Parts I and II of this series mapped the problem: the data your child generates at school flows through systems most parents have never heard of, governed by laws written before the internet existed, enforced by agencies that react to scandals rather than prevent them. If you read those pieces and felt a creeping sense of institutional failure — good. That's the accurate read. This piece is about what you do with it.
The architecture of children's digital surveillance isn't going to be dismantled by any single piece of federal legislation in the near term. Congress moves slowly. Vendors move fast. The realistic power is distributed: in household decisions, in school board meetings, in state capitals, and in the collective pressure that small numbers of organized, informed people can apply when they understand what they're actually looking at.
What follows is organized by scope — from the things you can do today in your own home, to the school-facing actions that require more effort but produce institutional change, to the legislative levers that are more accessible than most people realize. None of it requires technical expertise. All of it requires some time and a willingness to be the person who asks the annoying questions.
- ✓ Digital hygiene at home reduces your child's exposure footprint regardless of what the school does.
- ✓ FERPA gives you specific, enforceable rights to see records and challenge third-party vendor access — most parents never use them.
- ✓ School boards respond to organized, documented constituent pressure. Vendor contracts get renegotiated. Tools get dropped.
- ✓ State-level advocacy is more accessible than federal lobbying and is where children's privacy law is actually moving in 2025–2026.
- ✓ The PowerSchool breach of December 2024 — exposing an estimated 62 million students' records — is the clearest argument you have for why this matters right now.
01 Digital Hygiene at Home: What You Control Directly
The school environment is governed by institutional decisions that take time to change. Your home network and your child's devices are governed by you, and changes there can be made this week. This is the tier where you have the most immediate control and the lowest barrier to action.
The goal of home digital hygiene is not to eliminate all data collection — that ship has sailed — but to reduce unnecessary exposure, slow down the accumulation of behavioral profiles, and give your child a basic education in why these choices matter. That last part is as important as the technical steps.
School-issued devices are outside your direct control — treat them as school property, used for school tasks, and nothing else. For home devices your child uses, the following baseline configuration reduces the most common data collection vectors.
- Use the built-in parental controls your OS already provides before installing any third-party monitoring app. Apple Screen Time and Google Family Link handle app limits, screen time, content filtering, and location sharing without routing your child's data through a third-party company's servers. They are not perfect, but their data stays closer to home.
- Review app permissions quarterly. On both iOS and Android, go to Settings → Privacy → and audit which apps have microphone, camera, location, and contacts access. Revoke anything that doesn't have a clear, necessary reason for it.
- Disable advertising identifiers. On iOS: Settings → Privacy & Security → Tracking → turn off "Allow Apps to Request to Track." On Android: Settings → Privacy → Ads → Delete advertising ID. This does not stop data collection, but it breaks the persistent cross-app profile tied to a stable device ID.
- Turn off "precise location" for apps that don't need it. Weather apps need your general location. They do not need your front door. Set location access to "While Using" or "Approximate" rather than always-on precise.
- Use a browser with tracking protection enabled by default. Firefox with Enhanced Tracking Protection, or Brave, as a daily driver. Google Chrome on a child's device is an audience-building tool for Google. That's not conspiratorial — it's the business model.
- Set the device search engine to DuckDuckGo or Startpage. Search queries build detailed interest profiles over time. This is one of the highest-yield, lowest-friction changes on the list.
DNS-level filtering is the single highest-leverage network-side change available to most households. DNS is the system that translates domain names into IP addresses — it's involved in every request any device on your network makes. A privacy-focused DNS resolver intercepts requests to known tracking, ad, and malware domains before the connection is even established.
- CleanBrowsing Family Filter is free, requires no account, and blocks adult content and malware domains across all devices on your network. Set your router's DNS to 185.228.168.168 and 185.228.169.168. Takes about five minutes.
- NextDNS is a more configurable option that lets you build custom block lists, see logs of what your devices are connecting to, and block specific ad-tech and tracking domains by category. The free tier handles 300,000 queries per month — enough for most households.
- OpenDNS FamilyShield (208.67.222.123 / 208.67.220.123) is another no-account-required option with content filtering built in. Less granular than NextDNS but dead simple to deploy.
- Whatever you choose: set it at the router level, not on individual devices. Router-level DNS filtering covers every device on the network, including smart TVs, gaming consoles, and school-issued devices when they connect from home.
Every account your child has is a data collection relationship. Not all are worth having, and the ones that are worth having are worth configuring properly.
- Don't use a child's real birth date on non-essential accounts. On platforms that don't need to verify age for legal or financial reasons, a generic year is sufficient. Real birth dates, combined with name and school, are enough to anchor a detailed profile.
- Avoid using Google or Facebook "Sign in with" for a child's accounts. Single sign-on is convenient and is one login to track across every service it touches. Create standalone credentials for each service instead.
- Set up a dedicated email address for school-related signups — separate from any primary account. This limits cross-service tracking and makes it easier to audit what your child has signed up for.
- Before installing any app, check it on Mozilla's Privacy Not Included guide (foundation.mozilla.org/privacynotincluded). It rates apps and connected devices by how much data they collect, what they share, and what security track record they have. It takes two minutes and has saved more than a few holiday gift decisions.
- Review social media privacy settings twice a year. Platforms change their defaults with every major update, often toward more sharing. "Checking settings" is not a one-time task.
The goal is not to eliminate all data collection. It's to reduce unnecessary exposure and give your child an education in why these choices matter — because that education will outlast any setting you configure.
02 School-Facing Actions: Using the Rights You Already Have
FERPA gives parents specific, legally enforceable rights that most never use — not because the rights are hard to invoke, but because schools aren't required to advertise the most useful parts of them. Understanding what you can actually demand, in writing, from your child's district is the foundation of everything else in this section.
The December 2024 PowerSchool breach is the most useful recent illustration of what's at stake. A single compromised employee credential — and no multi-factor authentication on a customer support portal — gave an attacker access to an estimated 62 million students' and 9.5 million teachers' records across more than 6,500 school districts in the U.S. and Canada. The exposed data included names, addresses, dates of birth, Social Security numbers, medical information, and academic records in some districts — four decades of historical data in the case of Toronto's school board. PowerSchool paid a ransom to suppress the data, then watched as the same attacker subsequently attempted to extort individual school districts. A 19-year-old college student in Massachusetts was charged and pleaded guilty. SecurityWeek ↗
That breach did not happen because of exotic technical sophistication. It happened because a vendor holding decades of children's data did not require basic authentication hygiene. The data was there because districts had signed contracts with PowerSchool and had no visibility into how it was secured. That is the systemic pattern — and it is exactly what school-facing advocacy is designed to interrupt.
03 How to Actually Use FERPA
FERPA is a blunt instrument wielded with surgical precision by almost nobody. Here is how to use it.
Under FERPA, you have the right to inspect and review your child's education records. The school must comply within 45 days of your written request; some states require a shorter window. Submit the request in writing to the principal or district records officer and explicitly ask for records maintained by or on behalf of the district — including records held by third-party vendors under contract. That phrase matters. Without it, the district may return only the records it directly maintains and technically comply with the request while leaving out the behavioral data, monitoring flags, and AI-generated risk scores sitting in vendor systems. Ask specifically for any records related to behavioral monitoring, AI safety or wellness assessments, and learning analytics dashboards. Ask whether any AI-generated scores or flags about your child exist and, if so, what data they are based on. Get the school's response in writing.
FERPA's "directory information" exception allows schools to disclose certain basic student information — name, grade level, participation in activities, and similar data — without parental consent, as long as the school provides annual notice and an opportunity to opt out. Most parents never opt out because they don't know it's an option. Submit a written opt-out request to the district records officer before the beginning of each school year; your state's law may specify a deadline. Opting out does not prevent the school from sharing records for legitimate educational purposes, but it does close a disclosure channel that has historically been exploited by data brokers, marketing firms, and military recruiters. The district is required to honor the request.
No federal law requires districts to proactively publish the list of ed-tech vendors they share student data with. But several state laws do — notably Illinois, which requires districts to publish complete vendor lists publicly — and in every state, you can file a public records request for vendor contracts and data sharing agreements. In some states this is a formal Freedom of Information Act or state equivalent request; in others, a direct written request to the district will suffice. Ask for: the full list of ed-tech vendors with student data access, the data processing agreements or data sharing agreements with each vendor, documentation of what categories of student data each vendor receives, and whether any vendor uses student data for product improvement, research, or any purpose beyond the contracted educational use. The responses will tell you a great deal. The gaps in the responses will tell you even more.
If a school shares student data without proper authorization, allows a vendor to use student data for commercial purposes outside the educational contract, or denies a valid records request, that's a potential FERPA violation. Complaints are filed with the U.S. Department of Education's Student Privacy Policy Office at studentprivacy.ed.gov. The office investigates complaints and has authority to require districts to correct violations; in serious cases, it can refer matters to the Secretary of Education for enforcement action including the potential loss of federal funding — which is meaningful leverage. If the violation involves a COPPA issue (a commercial service collecting data from children under 13 without proper consent), file separately with the FTC at reportfraud.ftc.gov. The FTC's enforcement priorities are shaped in part by complaint volume. Individual complaints do move the needle over time.
04 Engaging the School Board: How Institutional Pressure Actually Works
School boards are elected bodies that respond to constituents in ways that regulatory agencies do not. They can require districts to publish vendor lists, mandate privacy impact assessments before new ed-tech tools are adopted, terminate contracts with vendors who exceed their data use terms, and establish standing privacy advisory committees with genuine authority. None of this requires waiting for the state legislature or Congress.
The pattern that works — documented in cases including the Lawrence, Kansas Gaggle lawsuit and multiple districts that have dropped surveillance vendors under community pressure — involves three elements: specific factual claims rather than general privacy concerns, organized numbers rather than individual complaints, and a clear ask rather than an open-ended grievance.
A school board meeting speech that says "I'm concerned about student privacy" achieves little. A speech that says "This district has a contract with Vendor X. That contract allows Vendor X to use de-identified student data for product development. Here is the contract language. Here is the FTC guidance that says school consent under COPPA does not extend to commercial product development. I am asking the board to direct the superintendent to renegotiate this term before the contract renews in June" — that is actionable. Get the vendor contracts through a public records request. Read them. Find the language that doesn't match what the school told you, or what the law requires. Bring the specific page and paragraph number.
Ten parents showing up to a board meeting with the same prepared remarks are materially more effective than one parent showing up ten times. The math is not subtle — elected officials count constituents. Build a small coalition before you go public: three to five parents who have read the contracts, prepared coordinated remarks, and are willing to follow up in writing after the meeting. Librarians, school counselors, and teachers are natural allies — surveillance platforms affect their professional relationships with students as much as they affect families. A prepared group that can document what it asked and what response it received creates a paper trail that the board cannot easily walk back from.
Vague asks get vague commitments that evaporate. Specific asks produce specific answers that go on the record. Effective asks at a school board level include: requiring the district to publish its full vendor list and data sharing agreements on a publicly accessible page on the district website; requiring a privacy impact assessment before any new ed-tech tool is adopted; requiring that any AI monitoring or behavioral analytics tool be reviewed by an independent committee before renewal; requiring that the district notify parents when any vendor changes its data use terms. Ask for a specific timeline and a specific person responsible for follow-up. Put your contact information in the record so the board cannot claim it could not reach you.
School districts are sensitive to local press coverage in ways they are not sensitive to individual parent complaints. If you have documentation of a privacy-related vendor contract issue, a pattern of student data being used outside its stated educational purpose, or a board that has declined to act on specific documented concerns, a well-prepared briefing to a local reporter — with the contract, the relevant law, and the board's non-response in hand — often produces results that direct advocacy does not. Education reporters are chronically under-resourced and actively look for stories with documentation. The PowerSchool breach generated national coverage precisely because documents existed and parents could point to specific harms. Local vendor contract issues can do the same at the district level.
05 The Transparency Gap: What Schools Should Be Publishing — and Aren't
A meaningful transparency standard for a school district would include, at minimum, a publicly accessible vendor registry showing every third-party ed-tech company with student data access; the specific categories of data each vendor receives; what the vendor is contractually permitted to do with that data; how long it is retained; and what parental rights exist with respect to each tool. Some districts publish this. Most do not. A handful of states require it.
- · Annual FERPA rights notice (often buried in a parent handbook)
- · A general statement that student data is protected
- · Technology acceptable use policies
- · A list of required software for specific classes
- → Full vendor registry with data categories received by each
- → Data sharing agreements available on request or by default
- → Clear disclosure of any AI monitoring or behavioral analytics tools
- → Retention schedules for each vendor
- → Opt-out mechanisms for each tool where possible
- → Privacy impact assessments before new tool adoption
Illinois requires districts to publish complete vendor lists. California's SOPIPA and AB 1584 require vendors to provide parents with access to their children's data and to notify families when data practices change. These are the models worth pointing to when making asks of your own district or your state representative.
06 State Legislation: Where Children's Privacy Law Is Actually Moving
Federal action on comprehensive children's privacy is stalled in the same place it has been for years. Congress is aware of the problem, holds hearings periodically, and has not passed meaningful reform. The states are where the actual movement is happening — and as of 2025 and into 2026, it is moving fast enough that individual constituent engagement genuinely affects outcomes.
The legislative landscape as of early 2026 is substantially different from what it was even two years ago. Twenty states now have comprehensive privacy laws in effect, with new laws in Indiana, Kentucky, and Rhode Island taking effect in 2026. States like Connecticut and Arkansas have tightened privacy protections for minors, with new age-appropriate design code requirements and restrictions on the sale and use of minors' personal data.
On children's privacy specifically, states enacted laws regulating children's and teens' access to social media in Arkansas, Louisiana, Nebraska, Oregon, and Virginia, while Nebraska's Parental Rights in Social Media Act bars minors from being social media account holders without parental consent. Oregon and Louisiana now explicitly prohibit the sale of minors' personal data and bar the use of minors' personal data for targeted advertising.
The legislative trend is bipartisan and it is accelerating. That is useful context for constituent engagement — state legislators on both sides of the aisle have political incentive to be seen as protecting children online, and the policy window is genuinely open in a way that federal policy is not.
When engaging your state representative or senator on children's privacy, the most effective asks are tied to specific, already-enacted models in other states. You are not asking them to invent something — you are asking them to adopt what is working elsewhere.
- Student data vendor registry requirement — modeled on Illinois' mandate that districts publish complete vendor lists. Applicable in any state without a similar requirement.
- SOPIPA-style advertising prohibition — California's Student Online Personal Information Protection Act prohibits ed-tech vendors from using student data for targeted advertising or building commercial profiles of students. More than 20 states have adopted similar laws; those that haven't are still operating without this baseline.
- Age-appropriate design code requirements — modeled on California's AADC and similar laws gaining traction across states, these require platforms likely used by minors to configure their defaults in ways that minimize data collection and prioritize children's interests.
- Sale of minors' data prohibition — Oregon and Louisiana enacted explicit bans in 2025. Any state without a similar prohibition is leaving a significant gap.
- Privacy impact assessments before ed-tech adoption — requiring districts to conduct or commission a formal assessment before deploying new tools with student data access. This creates a bureaucratic speed bump that filters out the worst actors before they're in the classroom.
- Meaningful enforcement authority for the state AG — the weakest link in most state student privacy laws is enforcement. Laws that give the state attorney general clear authority to investigate and fine vendors, with per-violation penalties large enough to matter, are substantially more effective than laws that rely on the federal complaint process.
The Student Privacy Compass at studentprivacycompass.org, maintained by the Future of Privacy Forum, tracks state-level student privacy laws and provides a searchable database by state and topic. The Parent Coalition for Student Privacy at studentprivacymatters.org publishes state law summaries and grades state frameworks on their coverage and enforceability. Before you contact a legislator, spend 20 minutes understanding what your state already has and where the gaps are. Going in with "my state has no SOPIPA equivalent and here is the California model" is more credible than a general ask for "stronger student privacy laws."
State legislators are significantly more accessible than federal ones. Many state legislators have small offices, answer constituent emails personally, and are genuinely influenced by a handful of well-prepared constituents raising a specific issue. The formula that works: identify yourself as a constituent with school-age children, name the specific issue (e.g., "our state has no prohibition on ed-tech vendors using student data for commercial purposes"), name the specific bill or model you'd like to see introduced or supported, and offer to provide additional information or meet. Keep it to one page. Follow up once if you don't hear back. Organizations like the Parent Coalition for Student Privacy periodically organize coordinated advocacy campaigns around specific state legislation — joining those amplifies individual contacts.
State legislative hearings on children's privacy and ed-tech regulation frequently include public testimony periods, and they are often poorly attended. A parent who shows up with a specific, factual story — "here is what I found when I requested my district's vendor contracts; here is what those contracts permit; here is why the current law does not address it" — is among the most persuasive forms of testimony available to a committee. Check your state legislature's website for the education and technology committee calendars. Bills that reach the hearing stage are at their most moveable; constituent testimony at that point can change outcomes in ways that letter-writing campaigns cannot.
07 Talking to Your Kids About This
None of the above produces lasting change if children don't understand the environment they're operating in. The technical protections you put in place now will eventually be navigated around or superseded by new platforms; the understanding of why those protections matter will not. This is not an argument for surveillance of your own child — it's an argument for teaching them what surveillance is.
The conversations that work are calibrated to age. For younger children, the concept of "digital footprints" — that things you do online leave traces that other people can see and keep — is the foundational idea. For older children and teenagers, the more specific mechanics of how platforms make money from attention and behavioral data are both understandable and genuinely useful. Most teenagers, when they understand that their usage patterns are being packaged and sold to advertisers, are significantly more interested in privacy settings than when privacy is framed as abstract parental concern.
The goal is not to produce anxious, paranoid teenagers who refuse to use any technology. It's to produce people who understand the transaction they're entering when they sign up for an account and who have enough context to make informed choices — the same context that the platforms' designers, user experience teams, and legal departments have, and that users are systematically denied.
"The platforms' designers know exactly what they're building. The question is whether the people using those platforms do."OccuNX — The Dispatch
08 Resources
- Mozilla's Privacy Not Included
Rates apps, devices, and services by data collection practices, security track record, and privacy policy quality. Invaluable before buying any connected product or downloading any app for a child. foundation.mozilla.org/privacynotincluded ↗ - CleanBrowsing — DNS Family Filter
Free DNS filtering for home networks. No account required. Blocks malware, phishing, and adult content domains across every device on your router. cleanbrowsing.org ↗ - NextDNS
Configurable DNS filtering with per-device logs and custom block lists. Free tier covers most households. More granular than CleanBrowsing for parents who want visibility into what their devices are connecting to. nextdns.io ↗
- U.S. Department of Education — Student Privacy Policy Office
Official FERPA and PPRA guidance, parent rights explainers, and complaint filing. The place to go if you believe your district has violated FERPA. studentprivacy.ed.gov ↗ - FTC — Report Fraud / COPPA Complaints
File consumer complaints about ed-tech or children's app violations. COPPA enforcement priorities are shaped by complaint volume — they matter. reportfraud.ftc.gov ↗ - Student Privacy Compass
State-by-state student privacy law tracker maintained by the Future of Privacy Forum. The fastest way to understand what your state has and hasn't enacted. studentprivacycompass.org ↗
- Parent Coalition for Student Privacy / Student Privacy Matters
State law database, district report cards, parent guides, and coordinated advocacy campaigns around specific state legislation. The most practically useful advocacy organization in this space. studentprivacymatters.org ↗ - Public Interest Privacy Center — State Student Privacy Resource
Policy analysis, legislative models, and guidance for parents and policymakers building stronger state-level frameworks. publicinterestprivacy.org ↗ - Electronic Frontier Foundation — Student Privacy
Research, surveillance vendor analysis, and digital rights resources. Particularly useful for understanding the technical architecture of ed-tech surveillance tools before bringing them to a board meeting. eff.org/issues/student-privacy ↗ - Knight First Amendment Institute at Columbia University
Litigation and legal analysis on school surveillance overreach. Source of some of the most detailed documentation of how AI monitoring tools operate in practice. knightcolumbia.org ↗
