Education & Student Data

The Education Data Pipeline

From the moment a child enters the public school system, their data enters a commercial pipeline that follows them through college and into adulthood. Standardized test scores, behavioral records, disciplinary histories, learning disabilities, family income, career interests, and even browsing activity on school-issued devices — all of it is collected, stored, and in many cases sold or shared with third parties.

The federal law meant to protect student privacy, FERPA (Family Educational Rights and Privacy Act), was written in 1974 and has not kept pace with the digital age. FERPA allows schools to share student data with “school officials” who have a “legitimate educational interest,” a loophole that ed-tech companies have driven a fleet of trucks through. There is no private right of action under FERPA, meaning families cannot sue for violations — only the U.S. Department of Education can enforce it, and it has never once withdrawn federal funding from a school for a FERPA violation, never imposed a financial penalty, and never invoked the five-year ban that the statute authorizes.^[1] Withdrawing all federal funding is described as the “nuclear option” because it would devastate the very students it is meant to protect — which is precisely why it has never been used and likely never will be.^[2]

The result is a sprawling ecosystem where student data is collected under the guise of education and monetized for profit. Testing companies sell student contact information to college recruiters. Student information systems are breached, exposing tens of millions of children. Monitoring software surveils students’ every keystroke on school devices. And private equity firms quietly consolidate companies that hold data on the vast majority of American schoolchildren.

Testing & Admissions Data

College Board

What they collect: Student personal information collected during SAT, PSAT, and AP exam administration, including GPA, area of anticipated study, interest in religiously affiliated colleges, family income, contact information, and academic performance data. This data is licensed to colleges, scholarship programs, and other customers through the Student Search Service for recruitment and solicitation purposes at a rate of $0.47 per student name.^[3]

Scale: Approximately 1,900 schools and organizations purchase 2 to 2.5 million student names annually through the Student Search Service.^[3] The program generated approximately $75 million in revenue in 2021.^[4] In 2019 alone, the College Board improperly licensed the information of more than 237,000 New York students. Between 2018 and 2022, the College Board made $28 million selling New York student data alone.^[5]

Enforcement: On February 13, 2024, New York Attorney General Letitia James and NYSED Commissioner Rosa secured a $750,000 settlement — the first enforcement action under New York’s Education Law §2-d (the state’s student privacy law) — for sharing and selling student data collected via in-school PSAT and SAT exams.^[5] As part of the settlement, the College Board is now prohibited from selling or using contractually obtained student data for commercial or marketing purposes.^[6] Advocacy organizations in Illinois and other states have filed similar complaints urging attorneys general to stop the data sales.^[7]

Niche.com

What they collect: Student profile data used for “Direct Admissions” programs where colleges can accept students based on their Niche profile information. Niche collects academic data, test scores, extracurricular activities, demographics, and preferences from students searching for schools and colleges.

Scale: One of the largest college and school search platforms in the United States, with millions of students creating profiles annually. The company also licenses school-level data to other organizations.

Concerns: Niche’s “Direct Admissions” model raises questions about how student data is commercialized in the admissions pipeline. Students creating profiles for research purposes may not fully understand that their data is being packaged and made available to recruiters.

Appily (formerly Cappex)

What they collect: Student profile data for college matching, including academic information, test scores, and preferences. Cappex was acquired by EAB in September 2020 and rebranded as Appily.^[8] The platform now serves as EAB’s student-facing college search, comparison, and admissions tool.

Concerns: Cappex’s privacy policy stated that services “require collecting detailed personal information and in many cases sharing personal information with colleges, universities, counselors, scholarship administrators, EAB, employers, and marketing partners.”^[8] The platform is now integrated into EAB’s broader enrollment management ecosystem (see EAB below).

ASL Marketing (formerly American Student List / AlloyASL)

What they sell: Postal mailing lists, email data, digital, social, and mobile data targeting the 15–34 year old demographic. Data includes student contact information segmented by location, class year, GPA, hobbies, and career interests. Products include the “USA High School Student Marketing Database.”

History: Founded in 1972 as a data list compiler, ASL Marketing pioneered the compilation of student databases. In 2012, American Student List merged with Alloy Direct Marketing to form AlloyASL. The company later merged with Student Marketing Group, gaining additional email and direct mailing lists of high school and college students.

FTC enforcement: In October 2002, the FTC settled charges against American Student List and the National Research Center for College and University Admissions (NRCCUA) for collecting information from millions of students who were misled into believing their data would be shared only with colleges and universities. In reality, the companies sold the information to commercial marketers. Under the settlement, the companies were barred from using student data for non-educational marketing purposes.^[9]

Student Information Systems & Ed-Tech

PowerSchool (including Naviance)

What they collect: K-12 student information system (SIS) data including names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, parent/guardian information, passwords, health information, IEPs (Individualized Education Programs), financial information, course enrollments, standardized test scores, GPA, ethnicity, gender, citizenship status, and career interests. Through Naviance, PowerSchool also collects college exploration activities, strengths assessments, and assigns “predictions” about college success.

Scale: PowerSchool serves more than 18,000 school organizations across 90 countries, supporting over 60 million students. It is the largest K-12 student information system provider in North America.^[10]

Private equity: Vista Equity Partners acquired PowerSchool in 2015 and took it public in 2021. On October 1, 2024, Bain Capital completed a $5.6 billion take-private acquisition at $22.80 per share, with Vista and Onex Partners each retaining minority stakes.^[11] The private equity consolidation of ed-tech — where the same firms own the student information systems, the college recruitment platforms, and the data analytics companies — has drawn criticism for making data flows increasingly opaque and difficult for families to trace or control.^[12]

December 2024 breach: Described as the largest breach of American children’s personal information to date, the attack exposed data of 62,488,628 students and 9,506,624 teachers.^[13] The breach stemmed from PowerSchool’s customer support portal, PowerSource, which lacked multi-factor authentication.^[14] Between December 19 and December 28, 2024, the attacker performed “Maintenance Remote Support operations” in PowerSource to access individual customers’ SIS instances.^[14] PowerSchool paid a $2.85 million bitcoin ransom to have the stolen data deleted.^[15]

The hacker: Matthew D. Lane, a 19-year-old college student from Worcester, Massachusetts, pleaded guilty in June 2025 to orchestrating the attack with co-conspirators. On October 14, 2025, Lane was sentenced to four years in federal prison and ordered to pay more than $14 million in restitution.^[15] At sentencing, Lane told the court he was “thankful I got caught.”^[16] Texas Attorney General Paxton separately sued PowerSchool over the breach, which compromised data of over 880,000 Texas children and teachers.^[17]

Naviance privacy lawsuit: A proposed class action alleges PowerSchool caused millions of students to hand over data without knowledge or consent through Naviance, which was allegedly riddled with third-party tracking codes (including Heap Analytics) used to intercept, track, and disclose student data. Investigations revealed student data was being profiled and marketed, with “predictions” assigned about college success as early as first grade based on race and income, and access sold to targeted advertisers.^[18]

Chegg

What they collected: Student personal information including email addresses, usernames, names, passwords (stored as unsalted MD5 hashes), and sensitive scholarship data such as dates of birth, parent’s income range, sexual orientation, and disabilities.

Scale: 40 million subscribers affected by the 2018 breach. The company experienced four separate data breaches within three years.^[19]

Enforcement: In April 2018, a former contractor used login credentials to access Chegg’s Amazon S3 buckets, exposing data of 40 million users. Chegg failed to encrypt employee and user information and used weak hashing (unsalted MD5) for passwords. By September 2018, a threat intelligence vendor discovered 25 million user passwords posted in plain text on an online forum. In October 2022, the FTC brought action against Chegg for “careless security.”^[19] The January 2023 consent order required Chegg to implement a comprehensive information security program, encrypt data, offer MFA to users, limit data collection and retention, and allow users to delete their data. Key failures cited included lack of MFA, a single login for all databases, no monitoring for malicious activity, plain-text data storage, and no written security policy until January 2021.^[20]

Collapse: Chegg’s market capitalization fell from $14 billion in February 2021 to $191 million by November 2024 — a 99% decline — after the company warned in May 2023 that ChatGPT was killing its business, triggering a 49% single-day stock drop.^[21] By April 2025, Chegg was at risk of NYSE delisting after its stock price fell below $1. On October 27, 2025, the company cut 45% of its workforce (388 employees), blaming “new realities of AI.”^[22]

Pearson

What they collected: Student academic performance data through AIMSweb 1.0 software, including students’ names, dates of birth, and email addresses, along with administrator login credentials. Pearson is one of the world’s largest educational publishers and assessment providers.

Breach and cover-up: In November 2018, hackers exploited a critical vulnerability in AIMSweb 1.0 to exfiltrate 11.5 million rows of student data and admin credentials from 13,000 school, district, and university customer accounts.^[23] The attackers were later linked to a broader Chinese government-affiliated campaign: a federal grand jury indicted two Chinese citizens, Li Xiaoyu and Dong Jiazhi, for stealing hundreds of millions of dollars of trade secrets and intellectual property, sometimes on behalf of China’s Ministry of State Security.^[24]

Pearson was notified by the FBI in March 2019 but failed to patch the vulnerability for six months. In July 2019, Pearson’s semi-annual report referred to the breach as a “hypothetical risk” when it had already occurred. Pearson falsely stated the breach “may include” dates of birth and emails when it knew those records were stolen, and claimed it had “strict protections” in place despite the six-month unpatched vulnerability. In August 2021, the SEC fined Pearson $1 million for misleading investors about the breach.^[25]

EAB (formerly Education Advisory Board)

What they sell: Student recruitment data through the Intersect platform, which connects with PowerSchool’s Naviance to facilitate college admissions matching. EAB provides enrollment management, student success analytics, and marketing services to higher education institutions.

Corporate history: Founded in 2007 as a division of The Advisory Board Company. In 2017, Vista Equity Partners acquired EAB for approximately $1.55 billion.^[26] In September 2020, EAB acquired Cappex, a college research platform, later rebranding it as Appily.^[8] EAB works with over 2,800 educational institutions.

Concerns: EAB is the exclusive reseller of the Intersect platform, meaning universities cannot recruit Naviance users unless they purchase an Intersect subscription or an EAB product that bundles it.^[27] Student data collected through school-mandated platforms is repurposed for commercial recruitment without meaningful student or parent consent. The fact that Vista Equity Partners owned both PowerSchool and EAB simultaneously created a vertically integrated pipeline from K-12 student data collection to college recruitment monetization.

National Student Clearinghouse

What they collect: Student enrollment and degree verification data from over 3,600 colleges and universities. The Clearinghouse serves as the central repository for postsecondary enrollment records in the United States, verifying enrollment status, degree completion, and attendance dates for approximately 97% of all students in public and private U.S. institutions.

MOVEit breach (2023): Between May 28 and May 31, 2023, attackers exploited a vulnerability in MOVEit Transfer file-sharing software to access the Clearinghouse’s systems, compromising data from nearly 900 colleges including names, dates of birth, Social Security numbers, and enrollment records.^[28] In 2025, the Clearinghouse agreed to a $9.95 million class action settlement, with final approval granted on May 13, 2025. The settlement covered approximately 1.5 million individuals whose Social Security numbers were compromised.^[29]

Concerns: While the Clearinghouse serves a legitimate verification function, its centralized database of nearly every college student in America makes it a high-value target. Employers, lenders, and background check companies query enrollment records, creating a data pipeline that students may not fully understand when they enroll.

School Surveillance & Student Monitoring

A growing category of ed-tech companies operates under the premise of student safety, deploying software that monitors students’ digital activity on school-issued devices and accounts. While some of these tools have genuinely helped identify students in crisis, they also represent one of the most expansive surveillance operations targeting minors in the United States. A 2023 RAND Corporation study found only “scant evidence” that AI-based student monitoring tools actually improve safety outcomes, concluding that “no research to date has comprehensively examined how these programs affect youth suicide prevention.”^[30]

GoGuardian

What they monitor: Real-time screen monitoring, web filtering, and classroom management software for K-12 schools. Teachers can view students’ screens in real time, close tabs, lock browsers, and monitor browsing history. GoGuardian Beacon monitors for self-harm indicators.

Scale: Founded in 2014 (operating as Liminex, Inc.), GoGuardian monitors approximately 27 million students across 11,500 schools in the United States.^[31] The company reached a $1 billion valuation following a Tiger Global investment in 2021, with $303 million in total funding raised.^[32]

EFF investigation: In October 2023, the Electronic Frontier Foundation published a detailed investigation titled “How GoGuardian Invades Student Privacy” and launched the Red Flag Machine, an interactive project demonstrating how GoGuardian’s flagging algorithm consistently flags innocuous content — including college websites, counseling and therapy sites, pages about LGBTQ+ issues, the Holocaust, drug abuse prevention, the Marine Corps fitness guide, and Shark Tank cast biographies.^[31] The investigation also found that GoGuardian has given teachers the ability to view student webcam footage without consent when students take school-issued devices home.^[31]

Gaggle

What they monitor: School-issued email, Google Docs, Microsoft 365 documents, and other school platform content for signs of self-harm, violence, bullying, and other safety concerns. Gaggle uses a combination of AI scanning and human content reviewers to flag student communications.

Scale: Monitors approximately 6 million students’ school accounts across roughly 1,500 school districts.^[33]

Concerns: The Electronic Frontier Foundation gave Gaggle an “F” rating for student privacy, pointing to the AI’s inability to understand context when flagging student messages.^[34] Human reviewers read flagged student communications, including private conversations conducted through school email. The system has flagged students for discussing their sexuality, sharing memes, and writing about controversial topics in school assignments. The technology has in some cases outed LGBTQ+ students to school administrators and eroded trust between students and staff.^[33] Students have no practical way to opt out, as schools mandate the use of school-issued accounts.

Bark Technologies

What they monitor: Content monitoring software that scans children’s text messages, email, YouTube, and 30+ social media platforms and apps for signs of cyberbullying, depression, suicidal ideation, online predators, and other dangers. Also offers location tracking and screen time management.

Scale: Bark for Schools is used by over 3,700 school districts and is provided free of charge to K-12 schools.^[35] The company developed the school product after the 2018 Parkland shooting as a way to help schools protect students online at no cost.

Concerns: Bark’s free-to-schools model raises questions about how the school product subsidizes and feeds into its paid consumer (parental control) product. Privacy advocates have documented that content-scanning tools disproportionately flag LGBTQ+ students, students of color, and students from marginalized communities, as the algorithms are more likely to flag language used by these groups as “problematic.”^[36] A Vice/Motherboard investigation found that school monitoring tools blocked LGBTQ+ health content while failing to block white supremacist material.^[37] The tracking can “out” LGBTQ+ students by notifying school officials of searches related to sexuality and gender identity.^[36]

The Bigger Picture

The education data ecosystem is not a series of isolated companies — it is a pipeline. A student takes the PSAT in ninth grade, and their data enters the College Board’s Student Search Service, where it is sold to approximately 1,900 organizations at $0.47 per name. Their school district uses PowerSchool, so their grades, attendance, disciplinary records, and IEPs sit in a system that was breached and exposed 62 million students. Through Naviance, their college exploration activity is tracked and fed to EAB’s recruitment platform — which universities can only access by purchasing an EAB subscription. Every keystroke on their school Chromebook is monitored by GoGuardian. Their email is scanned by Gaggle. Their browsing is logged.

By the time a student graduates high school, dozens of companies have collected data about them — most of it without any meaningful consent from the student or their parents. FERPA’s enforcement mechanism has never once been used to its full extent. No school has ever lost federal funding for a privacy violation. No financial penalty has ever been imposed. The FTC has brought actions against individual companies like Chegg and ASL Marketing, but the structural incentives remain unchanged.

The private equity consolidation of ed-tech makes the problem worse. Vista Equity Partners acquired PowerSchool (2015) and EAB ($1.55 billion, 2017). EAB acquired Cappex (2020). EAB became the exclusive reseller of PowerSchool’s Intersect platform. When Bain Capital took PowerSchool private for $5.6 billion in 2024, Vista and Onex retained minority stakes. The data flows become increasingly opaque and increasingly difficult for families to trace or control. The children whose data fills these systems had no say in the matter. They were simply enrolled in school.

Sources & References