PowerSchool's $17.25M Settlement Over Naviance Student Tracking

PowerSchool's $17.25M Settlement Over Naviance Student Tracking

A $17.25 million class-action settlement against PowerSchool is drawing renewed attention to a practice many families never knew existed: the silent, continuous surveillance of students through the very platforms schools assign them to use. The lawsuit centered on Naviance, a widely used college and career readiness tool, and alleged that the platform embedded third-party tracking software that collected student keystrokes, clicks, and private communications without consent from 2021 through 2026. The case is one of the clearest examples yet of how student data tracking edtech privacy failures can persist for years before anyone is held accountable.

What Naviance Was Actually Collecting — and For How Long

Naviance is not a niche tool. Used by millions of high school students across the United States, it serves as a hub for college application tracking, career assessments, and academic planning. Because schools assign it, students and families typically have no choice but to use it.

According to the lawsuit, the tracking embedded in Naviance went far beyond standard analytics. Third-party software allegedly captured keystroke-level data, meaning every character a student typed could be recorded. Clicks, navigation patterns, and private communications were also reportedly harvested. This type of data collection is not passive. It is granular, behavioral, and in many cases, far more revealing than a simple login record.

Perhaps most striking is the timeline. The alleged tracking spanned from 2021 to 2026, a five-year window during which millions of students may have had sensitive information collected without their knowledge or the knowledge of their parents or guardians. No consent was obtained. No clear disclosure was made. The surveillance was, by design, invisible.

Why School-Issued Platforms Are a Blind Spot for Student Privacy

When a company sells a consumer app and embeds trackers, users at least have the theoretical option to decline. When a school mandates a platform, that option disappears. Students must use the tool to complete assignments, submit applications, or access resources. This creates a fundamental consent problem that existing laws have struggled to fully address.

Federal frameworks like FERPA (the Family Educational Rights and Privacy Act) and COPPA (the Children's Online Privacy Protection Act) provide some baseline protections, but they were not designed with the complexity of modern edtech ecosystems in mind. A school can contract with a vendor. That vendor can embed third-party code. Those third parties can collect data. Each step may technically comply with existing rules while still resulting in student data flowing to entities that families have never heard of.

This dynamic is what makes the PowerSchool case significant beyond the dollar amount. It is a documented example of the gap between legal compliance and genuine transparency. The fact that the tracking allegedly continued for five years without public notice underscores how little visibility parents and students typically have into what school platforms actually do.

This problem is not limited to passive tracking. As the ShinyHunters breach of Canvas demonstrated, student data exposure spans both covert surveillance and active cyberattacks. When nearly 275 million student records were put at risk through that incident, it reinforced that the edtech sector faces vulnerabilities from multiple directions simultaneously.

How Hidden Keystroke and Communication Tracking Works

For readers unfamiliar with the technical mechanics, it is worth understanding how this type of tracking operates in practice. Third-party tracking scripts are typically embedded by platform developers during the build process. When a user loads a page, those scripts execute automatically in the background. The user sees nothing unusual.

Keystroke logging scripts can record input in real time, capturing what someone types before they even hit submit. Session replay tools can record mouse movements, scrolling behavior, and click patterns to reconstruct exactly what a user did during a session. Communication interception can occur when messages sent through a platform's internal system pass through third-party infrastructure before reaching their destination.

None of this requires special access to a device. It happens inside the browser, within the platform itself. Standard antivirus software does not flag it. Parental controls do not block it. Even privacy-focused browser extensions may not catch it if the scripts are deeply integrated into the platform's own code.

This is why consent and disclosure at the contract level, between schools and vendors, matters so much. By the time a student opens Naviance, the data pipeline has already been established.

What Families Can Do to Limit Edtech Surveillance

The PowerSchool settlement will not be the last of its kind. Edtech adoption continues to expand, and the financial incentives to monetize behavioral data remain strong. That said, families are not entirely without recourse.

Ask for the data inventory. Under FERPA, parents of students under 18 have the right to request access to educational records. Schools should also be able to provide a list of third-party vendors they share student data with. Requesting this list puts schools on notice that families are paying attention.

Review school technology policies annually. Many districts update their acceptable use and data privacy policies at the start of each school year. Reading these documents, even at a summary level, can reveal which platforms are in use and what data practices are disclosed.

Use browser-level protections where possible. While families cannot always opt out of school-assigned platforms, students using personal devices for schoolwork can benefit from privacy-focused browsers or extensions that limit third-party script execution, where such tools do not interfere with required platform functionality.

Engage school boards and administrators. The most effective long-term protection comes from institutional accountability. Parent-led questions at school board meetings about vendor contracts and data audits create pressure for stronger oversight.

Stay informed about edtech incidents. The PowerSchool case and the ShinyHunters Canvas breach are part of a broader pattern. Understanding that student data breaches and surveillance are recurring issues, not isolated events, is the foundation for demanding better protections.

The $17.25 million settlement against PowerSchool is a meaningful outcome, but the real significance is what it reveals about standard industry practices. If a platform used by millions of students for five years could embed undisclosed tracking software, the question worth asking is not just what Naviance was doing, but what other edtech platforms may be doing right now. Families, educators, and policymakers all have a role to play in demanding answers before the next settlement, not after.