stored in the cloud, a single breach can expose millions of student records at once. Attackers know this: over 9,300 cyber incidents hit around 5,000 K–12 schools in just an 18-month span (July 2023–Dec 2024). Criminals perceive schools as easier prey than large corporations, given many districts’ low defenses and limited IT manpower.
It’s not just hackers eyeing the data. EdTech companies themselves often monetize student information. Nearly three-quarters of the most popular apps and online platforms used by children likely profit from user data–even when they claim not to. Instead of outright selling a child’s name or ID, many charge third parties for access to user profiles and behavioral insights gleaned from student activity. In practice, a student using a “free” educational app might be unknowingly trailed by ad trackers, with their clicks and viewing time packaged into a marketing profile. That means even on school-approved tools, children can encounter targeted ads or content influenced by their data footprint. This data monetization, often buried deep in service terms, raises obvious red flags: it blurs the line between education and commercial exploitation of minors.
At the same time, surveillance-style tools are proliferating in schools–sometimes for safety, but not without controversy. Applications like GoGuardian and Gaggle monitor students’ screens, messages, and search queries in real time. Proponents say such tools help keep students on-task or even flag mental health concerns (for instance, by scanning for signs of self-harm). However, critics warn that this normalizes a culture of surveillance and may infringe on privacy and free expression. The common thread is that today’s EdTech can collect an unprecedented volume of personal data–and without strong oversight, that data can be misused or exposed.
Perhaps the starkest illustration of risk is when a trusted education vendor is compromised. Third-party vendors now hold immense quantities of student data, making them single points of failure. A sobering case came to light in late 2024: hackers breached PowerSchool, a leading cloud student information system used by thousands of districts. These are not isolated cases; vendor breaches have ripple effects across districts, states, and even countries. In that one incident, the personal information of approximately 62 million individuals–including students, parents, and staff–was stolen. The breached data ranged from names and birthdates to grades, medical info, and even Social Security numbers. This was not a rogue school IT system but a major vendor’s platform, meaning the attack cascaded across many states at once. Such supply-chain attacks underscore how an EdTech provider’s security (or lack thereof) directly becomes each client school’s security. When you entrust student records to third-party platforms, you are effectively extending the “classroom” into vendor data centers. The risks of that arrangement, if not carefully managed, are enormous.
The Legal Landscape
Education leaders are not operating in a lawless frontier; there are laws and regulations designed to protect student information. The challenge is that these laws often trail the technology. At the federal level, the cornerstone is FERPA–the Family Educational Rights and Privacy Act of 1974. FERPA gives parents and students rights over education records and generally forbids schools from disclosing a student’s personally identifiable information without parental consent. That sounds strict, but this law was written in a paper-record era and has notable exceptions. Schools can share data with “school officials” performing institutional services, a category that can include third-party contractors or EdTech vendors–if certain conditions are met. In practice, districts often leverage this “school official” exception to use online services without individually signed parental consent for each tool. The catch is that the Family Educational Rights and Privacy Act of 1974 then requires the school to ensure the vendor is under its direct control regarding the use of the data, and that the data is used only for the purposes for which it was disclosed. In other words, the privacy burden shifts to contracts and trust. A well-crafted contract will spell out that, say, a math app provider can’t repurpose student data for any non-educational purpose. But this law itself provides no technical checklist or modern security standards – and enforcement is relatively toothless (the harshest penalty is cutting off federal funds, a measure rarely invoked).
Next comes COPPA–the Children’s Online Privacy Protection Act (1998) – which is more narrowly focused on commercial websites and apps directed at children under 13. COPPA requires those companies to obtain verifiable parental consent before collecting personal information from young children. In a school setting, this gets tricky: the Federal Trade Commission allows schools to consent on behalf of parents, but only for the use of the service in the classroom. If the company behind the service wants to use that data for anything else–say targeted advertising, building marketing profiles, or any commercial purpose beyond the educational function–then the school cannot consent on parents’ behalf. The vendor must go to parents directly for permission, which most won’t do (because many parents would likely refuse). This nuance essentially means any hidden monetization of student data by a school-approved app is illegal under the law.
Looking beyond the U.S., other countries have developed their own data privacy frameworks. The European Union’s GDPR (General Data Protection Regulation) sets a high bar globally for personal data protection – it has become the measuring stick for privacy laws around the world. This law requires organizations (including schools and their vendors) to have a lawful basis for data processing and emphasizes consent and data security, with hefty fines for violations (up to 4% of worldwide annual revenue). South Africa’s POPIA (Protection of Personal Information Act, 2013) similarly imposes strict requirements on processing personal information, especially that of children, mandating parental consent when handling minors’ data. Australia’s Privacy Act 1988 provides an overarching framework for handling personal information and outlines principles like data minimization and security, while it doesn’t explicitly single out children’s data.
The legal landscape provides a necessary framework, but it often involves minimum compliance, not true data ethics. As a result, many gaps remain between what the law expects and what actually happens on the ground.
Lessons from Breaches and Lapses in Privacy
If the abstract risks still seem distant, recent incidents bring them home. Data breaches, misuse of information, and compliance lapses have already impacted real schools and students, serving as cautionary tales. The PowerSchool breach mentioned earlier is one stark example: a single vendor hack exposing data on 60+ million individuals. Consider the human face of that: families in numerous districts received breach notices informing them that a trove of their personal details might be in criminals’ hands. Such an event erodes community trust quickly. It also illustrates how one weak link in the chain (a support portal, in PowerSchool’s case) can lead to a massive breach. Not long before that, in early 2022, another ed-tech company (Illuminate Education) suffered a breach that exposed sensitive data for hundreds of thousands of students across multiple states, after which New York City schools even temporarily banned its products pending a security overhaul. The lesson: district leaders cannot assume big-name vendors are impregnable–due diligence and continuous monitoring are vital.
Cyberattacks don’t only steal data; they can disrupt learning. In January 2022, Albuquerque Public Schools–New Mexico’s largest district–was hit by ransomware that forced the entire district to shut down for two days. The attackers had breached the district’s student information system, scrambling data and demanding payment. While Albuquerque managed to avoid paying ransom (and found no evidence that data was exfiltrated, fortunately), the incident sent a loud wake-up call. It highlighted how a lack of ready incident response plans and vendor support agreements can leave a district scrambling in a crisis.
The through-line in these incidents is that, intentional or not, gaps in privacy protection ultimately harm students–either by exposing them to security threats or by eroding the safe environment that schools strive to provide.
Why Current Safeguards Fall Short
If these problems are so well-known, why do they keep happening? The reality is that current safeguards are a patchwork of laws, policies, and practices that haven’t fully caught up to the digital transformation in education. Several structural challenges persist:
Outdated frameworks: FERPA is over 50 years old and, despite some updates, doesn’t reflect today’s data ecosystem. COPPA, while more modern, only covers kids under 13 and commercial usage, leaving a grey zone for teens’ data in school contexts.
Incomplete Implementation: Even when good policies exist, execution is inconsistent. Teachers are focused on teaching; without easy-to-follow guidance and clear district support, asking them to also be privacy experts is unrealistic.
Vendor oversight and “shadow IT”: School systems now use dozens, even hundreds, of different EdTech services. While many districts strive to vet each one, the truth is some tools fly under the radar.
Culture and awareness: Finally, there is the challenge of building a culture of privacy and security. In many schools, the concept of “student data privacy” is abstract or siloed.
Human error: Even strong policies and technology can be undone by a single mistake. A staff member falling for a phishing email or reusing a weak password might inadvertently open the door to a breach. In fact, it’s estimated that nearly 95% of cybersecurity breaches involve some form of human error (poor cyber hygiene, falling for scams, etc.), so individual vigilance and training are critical links in the chain.
In sum, current safeguards often fail because they are piecemeal and people-dependent. A chain is only as strong as its weakest link, and in the chain of student data protection, many links need strengthening. The good news is that you now know where the weak points are; the task ahead is to reinforce them in a comprehensive, lasting way.
Steps to Strengthen Student Data Protection
For education leaders and technology providers committed to protecting student data, a proactive and layered approach is essential. Here are some practical steps to fortify privacy and security in the EdTech era:
Make privacy and security a leadership priority: Set the tone from the top that student data protection is mission-critical, not an afterthought.
Invest in secure infrastructure and expertise: It’s often said that hope is not a strategy–neither is crossing fingers that your district “won’t be targeted.” Schools must invest in hardening their IT infrastructure.
Vet and monitor all EdTech vendors: Every application or service that touches student data should go through a privacy and security vetting process before it’s approved for use.
Adopt data minimization and governance practices: The less sensitive data you collect and retain, the smaller the target on your back. Schools and edtech providers should practice data minimization, collect only what is pedagogically needed, and no more.
Build a culture of privacy through training and engagement: Technology alone can’t protect student data–people play a pivotal role. Invest in ongoing training for teachers, administrators, and even students about privacy and data security.
Plan for the inevitable, and learn from it: Even with all precautions, no system is 100% breach-proof. Smart organizations have an incident response plan specifically for data breaches or cyberattacks. Make sure your district knows the drill.
Each of these steps reinforces the others. Together, they form a multi-layered defense-in-depth approach that significantly raises the bar against privacy risks. Just as important, they foster an environment of trust and transparency.
Privacy as the Foundation of Trust and Resilience
Schools are entrusted with children’s personal information, from test scores to health records, and with that comes a profound responsibility. In the EdTech era, privacy must be woven into the fabric of how you choose tools, how you train people, and how you govern technology.
The encouraging news is that a shift is underway.
You should be realistic: no single law or technology will eliminate all risks. Much like other systemic challenges in education, it takes a concerted, continuous effort. But by prioritizing privacy and security, schools and vendors can build both trust and resilience.
Ultimately, protecting student data means protecting students themselves – their future opportunities, their well-being, and the integrity of their educational journey. The digital classroom of tomorrow will either be defined by trust or by regret. The choice lies in whether schools and vendors treat privacy as a compliance checkbox or as a core value.
