Module 712 min read · AI in Education

Student Data, Privacy, and Ethics

The data generated by students interacting with AI-powered educational tools is among the most sensitive data in existence. It reveals cognitive abilities, learning patterns, emotional states, behavioral tendencies, and development trajectories. Protecting this data — and using it ethically — is not merely a compliance obligation but a fundamental duty of care that educators and institutions owe to the children and families they serve.

The Data Landscape in Modern Education

Contemporary educational technology generates staggering quantities of data. Every click, pause, keystroke, response, and revision in a digital learning environment can be logged and analyzed. Adaptive learning platforms track performance on thousands of micro-tasks. Learning management systems record time-on-task, discussion participation, and resource access patterns. AI writing tools analyze draft iterations. Attendance systems track physical presence. Some schools even use facial recognition and emotion detection software in classrooms.

The cumulative picture that emerges from this data is a remarkably detailed profile of each student — one that has commercial value, research value, and, if misused, the potential to harm students in ways that follow them into adulthood. A record of a student's learning struggles at age ten, their behavioral interventions, or their emotional state during class could affect their educational opportunities, employment prospects, or insurance eligibility if it fell into the wrong hands or was retained indefinitely.

Foundational Principle

Student data collected in educational contexts exists for one purpose: to improve learning for that student. Any use of that data beyond this purpose — for commercial targeting, research without consent, predictive profiling, or sale to third parties — represents a betrayal of the trust that students and families place in educational institutions. This principle should be non-negotiable in any AI tool evaluation.

Key Legal Frameworks: FERPA, COPPA, and GDPR

In the United States, two federal laws govern student data privacy. The Family Educational Rights and Privacy Act (FERPA) gives parents (and students over 18) the right to access, review, and request corrections to educational records. It restricts the disclosure of those records to third parties without consent. Schools that accept federal funding — effectively all public schools — must comply with FERPA.

The Children's Online Privacy Protection Act (COPPA) restricts the collection of personal information from children under 13 by commercial websites and online services. This has significant implications for EdTech products that may interact with younger students, though COPPA has notable gaps and enforcement limitations.

The European Union's General Data Protection Regulation (GDPR) sets a higher standard than either US law, requiring explicit consent for data collection, granting individuals the right to erasure, and imposing strict limits on data transfers outside the EU. Many international EdTech companies operate under GDPR standards globally because the bar it sets is both more principled and more practically unified than the patchwork of US regulations.

FERPA's Limitations

FERPA was written in 1974 — before personal computers, the internet, or AI existed. Its provisions do not adequately address the kinds of data collection and use that modern EdTech enables. Notably, FERPA's "school official" exception has been interpreted broadly enough to allow substantial sharing of student data with vendors. Educators should not assume that a vendor's FERPA compliance claims mean student data is well-protected; the law sets a floor, not a ceiling.

Evaluating EdTech Privacy Practices

When evaluating AI-powered educational tools, educators and administrators should conduct a thorough privacy review that goes beyond asking whether a vendor claims FERPA compliance. Key questions include:

  • What data does the tool collect, and is it limited to what is necessary for its educational purpose?
  • Where is the data stored, and what security measures protect it?
  • Is student data used to train AI models? If so, with what protections?
  • Does the vendor sell or share student data with third parties?
  • How long is data retained, and what are the procedures for deletion?
  • What happens to student data if the company is acquired or goes out of business?
  • Does the tool use AI to make predictions or inferences about individual students beyond its stated educational purpose?
Best Practice

Several US states have enacted student data privacy legislation that goes beyond FERPA, including prohibitions on behavioral advertising to students, requirements for data inventory transparency, and mandatory data breach notification. Many advocacy organizations publish annual "privacy ratings" of popular EdTech tools. Consulting these resources — and requiring vendors to complete data privacy impact assessments — are concrete steps schools can take to protect students.

Algorithmic Profiling and Its Risks

One of the most ethically complex dimensions of AI in education is the use of student data to generate predictive profiles. "Early warning systems" that identify students at risk of dropout, disciplinary action, or academic failure are now widely used in secondary and post-secondary education. These systems can help allocate support resources more effectively — but they also carry significant risks.

Predictive algorithms trained on historical data may embed the biases of past educational outcomes. If low-income students or students of color were disproportionately disciplined or failed in the past, a model trained on that data may predict that current students from similar demographic groups are at higher risk — creating a self-fulfilling prophecy that channels certain students toward lower expectations and more restrictive interventions.

Avoid Deterministic Use of Predictions
Algorithmic predictions should inform professional judgment, not replace it. A prediction that a student is "at risk" should trigger increased support and attention — never automatic restriction, reduced expectations, or tracking into lower-level programs.
Audit for Disparate Impact
Any AI system used to make consequential decisions about students should be regularly audited to determine whether its outputs systematically disadvantage students from particular demographic groups. If they do, the system must be adjusted or discontinued.
Maintain Transparency with Families
Students and families have a right to know when AI systems are being used to make predictions or recommendations about them, what data those systems use, and what decisions those predictions influence. Opacity in algorithmic systems violates the trust relationship that schools depend on.

Teaching Students About Their Own Data

Data literacy — understanding what data is collected about you, by whom, for what purposes, and with what consequences — is itself a critical competency that schools should teach. When students understand that their digital learning interactions generate data, that this data may be retained for years, and that it has value to third parties, they are in a better position to make informed choices about their digital lives.

This is not about making students paranoid; it is about making them literate. The goal is for students to understand the terms of the data exchange they participate in every time they use a digital tool — and to be equipped to advocate for their own privacy rights as citizens in an increasingly data-driven world.