The average K-12 school district in the United States has signed data-sharing agreements with more than 1,400 third-party application providers. This is not a scandal. It is the standard procurement workflow. A district subscribes to a learning management system, a classroom response tool, a formative assessment platform, a student information system, a communication app for parents — each contract authorizing a flow of data that the district staff who signed them could not have read in full if they spent their entire careers on it.
The average student in that district will use 67 distinct EdTech applications over the course of a single academic year, according to industry analysis. Each application is nominally covered by a Data Privacy Agreement — a document that exists because the Student Privacy Project at the Data Quality Campaign started requiring them in 2014, and states began passing laws mandating them shortly after. The DPAs are supposed to be the consent layer. They are not.
The architecture that makes this pipeline legal is not a loophole in the conventional sense — it is a feature. FERPA, the Family Educational Rights and Privacy Act of 1974, prohibits schools from disclosing "education records" without parental consent. But it includes a carve-out called the "School Official Exception" that permits data sharing with vendors who are, in the statute's language, performing an "function for which the school would otherwise use employees" and who have "a legitimate educational interest" in the data.
In practice, this means a district can designate any vendor as a school official. The designation requires no audit trail, no demonstration of necessity, no notification to parents. A single district contract with Google Workspace for Education — used by more than 170 million students and educators globally — authorizes Google to collect name, email, keystrokes, browsing history, watch history, location, assignment submissions, and interaction patterns. The same Google account infrastructure that serves a student's schoolwork also serves their personal use. The data exists in one system regardless.
"While there is some adherence to data privacy agreements in terms of which data fields are being collected by the EdTech companies, some apps are collecting data elements that are not included in privacy agreements and sharing this data with third parties, including advertisers."
— Utah EdTech App Data Collection and Sharing: 2023–25 Investigation, published August 20, 2025
FERPA governs schools. It does not govern vendors. The moment data leaves the school's official systems and enters a vendor's infrastructure, FERPA has no jurisdiction. The vendor is subject to whatever state laws apply — and 20 American states have minimal student data privacy laws beyond the federal baseline. This is not a security failure. This is the designed outcome of a 50-year-old law that never anticipated an ecosystem of 1,400 application providers per district.
The Utah State Attorney General's office, in partnership with Brigham Young University and Internet Safety Labs, examined 85 EdTech applications that had signed Student Data Privacy Agreements with Utah schools. The results were published in August 2025. Sixty-one percent of those applications were sharing student data with third parties. Thirty-six percent were sharing data specifically with advertisers. Some of those applications were transmitting student information to 32, 33, or 54 separate advertising companies simultaneously, in violation of their own signed agreements.
The investigators then contacted 36 vendors who were sharing data with advertisers and asked them directly whether they engaged in behavioral or targeted advertising. Twenty of those 36 vendors — 56 percent — said no. Network traffic analysis conducted by Internet Safety Labs contradicted every one of those denials.
One application was tested twice at different points in the investigation. The first test found it sharing data with nine third parties, eight of which were advertising-related. The second test found no such sharing. The application had changed its data practices between the two testing windows, not because of regulatory pressure or a conscience, but because the investigation had made contact.
Children aged 10–11 cannot reliably distinguish dark patterns from normal interface design. In controlled studies, only 5.9 percent of children in this age group identified pre-selected privacy-invasive options — what researchers call Bad Defaults — as manipulative.
— Schäfer et al., "Growing Up With Dark Patterns," NordiCHI 2024
The most commonly shared unauthorized data element was the Unique User Identifier — UUID. UUIDs are not listed in any DPA as a permissible collection. They are, however, exactly what advertising networks require to build cross-site behavioral profiles. A UUID is not a name. It is better than a name for the purposes of retargeting.
The question of whether a third grader can meaningfully consent to a data-sharing agreement seems, on its surface, absurd. It is not the question the EdTech industry wants to answer. The industry prefers to discuss DPA compliance, COPPA safe harbors, and opt-out mechanisms. These are legitimate technical conversations. They are also, in a meaningful sense, beside the point.
The point is this: consent, in the context of data privacy law, is structurally predicated on the subject's ability to understand what they are agreeing to and to evaluate whether the terms are favorable. Research conducted at RWTH Aachen University and published at NordiCHI 2024 tested 66 fifth-graders — children aged 10 and 11 — on their ability to recognize manipulative interface design. The children were shown dark patterns embedded in cookie banners and asked to identify which ones were trying to manipulate them.
They could not. Detection rates varied by pattern type: 47.1 percent identified a trick question format, 47.1 percent identified sensory manipulation, 25.5 percent identified confirmshaming. For Bad Defaults — pre-checked boxes that authorize data sharing — the detection rate was 5.9 percent. Three children out of 66 correctly identified that a pre-selected privacy-invasive option was designed to manipulate them into giving up more than they intended.
The regulatory assumption that children above a certain age possess "persuasion knowledge" — the ability to recognize when they are being sold something and to adjust their behavior accordingly — derives from a 1994 model proposed by Friestad and Wright. Subsequent research has progressively complicated this model. A 2020 study published in the Journal of Youth and Adolescence found that early adolescents aged 12 to 14 required extensive disclosure of both the advertising nature and the persuasive intent of content before their persuasion knowledge activated. Older adolescents needed only the advertising disclosure. The age threshold is not where the law assumes it is, and the mechanism by which knowledge translates into resistance is not what the model predicted.
COPPA, the Children's Online Privacy Protection Act, sets the age of digital consent at 13 in the United States. Below 13, parental consent is required before collecting personal data. Above 13, the child is assumed competent to consent on their own behalf. The EU sets its baseline at 16, with member states permitted to go as low as 13. The UK's Children's Code sets 13 as its threshold. These are not coincidentally aligned. They are not independently derived from developmental science. They are convention, inherited from COPPA's 1998 passage, propagated through regulatory alignment across jurisdictions because alignment is easier than investigation.
The EdTech consent pipeline assumes a child of 13 can read a terms-of-service agreement, understand what data will be collected, why, and to whom it will be disclosed, evaluate whether the exchange is favorable, and decide freely whether to proceed. The data from the Utah investigation suggests this assumption is not merely optimistic. It is architectural — it is built into the system precisely because questioning it would require dismantling the pipeline.
The pipeline runs. The agreements are signed. The 1,400 applications per district continue to load. The child in front of the screen is not asked to consent to most of this. The school district consented on their behalf decades ago, in a configuration that has never been audited against what actually flows through it. What flows through it is behavioral data, device identifiers, learning patterns, and sometimes — in 36 percent of cases, per the Utah findings — information about those children sold to the people who want to sell them things.
The consent architecture does not malfunction. It functions exactly as designed. The problem is the design.