In December 2022, the U.S. Department of Education completed a four-year review of 1,504 school districts to see how they communicated student privacy information on their websites. The results were never published with much fanfare, but they revealed something troubling: most parents had no clear way to understand what data their children's schools were collecting, who had access to it, or what would happen if it leaked.

This opacity sits at the heart of educational technology's privacy problem. Schools have rapidly adopted digital learning tools—a trend that accelerated dramatically during the pandemic—but the legal frameworks governing student data were built for a different era. FERPA, the primary federal law protecting student education records, became law in 1974. The internet was barely a concept. The idea that third-party vendors would process millions of students' behavioral data, reading habits, and assessment scores through cloud-based platforms wasn't on anyone's radar.

When Old Laws Meet New Technology

FERPA gives parents the right to inspect their children's education records and generally requires schools to obtain consent before sharing personally identifiable information. Straightforward enough when "education records" meant file cabinets in the principal's office. Less straightforward when a single learning app might track how long a student hesitates before answering a math problem, flag patterns that could indicate learning disabilities, and share anonymized versions of that data with researchers—all before lunch period ends.

The law does allow schools to share student data with "school officials" who have "legitimate educational interests" without parental consent. Many schools interpret this exception to include education technology vendors acting as service providers. Parents often don't know this is happening. Even when schools send home technology consent forms, they're frequently dense, legalistic documents that few people read thoroughly.

COPPA—the Children's Online Privacy Protection Act—adds another layer of complexity. Designed to protect children under 13 from commercial data collection online, it requires websites and apps to obtain verifiable parental consent before collecting personal information. But as Sara Kloek, Vice President of Education Policy at the Software & Information Industry Association, noted in February 2026, COPPA "was designed to work outside the school context." When schools provide ed tech tools to students, COPPA's requirements can conflict with FERPA's provisions, leaving educators confused about which rules apply.

The Breach Problem Nobody Wants to Talk About

Data security isn't just a technical concern—it's a privacy rights issue. When school systems suffer ransomware attacks or data breaches, student information ends up exposed. We're not talking about abstract "data." We're talking about Social Security numbers, special education diagnoses, disciplinary records, and home addresses.

Ransomware attacks on school districts have become common enough that the Department of Education now provides specific guidance on responding to them. The February 2026 National Winter Webinar Series dedicated an entire session to data security best practices and simulated data breach training. The fact that such training is necessary tells you everything about the current threat environment.

The challenge multiplies when breaches happen at vendor companies rather than schools themselves. A district might have excellent cybersecurity practices, but if the reading app they use gets hacked, student data leaks anyway. Schools often lack clear protocols for managing third-party breaches, and parents may never be informed that their children's information was compromised by a company they'd never heard of.

The Transparency Gap

In February 2026, Education Week featured Kloek discussing growing concerns among parents and policymakers about "ineffective ed tech, data privacy, and lack of clear communication about the value and purpose of digital learning tools." That lack of communication cuts both ways. Parents don't understand what data is being collected or why. Educators don't always understand the privacy implications of the tools they're asked to use.

The Department of Education's Student Privacy Policy Office has tried to address this through resources and training. They've created audience-specific materials for school officials, parents, vendors, and researchers. They've developed interactive flashcards on cybersecurity basics like phishing and multifactor authentication. In December 2018, they implemented a risk-based approach to processing FERPA complaints, trying to provide more timely responses.

But resources and training only help if people know they exist and have time to use them. The third session of the February 2026 webinar series focused on "Transparency and Vetting Educational Technology"—teaching schools how to assess ed tech tools for privacy protections before implementation. This is the right approach, but it places an enormous burden on already-stretched school technology coordinators who may lack privacy law expertise.

Fixing What's Broken

The path forward requires more than better training or clearer guidance documents. We need updated laws that reflect how education actually works in 2026. FERPA amendments should explicitly address cloud computing, artificial intelligence in learning platforms, and the role of ed tech vendors as something more than "school officials." COPPA needs carve-outs or clarifications for educational contexts that don't undermine its consumer protections.

States have started filling the federal void. Several have passed their own student privacy laws, creating a patchwork that makes compliance harder for vendors operating nationally. Federal modernization would provide consistency while raising baseline protections everywhere.

Schools, meanwhile, need to treat data minimization as a core principle. Just because a platform can collect behavioral data doesn't mean it should. The most privacy-protective approach is often the simplest: collect only what's necessary for the educational purpose at hand, keep it only as long as needed, and delete it thoroughly when done.

Parents deserve clear, jargon-free annual notices explaining what data their children's schools collect, which vendors access it, and how they can exercise their inspection and amendment rights under FERPA. Not 20-page PDF documents buried on a website—actual communication designed to inform rather than merely comply.

The promise of educational technology is real. Adaptive learning platforms can meet students where they are. Data analytics can help identify struggling learners before they fall too far behind. But none of that justifies treating student privacy as an afterthought or accepting security practices that would be scandalous in any other context. Students are entitled to learn without becoming products.