BreachExpress

Cybersecurity, explained for the rest of us.

Family & Kids Online

EdTech Apps and Their Privacy Tradeoffs: What Parents Need to Know About Data Collection

Margot 'Magic' Thorne@magicthorneJune 8, 202612 min read
Illustration of a tablet displaying a colorful educational app interface with data collection icons floating above it

Your kid's math app knows more than you think. It knows how long they stared at problem 14 before giving up. It knows they get fractions wrong more often on Tuesdays. It knows their location when they open the app after school. It might know their full name, their teacher's name, and the names of the other kids in their class.

Educational technology apps promise personalized learning, instant feedback, and engagement that traditional worksheets can't match. Around 90 percent of teachers in the United States use digital tools in the classroom, according to industry reports. Many of these tools are genuinely useful. But the tradeoff is data collection at a scale that would alarm most parents if they understood what was happening.

Here's the underlying mechanism: how EdTech apps collect data, what they do with it, who sees it, and what you can actually control as a parent.

The Data Collection Mechanism

Educational apps collect data in three layers.

Layer 1: Account creation and profile data. When your child creates an account or the school provisions one for them, the app collects identifying information. This typically includes full name, age or grade level, email address (often a school-issued address), and sometimes a student ID number. Some apps request a profile photo. Others ask for gender, home language, or learning preferences during setup.

This layer is visible. You see a form. You fill it out. The data exchange is explicit.

Layer 2: Behavioral and performance data. This is where the collection becomes granular. The app tracks every interaction: which problems your child answered, how long they spent on each question, which answers were correct, which were wrong, how many attempts they made before succeeding or giving up, and the sequence in which they navigated through activities.

Reading apps track reading speed, comprehension scores, and vocabulary errors. Math apps track problem-solving strategies and common mistake patterns. Language apps track pronunciation attempts and grammar corrections. Adaptive learning platforms use this data to adjust difficulty in real time, but they also store it for analysis.

This layer runs silently. The app doesn't announce "now recording your child's sixth failed attempt at long division." It just does it.

Layer 3: Device and environmental data. Many apps request permissions that extend beyond the educational activity itself. Location access lets the app know where your child is when they use it. Camera access enables features like scanning worksheets or taking photos of completed work. Microphone access supports voice-based exercises or recording audio responses. Contact access might be requested for features that involve sharing work with classmates.

Device identifiers (advertising IDs, device serial numbers) allow the app to track usage across sessions and sometimes across different apps from the same vendor. Some apps collect data about other apps installed on the device or the device's operating system version.

This layer often surprises parents. You installed a spelling app. Why does it need to know your child's location?

What Happens to the Data

The data doesn't sit idle. Apps use it, analyze it, and in many cases share it.

Internal use for app functionality. The app uses behavioral data to personalize the experience. If your child struggles with fractions, the app serves more fraction practice. If they excel at vocabulary, the app increases difficulty. This is the stated purpose of data collection and the benefit parents are told to expect.

Analytics and product improvement. App developers aggregate data across users to improve the product. They analyze which features engage students, which lessons cause frustration, and which design elements lead to better outcomes. Aggregated data is less privacy-invasive than individual tracking, but the line between aggregated and identifiable data is not always clear. Small datasets or unusual patterns can sometimes be re-identified.

Third-party sharing. Many EdTech apps share data with third-party services. This includes analytics platforms (to track app performance), cloud storage providers (to host student work), advertising networks (to serve ads in free versions), and sometimes data brokers or research organizations.

The FTC has taken action against EdTech companies for sharing children's data with advertisers without proper consent. But enforcement is inconsistent, and many apps continue practices that push the boundaries of what's allowed under COPPA (Children's Online Privacy Protection Act).

School and district access. When a school adopts an EdTech app, administrators and sometimes teachers can access student data through dashboards. This might include performance metrics, time-on-task reports, and behavioral flags (like repeated incorrect answers or incomplete assignments). Schools use this data for progress monitoring and intervention decisions.

The question is whether parents know this access exists and whether they've consented to it. In many cases, schools sign agreements with vendors under FERPA (Family Educational Rights and Privacy Act) exceptions that allow data sharing without explicit parental consent.

The Legal Framework (and Where It Falls Short)

Two federal laws govern children's data in educational apps: COPPA and FERPA. Both have significant gaps.

COPPA applies to apps targeting kids under 13. It requires operators to obtain verifiable parental consent before collecting personal information, disclose data practices in a clear privacy policy, and limit collection to what's reasonably necessary for the app's purpose. COPPA also requires operators to provide parents with access to their child's data and the ability to delete it.

The problem: COPPA has a school exception. If a school signs a contract with an EdTech vendor for educational purposes, the school can provide consent on behalf of parents. This shifts the burden from the app developer to the school, and many schools lack the expertise or resources to evaluate vendor data practices rigorously.

FERPA applies to schools that receive federal funding. It protects the privacy of student education records and requires schools to obtain parental consent before disclosing those records to third parties. But FERPA includes exceptions for "school officials" with "legitimate educational interests," and many schools interpret EdTech vendors as falling under this exception.

The result: schools can share student data with app vendors without asking parents, as long as the vendor agrees to use the data only for educational purposes and not to build marketing profiles. Enforcement of these agreements is weak. The FTC has noted that schools often lack the capacity to monitor vendor compliance.

State laws add another layer. Some states have enacted student privacy laws that impose stricter requirements than COPPA or FERPA. California's Student Online Personal Information Protection Act (SOPIPA) bans EdTech vendors from selling student data, using it for advertising, or building profiles for non-educational purposes. Other states have similar laws, but coverage is uneven and enforcement remains limited.

What Gets Collected (Specific Examples)

Let's get concrete. Here's what specific categories of EdTech apps typically collect:

Reading and literacy apps (like Epic, Raz-Kids, Lexia): reading speed (words per minute), comprehension quiz scores, time spent on each book, books started but not finished, vocabulary words looked up, audio recordings of oral reading (if the app includes a read-aloud feature), and sometimes behavioral flags like "struggled with decoding multisyllabic words."

Math apps (like Khan Academy Kids, Prodigy, IXL): problem-solving time, correct and incorrect answers, number of hints requested, patterns of repeated errors, adaptive difficulty adjustments, and sometimes video recordings of problem-solving processes (if the app includes a "show your work" feature).

Communication and classroom management apps (like ClassDojo, Seesaw, Google Classroom): messages between students and teachers, messages between parents and teachers, student work submissions (including photos, videos, and documents), behavioral tracking points (like "participated in class" or "needs reminder to stay on task"), attendance records, and sometimes location data (if the app includes check-in features).

Assessment and testing apps (like Kahoot, Quizizz, Edulastic): test scores, time spent on each question, question-by-question performance data, comparison metrics (how the student performed relative to classmates or national averages), and sometimes biometric data (if the app includes proctoring features like webcam monitoring or keystroke analysis).

Creative and collaboration apps (like Minecraft Education Edition, Scratch, Flipgrid): project files, collaboration logs (who worked with whom), video or audio recordings (if the app includes presentation features), and sometimes social interaction data (like comments or messages between students).

Not every app in these categories collects all of these data points, but many collect most of them. The privacy policy is supposed to disclose what's collected, but privacy policies are often vague, use broad language, and bury the details in legal jargon.

The Surveillance Creep Problem

EdTech data collection creates a detailed longitudinal record of a child's academic performance, behavioral patterns, and sometimes social interactions. This record accumulates over years.

A child who uses the same suite of apps from kindergarten through fifth grade generates thousands of data points: every quiz score, every reading level, every behavioral flag, every struggle with a concept, every time they excelled. This data paints a picture of the child's strengths, weaknesses, learning style, and trajectory.

The concern is not just what the data reveals now, but what it could be used for later. Some researchers worry about the potential for EdTech data to feed into predictive algorithms that make judgments about a child's future potential. If an algorithm flags a third-grader as "unlikely to succeed in advanced math" based on early performance data, does that child get tracked into lower-level courses? Does the prediction become self-fulfilling?

These concerns are not hypothetical. Predictive analytics in education is a growing field. Some schools use algorithms to identify students at risk of dropping out or falling behind. The inputs to these algorithms often include data from EdTech apps.

The Electronic Privacy Information Center (EPIC) has raised concerns about the long-term retention of student data and the lack of transparency around how it's used. Many EdTech vendors retain data indefinitely unless parents explicitly request deletion. Even then, deletion is not always complete. Aggregated or de-identified data often remains.

What You Can Control (and What You Can't)

You have more control over EdTech data collection than you might think, but the control is fragmented and requires active effort.

At the device level, you can limit permissions. Both iOS and Android allow you to control which apps have access to location, camera, microphone, contacts, and photos. Go to Settings → Apps → [App Name] → Permissions and disable anything the app doesn't absolutely need for its core function.

If a spelling app requests location access, disable it. If a math app requests microphone access but your child never uses voice features, disable it. The app might complain or limit some features, but the core functionality usually remains.

At the app level, you can review privacy settings. Many apps include settings that let you limit data sharing or opt out of certain types of tracking. These settings are often buried. Look for a "Privacy" or "Data" section in the app's settings menu. Some apps let you disable analytics, opt out of personalized ads (if the app is ad-supported), or limit data sharing with third parties.

At the school level, you can ask questions. Schools are required under FERPA to provide parents with access to their child's education records, and some states require schools to disclose data-sharing agreements with EdTech vendors. Ask your child's school:

  • Which EdTech apps does my child use?
  • What data do these apps collect?
  • Who has access to the data?
  • Does the school have data-sharing agreements with these vendors? Can I see them?
  • How long is the data retained?
  • Can I request deletion of my child's data?

Some schools will be responsive. Others will be evasive or claim they don't have the information. Persistence helps. Asking the question in writing (email to the principal or district technology coordinator) creates a record and sometimes prompts a more thorough response.

At the vendor level, you can request data access and deletion. Under COPPA, you have the right to access your child's data and request deletion. Contact the app's support team (usually via email or a web form) and ask for a copy of all data associated with your child's account. Then request deletion.

Some vendors make this easy. Others make it difficult. You might need to provide proof of identity and proof of your relationship to the child. The process can take weeks. But it's your legal right, and exercising it sends a signal that parents are paying attention.

What you can't control: mandatory school apps. If the school requires your child to use a specific app for assignments or assessments, you can't opt out without opting your child out of the assignment. This creates a coercive dynamic. You can still limit permissions and ask questions, but you can't prevent the data collection entirely.

Some parents respond by having their child use the app only on a school-issued device (if the school provides one) rather than a personal device. This limits the app's access to data outside the school context.

The Practical Middle Ground

I'm not suggesting you ban all EdTech apps. Many are genuinely useful. The goal is informed consent and proportionate data collection.

Here's the decision framework I use when evaluating an app for my own household:

  1. Is the app mandatory or optional? If the school requires it, my leverage is limited. I focus on limiting permissions and asking the school for transparency. If the app is optional (a supplemental learning tool or a parent's choice), I apply stricter scrutiny.

  2. What data does the app collect, and is it proportionate to the function? A math app that tracks problem-solving performance is collecting data proportionate to its function. A math app that tracks location, accesses contacts, and shares data with advertising networks is not.

  3. Does the app have a clear, readable privacy policy? If the privacy policy is vague, uses broad language like "we may share data with partners," or doesn't specify retention periods, that's a red flag. Good privacy policies are specific. They name the types of data collected, the purposes for collection, the categories of third parties who receive data, and the retention periods.

  4. Can I limit data collection through settings or permissions? If the app lets me disable analytics, opt out of personalized features, or limit permissions at the device level, that's a point in its favor.

  5. What's the vendor's track record? Has the vendor been involved in data breaches or FTC enforcement actions? A quick web search for "[App Name] privacy" or "[App Name] data breach" often surfaces relevant history.

  6. Is there a less data-intensive alternative? Sometimes the answer is yes. A paper workbook collects zero data. A web-based tool that doesn't require account creation collects less data than an app that does. An open-source app with local data storage is more privacy-preserving than a cloud-based app with centralized data collection.

These questions don't always yield a clear answer, but they structure the decision. If an app fails on multiple criteria and there's a viable alternative, I choose the alternative. If the app is mandatory and fails on multiple criteria, I limit permissions, disable optional features, and make my concerns known to the school.

The Bigger Picture

EdTech data collection is part of a broader shift toward pervasive surveillance of children. Social media platforms, gaming apps, smart toys, and wearable devices all collect data on kids. The cumulative effect is a generation growing up under constant monitoring, often without understanding the extent of it.

The FTC has taken steps to strengthen COPPA enforcement and has proposed updates to the rule that would close some loopholes. But regulatory action is slow, and the technology moves faster.

Parents can't solve this problem individually. We need stronger laws, better enforcement, and a cultural shift that treats children's data as sensitive and worth protecting. But while we wait for systemic change, we can make informed choices about the apps our kids use, the permissions we grant, and the questions we ask of schools and vendors.

Your kid's math app will keep tracking their progress. That's what it's designed to do. But you can decide whether it also tracks their location, accesses their contacts, or shares their data with a dozen third parties. The controls exist. You just have to use them.

Parent and child reviewing app permissions together on a tablet screen
→ Filed under
educational appskids privacydata collectionCOPPAschool technologyparental controls
ShareXLinkedInFacebook

Frequently asked questions

Educational apps commonly collect names, ages, email addresses, grades, test scores, time spent on activities, wrong answers, behavioral patterns, location data, and device identifiers. Some also request access to cameras, microphones, and contacts.
Yes. COPPA (Children's Online Privacy Protection Act) requires apps targeting kids under 13 to obtain verifiable parental consent before collecting personal information, disclose data practices clearly, and limit data collection to what's necessary for the app's purpose.
It depends on the agreements the school signs with app vendors. Many EdTech contracts allow data sharing with analytics providers, advertising networks, or other third parties, sometimes without explicit parental consent under FERPA exceptions.
Review the app's privacy policy, check the permissions it requests on your device (Settings → Apps → [App Name] → Permissions), and ask your child's school for copies of data-sharing agreements with EdTech vendors.
Disable unnecessary permissions (location, camera, microphone) at the device level, use privacy-focused settings within apps when available, and ask schools which apps are mandatory versus optional so you can make informed choices.

You might also like

A parent and child sitting together looking at a tablet screen showing blocky game graphics
Family & Kids Online

Roblox and Minecraft: the risks parents miss

Roblox and Minecraft expose kids to chat predators, data harvesting, and spending pressure. Here's how the platforms work and what you can control.

11 min · Margot 'Magic' Thorne · May 28

Parent and teenager looking at phone screen together, conversation about social media safety
Family & Kids Online

Is TikTok Safe for Kids? The Mechanism Behind Social Media Risk

TikTok, Instagram, and Snapchat expose kids to algorithmic manipulation, data harvesting, and predatory contact. Here's how the platforms work and what parents can control.

12 min · Margot 'Magic' Thorne · May 20

Parent and child looking at phone screen together in conversation
Family & Kids Online

Group chat moderation for kids' phones: Step-by-step setup and what you can actually control

Configure monitoring, set boundaries, and establish check-in routines for kids' group chats. Here's what works, what doesn't, and how to balance safety with trust.

11 min · Margot 'Magic' Thorne · Jun 1