What Data Is Your Kid's School Collecting—and Who Can See It?

Schools collect far more data about children than most parents realize—from learning analytics to behavioral records. Here's what FERPA protects, what it doesn't, and your rights.

When you enroll your child in school, you sign a packet of forms. Buried in those forms is typically consent for the school to share your child’s educational records with vendors, contractors, and educational technology companies. A Common Sense Media analysis found that the average school district uses 1,449 edtech tools—platforms for homework, communication, learning management, testing, and student monitoring. Most of these tools collect data. Much of it is shared with third parties. The Student Privacy Compass project at George Washington University has documented extensive data sharing practices at schools nationwide, finding that many districts cannot accurately account for all the student data they generate and share. Understanding what’s being collected and what rights you have is the starting point for protecting your child’s privacy.

Key Takeaways

  • Schools collect academic records, behavioral data, disciplinary records, health information, and—through edtech tools—detailed digital behavioral analytics
  • FERPA (Family Educational Rights and Privacy Act) gives parents the right to review educational records and request corrections, but has significant exceptions that limit its protection
  • EdTech platforms can collect data beyond what schools realize—reading pace, click patterns, emotional state indicators, and inferred attributes
  • Parents have specific rights: to inspect records, request corrections, and opt out of some data sharing
  • The most actionable step is requesting your child’s education records and auditing which edtech platforms the school uses

What Schools Actually Collect

Traditional Educational Records (Protected by FERPA)

The Family Educational Rights and Privacy Act (FERPA), enacted in 1974, protects students’ educational records and gives parents the right to access them. Traditional records covered by FERPA include:

  • Grades and transcripts: Academic performance at every level
  • Disciplinary records: Suspensions, expulsions, behavioral incidents
  • Special education records: IEP (Individualized Education Program) files, evaluations, accommodations
  • Health records (limited): Health information collected by the school nurse or health office
  • Attendance records: Tardiness, absences, and their recorded reasons
  • Counselor notes: Records from school counseling sessions (subject to some exceptions for treatment records)
  • Enrollment information: School, grade, date of enrollment

These records belong to the school, but parents have a federally protected right to inspect and review them.

EdTech Data (Largely Outside Traditional FERPA Protections)

The modern classroom runs on software—and software collects data. The typical school in 2024 uses tools like:

  • Learning Management Systems (LMS): Google Classroom, Canvas, Schoology—these track assignment completion, submission timestamps, grades, and communication.
  • Adaptive learning platforms: Khan Academy, IXL, DreamBox—these collect detailed click-by-click interaction data including which problems a child attempted, how long they spent on each, whether they guessed, and how they responded to hints.
  • Assessment platforms: Classroom assessment tools that may collect not just scores but the path taken to arrive at answers.
  • Communication tools: Platforms like Remind or ParentSquare that log communication between teachers, students, and parents.
  • Monitoring software: Some districts use student monitoring tools (Gaggle, GoGuardian, Bark for Schools) that scan student communications and activity for safety concerns. These collect extensive behavioral data.
  • Proctoring software: For remote testing, tools like ProctorU or Respondus collect webcam footage, keyboard patterns, and screen recordings.

The EdTech Data Collection Problem

The data collected by edtech platforms goes far beyond what most parents imagine. Research by the Electronic Privacy Information Center (EPIC) and the National Education Policy Center has documented collection of:

  • Reading pace and patterns (how fast a student reads, where they pause, what they re-read)
  • Engagement indicators (time on task, interaction patterns)
  • Inferred emotional state (some platforms claim to detect stress, frustration, or engagement from keystroke patterns)
  • Predictive attributes (algorithms that claim to predict future academic performance, dropout risk, or behavioral issues)
  • Biometric data (from proctoring tools: eye movement, facial recognition, keystroke dynamics)

This data is generated by students in the course of their normal schoolwork. They haven’t consented to it (children legally cannot consent), and in many cases neither have their parents in any meaningful way—consent is buried in blanket agreements signed at enrollment.

Your Rights Under FERPA

FERPA gives parents of minor students specific rights:

Right to Inspect: Parents have the right to inspect and review their child’s educational records within 45 days of making a written request.

Right to Request Amendment: Parents can request that the school correct records they believe are inaccurate. If the school refuses, parents have the right to a formal hearing.

Right to Consent to Disclosure: Generally, schools must have written parental consent before disclosing educational records to third parties.

Major FERPA Exceptions

The consent requirement has significant exceptions that substantially limit FERPA’s protection:

School officials with legitimate educational interest: Schools can share records internally with teachers, administrators, and staff without parental consent.

Directory information: Schools can designate certain information (name, address, grade level, participation in activities) as “directory information” and share it without consent—unless parents specifically opt out.

Contractors and service providers: Schools can share records with vendors they’ve contracted to perform services—which is how edtech companies receive student data without explicit parental consent.

Transfer schools: Records can be shared with receiving schools.

Financial aid: Records relevant to financial aid processing.

Court orders: Records must be disclosed pursuant to legal orders.

Relevant Data Protection Laws Beyond FERPA

COPPA (Children’s Online Privacy Protection Act)

COPPA applies to commercial websites and online services directed to children under 13, requiring verifiable parental consent before collecting personal information. EdTech companies operating in schools are subject to COPPA when their services are used by children under 13.

In the school context, COPPA allows schools to provide consent on behalf of parents—which is how edtech companies can operate in K-12 schools without obtaining individual parental consent. However, the school is then responsible for ensuring the vendor uses the data only for educational purposes.

State Laws

Many states have enacted stronger student privacy protections than FERPA. California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law § 2-d, and similar laws in Colorado, Texas, and other states restrict how edtech companies can use student data and often prohibit targeted advertising based on student information.

Check whether your state has enacted student data privacy legislation—it may give you rights beyond federal law.

Data Sharing: What Schools Often Don’t Know

The Student Privacy Compass 2022 survey found that 69% of school district privacy officers were not fully aware of all the vendors their districts were using, and 61% didn’t know what data those vendors were collecting. The problem isn’t always intentional oversharing—it’s a systemic lack of visibility into the data flows created by deploying hundreds of edtech tools.

What Parents Can Do

| Action | How | Legal Basis |
|---|---|---|
| Request full education records | Written request to school principal | FERPA |
| Opt out of directory information sharing | Written opt-out to school | FERPA |
| Request list of edtech vendors used | FOIA request to school district | Varies by state |
| Request data deletion from edtech vendor | Direct contact with vendor | COPPA (for under-13); state laws |
| Challenge inaccurate records | Written challenge to school | FERPA |
| Opt out of specific edtech tools | Request alternative assignment from teacher | School discretion |

Step-by-Step: Requesting Your Child’s Education Records

  1. Write a letter or email to the school principal or district records officer: “Pursuant to FERPA, I am requesting complete access to all educational records maintained for [child’s name].”
  2. The school must respond within 45 days.
  3. Review all records for accuracy. Look specifically for: disciplinary entries you weren’t notified about, mental health or behavioral labels, any information you believe is incorrect.
  4. If you find inaccuracies, submit a written amendment request.

Step-by-Step: Auditing EdTech Use

  1. Ask your child’s teacher or school librarian for a list of digital tools used in their classrooms.
  2. Request the district’s complete edtech vendor list from the district administration (this may require a formal records request in some districts).
  3. Review the privacy policies of the tools your child uses. Look for: what data they collect, how long they retain it, whether they share with third parties, and what the data is used for.
  4. For tools you’re uncomfortable with, ask the teacher if an alternative paper-based assignment is available.

What to Watch For Over 3 Months

  • Month 1: Request your child’s education records from the school. This is your right under FERPA and establishes the baseline of what’s documented about your child.
  • Month 2: Ask your child’s teacher for a list of all digital tools used in their classrooms this year. Review at least the top 3–4 privacy policies for how data is used.
  • Month 3: Check whether your state has enacted student data privacy legislation (search “[your state] student data privacy law”). If so, you may have additional rights and the school has additional obligations.

Also watch for: schools deploying monitoring software that reviews student communications (many now do), proctoring software for remote tests, and any tool that appears to monitor student physical or emotional state.

Frequently Asked Questions

Can my child’s school share their data with colleges or employers?

Not without parental consent (until the child turns 18, at which point the FERPA rights transfer to the student). However, directory information (if you haven’t opted out) and information shared through specific authorized exceptions can reach third parties. Schools that participate in programs like College Board share relevant data with those organizations.

Does FERPA apply to private schools?

FERPA applies to any school that receives federal funding—which includes most private schools that accept federal financial aid or participate in federally funded programs. Some purely private schools with no federal funding may not be covered.

What happens to my child’s school data when they graduate?

Schools vary widely in retention policies. Under FERPA, schools must maintain records while the student is enrolled, but post-graduation retention isn’t specified. Many districts retain records for 5–7 years after graduation; some much longer. Edtech vendor retention varies by their individual policies.

Can I demand that an edtech company delete my child’s data?

Possibly. Under COPPA, you can request deletion of data collected from a child under 13. Some state privacy laws extend similar rights. Contact the vendor directly, reference the applicable law, and request confirmation of deletion. Schools can also terminate vendor contracts, which should trigger data deletion clauses in their agreements.


About the author

Ricky Flores is the founder of HiWave Makers and an electrical engineer with 15+ years of experience building consumer technology at Apple, Samsung, and Texas Instruments. He writes about how kids learn to build, think, and create in a tech-saturated world. Read more at hiwavemakers.com.


Sources

  1. Family Educational Rights and Privacy Act (FERPA). 20 U.S.C. § 1232g. https://studentprivacy.ed.gov/ferpa
  2. Common Sense Media. The App Generation: How K-12 Schools Use EdTech. commonsensemedia.org. https://www.commonsensemedia.org/research
  3. Electronic Privacy Information Center (EPIC). Student Privacy. epic.org. https://epic.org/issues/consumer-privacy/student-privacy/
  4. National Education Policy Center. Student Data Privacy in Practice. nepc.colorado.edu. https://nepc.colorado.edu/publications/student-data-privacy
  5. Federal Trade Commission. Children’s Online Privacy Protection Act (COPPA). ftc.gov. https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa
  6. Student Privacy Compass (George Washington University). EdTech Vendor Use in Schools 2022. studentprivacycompass.org. https://studentprivacycompass.org/resource-center/
  7. US Department of Education. FERPA General Guidance for Parents. ed.gov. https://studentprivacy.ed.gov/resources/ferpa-general-guidance-parents