The latest wave of a backlash against Big Tech’s takeover of the K-12 education system has been building around the country in recent months.After the jump we’re covering a few of the symptoms of this takeover first and then take a look at what solutions might be brewing here in Illinois:

• Yet another international ed data breach last week
• Multi-million dollar settlement for students exploited by Naviance college application platform
• CPS ends contract with mental health tech company amid unresolved privacy issues
• What’s happening with regulating genAI in Illinois schools?
• Student Educational Technologies Rights Act introduced in ILGA

Is this an area you’d like to advocate with us on? Let us know via email or sign up here and select "human-centered ed"!

Another huge data breach + ransomware attack on student data

Last week there was yet another massive education data breach in the news. This time it wasn't Powerschool or AimsWeb or Illuminate, it was Canvas, a “learning management system” with data from 275 million users breached. Canvas is used heavily in colleges and universities, but also in many K-12 school districts in Illinois. Despite reassurances earlier in the week from Infrastructure, the company that sells Canvas, that the breach was controlled, days later many systems were still down; the University of Illinois at Urbana-Champaign postponed finals due to the attack. Some of the largest K-12 districts in Illinois use Canvas, including U-46, Indian Prairie D204 and Oswego D308.

Under the Student Online Personal Protection Act, companies holding student data must notify schools of a breach within 30 days, and schools must notify families within 30 days of learning of a breach. If you don’t know whether Canvas is used by your child’s school, in theory this should be an easy search on your district website for a list of all vendors getting student data—another requirement under SOPPA (but compliance varies!) Contact your school or district if you have questions about this breach. School districts must also list on their website any breaches within the last five years that affected more than 10% of students.

Unfortunately, SOPPA can only be enforced by our state attorney general. Parents and students can’t bring their own lawsuits under it, so vigorous advocacy is the best way to make sure school districts are in compliance. IL-FPS lobbied for an amendment to include a private right of action in SOPPA last spring, but that bill stalled in the Illinois Senate after passing the House.

Class action lawsuit settlement for student data privacy violations in Naviance—pass it on!

Although SOPPA lacks a private right of action, companies can be sued by families and students for violations of other state and federal privacy laws. A recent settlement of a class action lawsuit brought by a student against the companies that own Naviance and against Chicago Public Schools is an important example of this, where some of the laws in question are wiretapping laws.

PowerSchool, the current owner of Naviance, agreed to pay $17.25 million to resolve the lawsuit that alleged they—along with Hobsons, the previous owner of Naviance; Heap, a third-party data collection and analytics firm; and the Chicago Board of Education—unlawfully intercepted students’ sensitive education data and records when students used Naviance.

Naviance is software that schools use for college and career planning, including coordinating the college application process in many districts. In addition to extensive education records, like transcripts, test scores, and teacher recommendation letters, it also frequently has data from surveys with highly sensitive personal questions. Heap, according to their own website, “collects all the data on your customers — automatically. What they click. Where they go. What they do, even when you’re not looking.”

If your child used Naviance from August 2021 to January 2026, in any US school district, not just Chicago Public Schools, then they are likely a class member eligible to claim a payment under the settlement. Students who are now over 18 should be directly contacted by the company processing the settlement, Kroll Settlement Administration; students who are under 18 should be contacted via their parent. If you haven’t received a notice but think you should have, you can still submit a claim here. The claim deadline is July 27, 2026. We are interested to hear if people are getting postcards or emails about the settlement: [email protected]

Although CPS stopped using Naviance after the 2022-2023 school year, many Illinois school districts are still using Naviance. Naviance is primarily used in high schools, but also in some middle and elementary schools.

In 2022, Naviance was in the news for privacy and data exploitation issues, including paid promotions from colleges and universities disguised as suggestions within the app, some of which were targeted to exclude students of color. Targeted advertising using student data has been illegal in Illinois since 2017 under SOPPA as it was originally passed (despite an attempt by Hobsons and testing companies to weaken the law in 2018.)

One additional component of the settlement is that CPS' vendors will now have to annually attest (pp. 8-9) that they are following state and federal privacy laws. This may seem trivial given that they already sign contracts agreeing to such a provision, but it closes a loophole for future litigation to prevent companies from asserting that they were unaware of violations.

CPS ends contract with mental health tech provider

As we shared previously, Chicago Public Schools is ending a controversial contract with Hazel Health, a mental health tech company that was providing teletherapy counseling services to CPS high school students.

We brought up questions to the district a year ago and, along with other advocacy organizations, again last fall about whether the incredibly sensitive student data collected and processed by Hazel was being protected in accordance with SOPPA. Hazel’s merger with another mental health tech startup with an AI-based platform and a CEO who previously worked at Palantir raised additional questions.

The contract will end June 30th, and If your child received services from Hazel Health, we encourage you to 1) ask Chicago Public Schools to provide you with a copy of all records and information that Hazel is holding on your child, and then 2) request that the district have Hazel destroy any records they are holding. These are requests that you can make under state privacy laws. Please reach out if you have questions about how to exercise your rights under SOPPA and the Illinois School Student Records Act.

Hazel is also in use in several charter schools in Chicago. We do not know if the CPS contract included services to those schools. In addition, Hazel’s website lists East St. Louis 189 as another Illinois school district using Hazel. Parents should be demanding answers on exactly what student data Hazel holds and what they are using that data for given the problematic language in Hazel’s parental consent form.

What’s happening with generative AI use in Illinois schools?

Last month Fairplay, a watchdog organization protecting children from commercial exploitation released a position statement signed by 142 experts and 120 organizations, including IL-FPS, calling for “a five-year pause on all student-facing generative AI products in PreK-12 schools.” Read more about the motivation for issuing this statement here: “Pause GenAI in PreK-12 Schools for 5 Years, Orgs and Experts Say.”

Like the other signatories, we have serious concerns—around pedagogy, privacy and ethics—about the impact of generative AI use in schools. Our longtime advocacy work on protecting student data from security threats and commercial exploitation, going back to the 2013 battle against InBloom, has shown us again and again that Big Tech and others profiteering from public schools do not have the well-being of students, including their educational outcomes, as a priority. Most of what we are now being told about the promise of AI, generative and otherwise, has been falsely promised for decades about earlier education technologies.

Unfortunately, our state simply isn’t meeting the moment on this issue yet. Last year ILGA did pass a law directing the Illinois State Board of Education to issue “statewide guidance for school districts and educators on the use of artificial intelligence in elementary and secondary education” and, optionally, convene a statewide council “to consult on the further development of guidance, resources, and other support for school districts and educators.“

Unfortunately, we haven’t seen any transparency around the development of the guidance or opportunities for public input nor heard whether a council has been convened. There does not appear to be any mention of the public act on the ISBE website or discussion of how ISBE is carrying out the requirements of the law. (Have we missed something? Please let us know! [email protected]) Also, guidance is not policy nor legislation, and it has limited ability to protect students and their educational experiences.

Unfortunately, this is similar to what’s happened in the state’s largest school district so far. Chicago Public Schools first issued guidance for AI usage in the summer of 2024. The committee that created the guidance included no teachers, students or parents, and, to our knowledge, the process to create it did not include any input from these stakeholders. The most recent version of the CPS AI Guidebook lists a steering committee and operating committees (as does the CPS website) which still does not include these key stakeholders. Moreover, none of these committees appear to include anyone but district employees, i.e. no outside researchers with deep expertise of what we know (and don’t know!) about the impact of AI on human development, cognition, learning, and data privacy.

CPS policy has been updated to refer to the guidance, but it merely says “For CPS guidance and ethical use of AI, review the AI Guidebook at cps.edu/aiguidebook.” The guidebook itself has significant problems. We won’t go into detail here, but just as one telling example: it lists two generative AI applications that teachers are permitted to use, Google’s Gemini and Microsoft’s Copilot. But the listings for those applications in the district’s database for approved software under SOPPA simply say, “Approved for teachers with or without student data. Not approved for student use.” There is no data-sharing agreement available for either app, and families therefore have no idea what student information may be being processed by those applications, nor for what purpose.

Protecting human-centered education with the Student Educational Technologies Rights Act

One proposed remedy to some of these issues could be a bill introduced in Springfield this session by Sen. Robert Martwick, SB 3735, the Student Educational Technologies Rights Act, an initiative of two current university students concerned about how their personal data is being used.

The bill would establish three new student rights regarding education technology. The right to:

1. opt out of school-issued personal electronic devices, electronic textbooks, electronic required reading, or electronic or online assignments, and, instead, be provided with a non-digital equivalent;
2. request that a human teacher review any score or grade generated by artificial intelligence or an automated process; and        
3. opt out of predictive analytics systems without penalty.

SB3735 would also update SOPPA's definitions and requirements to explicitly apply to training artificial intelligence models. Importantly, it also updates the current restrictions on biometric info in the School Code. Right now, public schools can collect and process students’ biometric information, though only with parental consent and only for the purpose of fraud prevention or identification. SB 3735 would prohibit any collection of biometric information. Given the inability of districts and companies to keep data safe and secure, there is no justification for the collection of biometric information in schools that outweighs the risks to data that, as Illinois law itself says, “are biologically unique to the individual; therefore, once compromised, the individual has no recourse…”

SB 3735 allowing parents to opt children out of the use of digital technology altogether is a response to the overuse of screens in schools. Screen time, escalating for the past decade or more, but skyrocketing due to the requirements for remote learning during the pandemic, has finally ignited a backlash around the country. Some schools are getting rid of screens altogether, like this middle school in Kansas, or implementing screen time limits, like Los Angeles United School District recently did for older grades, along with removing screens from first grade and below entirely. New York City parents and privacy advocates are calling for a two-year moratorium on generative AI in schools and stopped the approval of an AI-focused high school.

Families in Illinois have been pushing back in some districts. Evanston D65 has an active group, Evanston Screen Sense, that is asking the district to allow parents to opt students in the early grades out of tech usage. Distraction Free Schools Illinois supports removing cellphones from schools, but it is also concerned about overuse of school-assigned devices and ed tech.

The General Assembly looks likely to implement a ban on cellphones in schools this month, an initiative of Gov. Pritzker. But we note that this is a relatively easy political lift for legislators: it’s a matter of telling schools to control the behavior of children and young people, and students have no lobbying organizations swarming the Capitol during session.

Unfortunately, ILGA and the Governor do not appear as motivated when it comes to policies that would actively rein in Big Tech’s influence in our schools. As we saw with the bill to add a private right of action last year to SOPPA mentioned above, there are big impediments to making changes that tech companies don’t want in Springfield. No legislation adding a private right of action to consumer or education privacy laws in Illinois has passed since the very robust Biometric Information Privacy Act back in 2008, which Big Tech and the business lobby have tried to water down ever since.

The Senate Executive subcommittee did hold a lengthy subject matter hearing on April 9th and 10th covering dozens of bills related to social media and AI, and there is a chance that some constraints on data centers and social media access for under 18 year olds could pass this session. (Read about some of the privacy and 1st Amendment concerns that latter bill raises here.)

Only a tiny number of bills at that Senate subcommittee hearing were related to K-12 education, including SB 3735. The deadline to move bills in the Senate out of committee has been extended for some legislation until May 15th. However, even if the Student Educational Technologies Rights Act doesn’t advance by the end of Spring Session, it is helpful for it to build momentum before then. So please ask your State Senator to sign on as a sponsor to this important bill: call and say that Illinois needs to do more to stop Big Tech exploitation of our kids and their private data.

As we said above, if you are interested in protecting human-centered education in K-12 from the overuse and inappropriate use of tech, especially the threats posed by generative AI, let us know, as the need for advocacy work in this area continues to grow!

Here are some good resources if you’d like to dig deeper into these issues: