EdTech Student Data: Who Is Reading the School Tablet?

The new "back-to-school" supply: data exhaust When a school deploys a learning platform, the tablet that lands in a student's hands is usually instrumented end-to-end. Keystroke timing, attention metrics, browsing telemetry, gradebook signals, and — under "engagement" labels — webcam-derived biometrics. A 2022 Human Rights Watch review of 164 government-endorsed edtech products found that 89% of them surveilled children in ways that risked or actually infringed on their rights. The 2026 follow-ups show many of the same vendors still in market. What the public record shows FTC COPPA Rule — the FTC's 2025 final rule update modernised the Children's Online Privacy Protection Rule, adding new obligations on school-context processing, data minimisation, and written consent. The rule text and FAQs on the FTC site define the enforceable bar. Human Rights Watch — Students Not Products (2022) — reviewed 164 government-endorsed edtech products and found the large majority surveilled children in ways that risked or actually infringed on their rights. The report names the products and the data flows. Common Sense Privacy — runs an ongoing privacy-evaluation programme for K-12 platforms. Their per-product summaries are the most accessible public reference for what each tool does with student data. Italian DPA Garante — banned a remote-proctoring tool in doc. web n. 9703988 (2021) on the grounds that the processing was disproportionate to the educational purpose. What actually leaks Surface / Signal / Risk LMS (Canvas, Schoology) / Login times, doc views, time on task / Behavioural profile follows the student Search / browser / Every query, every URL / Sensitive identity / health hints Webcam proctoring / Eye gaze, room scan, face identifier / Biometric template retained Gradebook integrations / Cross-platform identifiers / Profile re-identification What guardians can do Read the privacy policy of every required edtech app before the school year starts. Common Sense Privacy summarises most of them. File a school-record request under FERPA (US) or GDPR (EU) for the data the school holds. You are entitled to it. Use it as the lever. Push for opt-out clauses in district-level vendor contracts. School boards increasingly accept this; they didn't five years ago. Audit the device. Many chromebooks ship with employer-grade monitoring tools enabled. Check the "managed by" section. The kid is not the customer. The kid is the dataset. Until the contract language changes, the family's job is to shrink the dataset.