Privacy Guide · May 14, 2026 · 9 min read

How to Protect Your Child's Privacy From EdTech Apps

By Sarah Chen

Head of Privacy Research

Educational technology has transformed the classroom — but it's come at a steep cost to student privacy. A staggering 96% of EdTech apps share students' personal, academic, and behavioral data with third parties. With the updated COPPA rules taking full effect in April 2026, parents need to understand the risks and take action to protect their children's digital privacy.

The Scale of the Problem

Modern classrooms rely on dozens — sometimes hundreds — of EdTech apps and platforms. From learning management systems like Google Classroom and Canvas to specialized tools for math, reading, and coding, students generate enormous amounts of data every school day.

This data includes far more than grades and assignments:

  • Behavioral data — how long a student spends on each question, where they click, what they struggle with
  • Biometric data — some platforms use facial recognition for proctored exams or attendance
  • Location data — school-issued devices and apps may track a student's physical location
  • Communication data — messages, discussion posts, and collaborative work within platforms
  • Personal information — names, birthdates, school IDs, parent contact information, and sometimes Social Security numbers

Between July 2023 and December 2024, over 9,300 cyber incidents targeted approximately 5,000 K-12 schools, underscoring how attractive this data is to bad actors.

The Data Broker Pipeline

When EdTech apps share data with third-party analytics and advertising companies, that data can end up in the hands of data brokers who compile detailed profiles. A child's browsing habits, academic performance, and behavioral patterns can follow them into adulthood, affecting college admissions, employment prospects, and insurance rates.

What COPPA Means for Your Child

The Children's Online Privacy Protection Act (COPPA) is the primary federal law governing children's data. The FTC finalized major updates that took effect on June 23, 2025, with full compliance required by April 22, 2026.

Key COPPA Protections

  • Applies to children under 13 — websites and apps directed at children, or that knowingly collect data from children under 13, must comply
  • Parental consent required — companies must obtain verifiable parental consent before collecting, using, or disclosing children's personal information
  • Updated consent methods — the 2026 rules modernize how companies can verify parental consent, including new digital verification options
  • Limits on third-party sharing — companies must get separate, explicit parental consent before sharing children's data with third parties
  • Data minimization — apps cannot collect more data than is reasonably necessary for the child to participate in the activity

The School Consent Loophole

Under COPPA, schools can provide consent on behalf of parents for data collection that serves a legitimate educational purpose. While this streamlines technology adoption, it creates a significant gap: schools may consent to apps they haven't fully vetted, and parents may not even know which tools are being used.

The Teen Gap

COPPA only protects children under 13. Teenagers aged 13-17 fall into a regulatory grey zone where most EdTech platforms treat them like adult users, with minimal restrictions on data collection and sharing. Some states are addressing this — California's Age-Appropriate Design Code and similar state laws are beginning to extend protections to older minors.

How to Audit Your Child's EdTech Exposure

Taking control starts with understanding what apps and platforms your child uses. Here's how to conduct a privacy audit:

Step 1: Get the Full List

Ask your child's school or district for a complete list of EdTech tools used in the classroom. Many districts maintain an approved technology list on their website. Don't forget to check for apps used for homework, testing, or enrichment activities.

Step 2: Review Privacy Policies

For each app, look for the privacy policy and check:

  • What data is collected from students
  • Whether data is shared with or sold to third parties
  • How long data is retained after the school year ends
  • Whether the company has signed a Student Data Privacy Agreement with your district

Step 3: Check for Third-Party Certifications

Look for platforms that have been vetted by organizations like the Student Data Privacy Consortium or that carry iKeepSafe COPPA or FERPA certifications.

Step 4: Review Device Settings

If your child uses a school-issued device, check what management software is installed and understand what data is being collected outside of school hours. For personal devices, review app permissions and disable unnecessary access to location, microphone, and camera.

7 Steps to Protect Your Child's Privacy

  1. Opt out when possible — Ask the school about alternative assignments for platforms with poor privacy practices. You have the right to withdraw consent for non-essential data collection.
  2. Minimize personal information — When creating student accounts, use only the minimum required information. Avoid using your child's real photo as a profile picture.
  3. Use a dedicated email — Create a separate email address for your child's school accounts, keeping it isolated from personal communications.
  4. Disable unnecessary permissions — Turn off location tracking, camera access, and microphone access for apps that don't require them for core functionality.
  5. Request data deletion — At the end of each school year, request that EdTech platforms delete your child's data. Under COPPA, platforms must honor these requests.
  6. Monitor for data broker listings — Search for your child's name on major people-search sites. Children's data increasingly appears on these platforms through school records, parent records, and EdTech data sharing.
  7. Advocate at the district level — Attend school board meetings and push for stronger technology vetting processes, Student Data Privacy Agreements, and regular audits of approved platforms.

State Laws That Provide Additional Protection

Several states have enacted laws specifically addressing student data privacy beyond what COPPA requires:

  • California (SOPIPA) — Prohibits EdTech companies from selling student data or using it for non-educational targeted advertising
  • New York (Education Law 2-d) — Requires schools to have data privacy agreements with all EdTech vendors and gives parents the right to file complaints
  • Illinois (SOPPA) — Requires schools to publish lists of all EdTech tools and their data practices, and gives parents the right to inspect and correct their child's data
  • Colorado, Connecticut, and Virginia — Recent comprehensive privacy laws include specific provisions for children's data with stricter consent requirements

How PrivacyOn Helps Protect Your Family

While you can't control every app your child's school uses, you can control what data brokers know about your family. PrivacyOn's family plan covers up to 5 family members — including children — and continuously monitors 100+ data broker sites for their personal information.

If your child's data has leaked through an EdTech platform and ended up on people-search sites, PrivacyOn automatically submits removal requests and monitors for re-listing. Combined with dark web monitoring to catch compromised school credentials, it's a comprehensive safety net for digitally exposed families.

Your child's academic data shouldn't follow them for life. By auditing EdTech tools, exercising your COPPA rights, and using automated monitoring, you can significantly reduce the long-term privacy risks of modern education.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
