The Children’s Online Privacy Protection Act (COPPA) is meant to protect children’s privacy. As early adopters of new education technology, eager teachers are deciding which tools to use in ways that may circumvent their school or district’s approval processes. As features of their products, education technology (EdTech) companies may share the data collected from children with third-party service providers to perform data analysis. This study reviews the privacy policies of three EdTech tools for COPPA compliance based on the Federal Trade Commission’s tips for consumers.
The report includes information about the privacy implications of third-party data processing, the legal consequences of privacy violations after the collection of minors’ digital assets, and an explanation of the privacy policy evaluation reports of EdTech tools provided by Common Sense Media with suggestions for parents, teachers, and school administrators. Additional emphasis is placed on how COPPA’s verifiable parental consent, data minimization, and deletion rights interact with schools’ procurement and classroom use of digital tools, especially when teachers adopt products through click-wrap terms outside district vetting.​
Because third-party processors may not mirror the primary vendor’s compliance posture, this playbook foregrounds governance practices that reduce data footprint, clarify deletion timelines, and constrain commercial uses unrelated to a school purpose. Finally, the playbook synthesizes public breach evidence and oversight reports to prioritize safeguards, incident response expectations, and contract terms that better protect student data in the contemporary threat landscape.
Data Privacy in EdTech
Introduction
Many education technology (EdTech) tools provide supplemental instructional support through online engagement with students while capturing the data of minors, which could infringe on the child’s privacy rights.
The Children’s Online Privacy Protection Act (COPPA) is intended to protect personal data and privacy for children under 13. It gives parents the ability to control what information websites collect about their children and to have that data deleted upon request.
Because consent pathways and account creation often flow through schools, the practical application of these rights hinges on how districts authorize tools, what vendors collect, and whether parents or schools can meaningfully review and delete records.​
In settings where teachers introduce tools to improve engagement, district procurement and legal safeguards are essential to prevent informal adoption from exposing students’ personal information beyond what is reasonably necessary for an educational purpose.​
Background
Parents may expect that EdTech websites are safe or have already been vetted by teachers or school administrators, when the tools may not have been checked for privacy measures that keep students safe or for compliance with COPPA requirements and other privacy regulations.
The student data collected by the EdTech companies may be used in unexpected ways in the future, just as we have seen with the data brokering from social media platforms, underscoring the need to restrict commercial profiling and secondary uses in education contexts.​
Another concern is that teachers may download and save student responses from EdTech sites in spreadsheet format, which increases risk if the files are stored without controls outside official district systems.
K-12 cybersecurity reporting and federal oversight have shown that student information can be exposed through misconfigurations, weak vendor controls, and phishing, reaffirming the need for formal tool vetting, training, and incident response.​
Privacy laws
COPPA compliance is required for websites or applications that target children under 13 and collect personal information or partner with third party companies to collect personal information, or a site that knowingly collects data from children under 13 while targeting a general audience or uses a third party to collect data from children under 13 through plug-ins or ad networks.​
To be compliant with COPPA for content targeted towards kids under 13, the operator must post a privacy policy that lists all third-party operators that are collecting personal information, describes the personal information in the user profile that is collected from kids under 13, describes how that information is collected and used, and describes the rights of the user’s parents, including a statement that the operator will only collect what is reasonably necessary from users under 13.
As of November 2020, California consumers have a new law, the California Privacy Rights Act (CPRA), which will amend and supersede the California Consumer Privacy Act (CCPA) and begins to go into effect in January 2023.
Under CPRA, the California Privacy Protection Agency promulgates regulations and enforces provisions that strengthen limitations on selling or sharing minors’ data and expand rights to access, correct, and delete personal information.​
FERPA continues to govern education records maintained by schools and enables disclosures to school officials, including vendors under a school official exception, when contractual terms and controls meet statutory requirements.​
District playbooks should reconcile COPPA’s parental consent and deletion expectations with FERPA’s school official framework and state privacy law requirements to ensure consistent, rights-respecting vendor engagements.​
- COPPA: verifiable parental consent, data minimization, transparent notices, parent access, and deletion upon request for under-13 users when outside a valid school authorization context.​
- CPRA: agency enforcement, limits on selling/sharing minors’ data, and expanded consumer rights relevant to California students and parents interacting with EdTech services.​
- FERPA: school official exception for vendors with legitimate educational interest, written agreements, security controls, and use limitations tied to an educational purpose.​
Assessing privacy compliance
The FTC provided a list of questions that the school or districts should ask of EdTech providers to help assess the level of compliance with COPPA and the types of data that will be collected from students using the EdTech tool (FTC, 2020).​
Schools and districts should demand specificity about categories of personal information collected, the purposes for collection, retention periods, and whether any data will be used for advertising, profiling, or other commercial purposes.​
When a provider cannot support school review and deletion of student data, or relies on advertising and behavioral tracking for monetization, those conditions are incompatible with school-consented COPPA collection.​
- Identify personal information elements collected, including identifiers, device data, usage analytics, and content submissions.​
- Document educational purposes and prohibit commercial uses unrelated to school-directed services.​
- Require school and parent access to review, correct, and delete children’s data, with defined processes and timeframes.​
- Assess security measures, confidentiality protections, and integrity controls aligned with district policies and vendor obligations.​
- Define data retention schedules and deletion commitments for children’s personal information and derived data.​
Terms of service and consent
Teachers may not have the detailed knowledge of privacy laws such as COPPA and SOPIPA to make the determination as to whether the EdTech tools are compliant with the requirements for data storage, parental approval, and data deletion requests.​
When a site is considered purely educational, the FTC allows schools to obtain verifiable parental consent for the EdTech companies to collect children’s personal information.​
For purely educational sites to accept consent from the school or teacher, they cannot share data collected from children under 13 for commercial purposes, the school must be able to review the child’s information collected, and the school must also be able to request deletion of information collected.​
PTAC’s Model Terms of Service warns that click-wrap agreements can bind districts to problematic conditions if accepted casually, and it offers model clauses on definitions, de-identification, modifications, security, and prohibitions on marketing uses.​
Districts should centralize acceptance of terms, prohibit classroom-level acceptance, and require vendor agreements that incorporate PTAC-aligned protections alongside COPPA and FERPA obligations.​
- Centralize approval to prevent teacher acceptance of vendor TOS without privacy and legal review.​
- Use PTAC model clauses to address data definitions, usage limits, de-identification, changes, and security.​
- Ensure COPPA school authorization conditions are met: no advertising uses, reviewability, and deletion on request.​
Common Sense Media reports
A comprehensive three-year analysis of 150 privacy policies from education technology applications was conducted by Common Sense Media, resulting in the 2019 State of EdTech Privacy Report.​
As noted in the report, most of the EdTech applications evaluated do not adequately define within their policies how privacy is preserved for student data.​
The scoring framework highlights recurring weaknesses in data collection footprint, data sharing disclosures, security controls, data rights, advertising and tracking, and the clarity of parental consent mechanisms.​
Schools and districts can leverage these evaluations to compare products beyond features and price, prioritizing tools with stronger controls and clearer commitments to student privacy.​
Third-party data processing
Third-party service providers are used to help process information collected by EdTech companies.​
Third-party data processing often requires data transmission outside of the original organization and additional copies of the data to be stored in locations that may be outside of the original legal jurisdiction where the privacy protections can be different.​
Because downstream processors may use different security and privacy controls, contracts must impose equivalent obligations, restrict onward transfers, and mandate timely deletion across all copies.​
Districts should require comprehensive vendor inventories of subprocessors, advance notice and approval for changes, and data maps showing collection, storage, and flow, including cross-border processing if applicable.​
- Demand a current subprocessors list and change notification with district approval rights.​
- Require equal or stronger protections for all subprocessors and ban use for advertising or profiling.​
- Map data flows and specify storage locations, access controls, and encryption for data in transit and at rest.​
- Mandate deletion propagation across all vendors and backups within defined timeframes.​
Third-party data breaches
According to Data Leaks, at least 68 data breaches occurred in 2020 that led to millions of records being exposed for banks, healthcare providers, insurance carriers, telecom service providers, and other organizations.​
Specifically, WildWorks, which has online safety experts on staff, had a third-party server expose 32 million usernames associated with parent accounts, encrypted passwords, and players’ birthdays and gender in November 2020.
K-12 cyber threat reporting indicates persistent growth in incidents affecting districts and vendors, reinforcing the need for due diligence, continuous monitoring, and incident response readiness in contracts.​
Vendor agreements should require prompt breach notification, cooperation with investigations, remediation support, and credit monitoring when appropriate, alongside post-incident security improvements.​
- Assess vendor breach history and security certifications as part of procurement review.​
- Require 72-hour breach notices at minimum, with defined contents and contact pathways.​
- Include audit rights and remediation plans following security events.​
- Tie renewal to demonstrated security posture improvements and transparent postmortems.​
Privacy violations
In 2017, Edmodo confirmed that hackers stole 77 million Edmodo user accounts, which included usernames, email addresses, and hashed passwords.
Although this research did not locate any data breaches or privacy violations in the news for SplashLearn or Kahoot!, the Government Accountability Office (GAO) reported that the data of thousands of students was compromised in 99 school data breaches from July 2016 to May 2020.
These events highlight the overlap of vendor and district responsibilities, where third-party failures can impact student data and require coordinated notification and remediation to comply with legal obligations and maintain trust.​
District playbooks should treat breach patterns as signals to tighten vendor onboarding, restrict data collection, and require independent security attestations or audits aligned with education contexts.​
Opportunities
Parents, teachers, and school administrators should learn more about how EdTech companies use student data.​
They should leverage the privacy evaluation reports provided by independent organizations such as Common Sense Media to help with the selection of EdTech tools, rather than choosing tools solely on price or features offered.
A modern district playbook can operationalize these expectations with concrete controls, procurement guardrails, and accountability across the EdTech lifecycle, from selection to offboarding and deletion.​
- Establish a centralized EdTech approval process that requires privacy review, security assessment, and legal signoff before any classroom use.​
- Require PTAC-aligned contract terms covering data definitions, permitted uses, de-identification standards, change management, and security controls.​
- Enforce COPPA school authorization conditions: no advertising or behavioral tracking, school/parent review rights, and deletion on request.​
- Minimize collection to what is reasonably necessary for an educational purpose, and disable optional analytics that are not essential to instruction.​
- Maintain a system of record for vendor inventories, data maps, subprocessors, and processing purposes, with regular updates and board visibility.​
- Align with CPRA/CCPA and FERPA by documenting processes for access, correction, deletion, and opt-out rights where applicable.​
- Mandate encryption in transit and at rest, role-based access, logging, and least privilege for vendor and district staff handling student data.​
- Set explicit retention schedules, with deletion SLAs for primary vendors and all subprocessors, and require deletion certificates upon termination.​
- Prohibit data sales or sharing for cross-context behavioral advertising and require limitations on profiling unrelated to school purposes.​
- Build DPIA-style risk assessments for high-risk tools, documenting mitigations and approvals prior to deployment.​
- Require third-party security attestations or audits appropriate for the product’s risk, and track remediation of findings.​
- Define breach notification timelines, content requirements, and cooperative obligations in incident response clauses.​
- Provide recurring educator training on student privacy responsibilities and safe tool adoption practices.​
- Publish parent-facing transparency pages listing approved tools, purposes, data elements, and rights request channels.​
- Conduct annual reviews of approved tools against current Common Sense Media evaluations and updated FTC guidance.​
Concluding remarks
Common Sense Media works closely with schools and districts to provide a privacy evaluation of EdTech tools that address stakeholder concerns.​
Standards for online safety and privacy for minors must be improved and modernized to align with the digital assets that children are creating and that companies are collecting for profit.
As COPPA updates and state privacy enforcement evolve, districts that institutionalize rigorous procurement, transparent communications, strong vendor contracts, and deletion-by-design will better safeguard student data.​
Publicly available evaluations and federal guidance together offer a practical roadmap for 2025, enabling schools and districts to choose tools that respect student rights and reduce exposure to third-party risks.
Hi, I’m Haider Ali, an author and co-founder at tigerjek.com and part of the TigerJek team. I hold a Bachelor of Technology in Computer Science from Shri Ramswaroop Memorial University. I’m passionate about technology, education, and web development, and I enjoy creating informative content that helps readers learn and explore new ideas. Through TigerJek, I aim to share useful knowledge and make digital learning accessible to everyone.