By: Sam Cortez
Updated: 17 February, 2026
As technology becomes increasingly prominent in the classroom and at home, adults and children alike find themselves frequently engaged in their devices. A 2021 report by Common Sense Media found that among children ages 8-12, 57% own a tablet and 43% own a smartphone.
Children are becoming more involved with technology at a younger age than ever. While there are many upsides to technology — such as connectedness, educational opportunities, and entertainment — it’s important to be aware of the risks as well. In today’s society, it's essential for educators to address the importance of protecting student privacy.
The Storage Networking Industry Association defines data privacy as an area of data protection that concerns the proper handling of sensitive data including personal data. Understanding and implementing data privacy practices can help protect individuals from the harmful consequences of data breaches and exploitation.
Websites and apps collect personally identifiable information from their users such as their name, location, birthday, occupation, address, payment methods, and more. Often, users are asked for this information when signing up for a new account, taking online quizzes, shopping online, playing games, and using apps.
It may seem harmless, but providing websites with personal information can leave individuals vulnerable to cyberattacks and identity theft. Additionally, the data collected can be used to exploit children through online advertising.

Statistic Graphic: "Among children ages 8-12, 57% own a tablet and 43% own a smartphone."
With even the best of intentions, parents and educators can put children’s information at risk. Many websites and applications intended for educational purposes collect sensitive data from underage users.
Human Rights Watch, a worldwide advocacy group, analyzed data collection and student privacy practices in 164 different educational apps and websites across 49 countries.
The results indicated that almost 90% of the educational apps and websites surveyed had features designed to collect information for the purpose of sharing it with advertising companies. This is an alarming statistic that emphasizes the risks children are exposed to when using technology.
While legislators and school officials are taking steps to protect student data privacy and security in education institutions, online privacy continues to be a struggle. According to the K12 Security Information Exchange’s 2022 Annual Report, there have been 1,331 publicly disclosed cyber incidents affecting U.S. school districts since 2016.
A reported 33% of these incidents were student data breaches. If these are the numbers for data breaches in education, just imagine how much greater the risk becomes when children use social media applications on their own personal devices.
Educators and parents will not always be able to fully prevent children’s personal information from being exposed, but they can encourage students to understand and respond appropriately to those risks.
However, before teachers begin building lessons, they should spend some time familiarizing themselves with the legal frameworks that govern student data: FERPA, COPPA, and CIPA. Reviewing these laws helps educators avoid unintentional missteps and provides context in which to ground classroom discussion.
Educators who teach digital privacy are already thinking about how students interact with the internet, but students aren't the only ones whose actions matter.
Teachers need to ensure legal compliance, and that starts with a working understanding of student privacy laws, which can help with recognizing the boundaries of what should and shouldn’t be shared.
FERPA, which stands for the Family Educational Rights and Privacy Act, gives parents access to student records and grants the right to request corrections if the information is inaccurate or misleading.
It also protects student data by limiting how school officials can use and share that data. Educators must have a legitimate reason to access children's education records, and sharing that information without written parental consent is only allowed under very specific exceptions.
In practice, this means educators need to be thoughtful about how they handle student data, especially when using digital platforms. For instance, emailing a student’s report card to the wrong parent, even by mistake, would be a clear violation of FERPA. On the other hand, using a secure school platform to review student medical records, like 504s, is allowed because it directly supports the student’s education and falls within the educator’s professional responsibilities.
Students, especially younger children, require special privacy protections because they cannot fully weigh the risks and benefits of data collection.
COPPA is a federal law that protects the privacy of children under 13 by restricting how websites and online services collect their personally identifiable information. While it's aimed at tech companies, the impact on schools and districts is real, especially when teachers use apps or platforms that collect student data in the background.
Most educational tools ask schools to grant permission on behalf of parents, which is allowed under COPPA if the tool is being used solely for classroom purposes. But that doesn’t mean every app is compliant, and it doesn’t guarantee that it will protect student data. If a tool is tracking browsing behavior or serving targeted ads, it’s not just a student privacy concern. It could be a legal one.
COPPA has pushed many schools to provide more support and training for educators on student data collection. The more clearly teachers understand what personal information a platform collects and why, the more confidently they can evaluate whether a tool aligns with student privacy expectations in the classroom.
CIPA was passed to help school districts and libraries keep students safe online by requiring any institution receiving federal internet funding to use filters that block harmful content and to adopt policies around responsible internet use. While much of the technical setup falls to IT departments, enforcement largely falls to the classroom teachers.
Understanding CIPA gives teachers background knowledge to turn digital interactions into educational opportunities.
When a student encounters a blocked site, that moment can open up a conversation about why filters are in place. Yes, they block inappropriate content, but they also reduce exposure to passive demographic data collection like trackers, pop-ups, and embedded advertising that collect student information.
Teaching students how filters work can lead directly into discussions about behavioral targeting or why certain ads follow them from one site to the next. A blocked site becomes a prompt for students to think critically about how their sensitive data is being collected and by whom. Pairing these discussions with shared vocabulary and space for student research encourages awareness outside the classroom, where filters don’t exist.

Infographic:
Federal Student Data Privacy Laws
FERPA – Family Educational Rights and Privacy Act
Requires schools to protect student education records and get written parental consent before sharing personally identifiable information.
COPPA – Children’s Online Privacy Protection Act
Requires websites/online services to obtain parental consent to collect personal data from children under 13.
CIPA – Children’s Internet Protection Act
Requires schools using federal internet funding to enforce internet safety policies and filter inappropriate or harmful content.
While federal laws like FERPA, COPPA, and CIPA form the foundation for protecting student data, there are also state student privacy laws that go even further. These state laws often add legal requirements around how student information is collected, shared, and stored, especially when third-party vendors are involved.
These protections typically apply not only to schools but to all educational institutions responsible for student data privacy—including school districts, charter networks, and in some cases, state education departments. Many of these rules were influenced by guidance from the Department of Education and advocacy by national organizations like the Data Quality Campaign focused on protecting student privacy.
From geometry to chemistry, academic concepts across the board require repeated, explicit teaching of vocabulary terms to support student mastery. This same concept applies when teaching students about key terms in student data privacy. Whether you start out with a lesson introducing all of these, or you give each concept its own activity, here are a few vocabulary terms that educators should introduce to students:
Cookies: Cookies are small files of information that are passed from a website to a personal computer. This is often done without the user’s knowledge or consent. Stored cookies are intended to remember information like logins and preferences for the future, but the saved data can leave personal information vulnerable to breaches.
Behavioral Targeting: Behavioral targeting is an advertising technique that uses data and information about a user to create ads relevant to their interests.
According to Common Sense Media, “Behavioral profiling is particularly problematic for kids because it happens at a unique time of development — when both their brains and identities are developing and forming.”
Retargeting: Retargeting is an advertising technique that uses stored data (cookies) to identify a product or service that a user has looked at in the past. For example, if an underage user put a toy in an online shopping cart but did not intend to complete the purchase (and may have misunderstood the purpose altogether), that child could be retargeted for that item.
An ad for a specific product may appear months later, guiding the child’s opinion about their wants and needs.
Biometrics: Biometrics is the process of identifying physical and behavioral characteristics. This is the technology behind features like facial recognition, digital fingerprints, digital signatures, and voice recognition.
The collection of biometric data allows for a more complete and accurate database of identity, which is why it’s crucial for youth to be cautious about who they share biometric data with.
Machine Learning: Machine Learning is a branch of artificial intelligence that collects data to use for algorithms and decision making. The data collected over time contributes to the improvement of a machine or software’s decision-making process.
Digital Citizenship: Digital citizenship is the responsible use of technology to learn, create, and participate. Anyone who uses the internet is a digital citizen.
Digital Footprint: A digital footprint is the impact that your comprehensive online activity (anything that you’ve ever posted online) leaves on you. This is one of the most important concepts for students to understand, emphasizing that once something is put online it is very hard to remove.
A study conducted by Data Reportal reveals that Internet users between the ages of 16-64 spend an average of 6 hours and 37 minutes online each day. That’s over one third of the day spent scrolling, gaming, shopping, and browsing.
With so much time spent online, people are constantly being exposed to a plethora of information on varying topics. To prepare students to stay safe and informed while online, it’s important to teach them the difference between reliable information and misinformation.
A dangerous example of this phenomenon is the mental health content shared on TikTok. There is an influx of “mental health influencers” providing advice on the mobile app, but research has revealed that around 84% of mental health videos on TikTok are misleading.
Helping students understand how to differentiate quality information from misinformation can save them from potential harm when exposed to misinformation online. Educators should teach them to think critically about the source of information. Here are a few things to keep in mind:
Analyze the source’s credibility (i.e., is the content shared from Psychology Today or a Reddit thread?)
Consider the potential bias of the author
Always be cautious when content contains advertisements and affiliate links
Beware of clickbait titles

Statistic Graphic: Internet users between the ages of 16-64 spend more than 1/3 of their day online.
Additionally, the date and location of a source’s publication may impact its relevance to students. Teach these concepts and actively practice evaluating online information to ensure students are equipped with the skills to think critically for themselves.
Hands-on learning is the most effective and relevant way for students to master concepts. Data privacy lends itself perfectly to hands-on, research-driven projects. Assigning a digital research project allows students to learn about data privacy while also practicing data privacy.
Teachers can assign students a topic from the key terms listed in this article and instruct them to research and investigate that term. Students can put together a research paper or a digital presentation such as Google Slides or PowerPoint and present their findings to the class.
They could also do the same type of research project, focusing instead on the data privacy of a particular app. For example, a student may focus on investigating how Snapchat collects users’ data and what that data is used for.
Along the way, students will be judging the quality of online sources, practicing online safety, and building digital literacy skills. The presentations will also open classroom discussions that lead to meaningful conversations and memory retention.
Students learn best when they are engaged in content and find it relatable. Educators should take the complex concept of data privacy and find relevant, real-world ways to help students digest complicated terms. Here are a few examples of activities that students may find relevant.
Digital Footprint: Find a local news article about a person who lost their job, college acceptance, or scholarship due to something posted online. Review it in class to show a real-world example of a digital footprint’s impact.
Misinformation: Find or write an article that is blatantly false. This can even become a cross-curricular activity if you tie it into what students are currently learning about. Students will enjoy thinking critically as they move through the content and identify misinformation.
Behavioral Targeting & Retargeting: Ask students to keep a journal of online advertisements they encounter over the span of a week. Ask them to consider why they think they are seeing these ads and what type of advertising technique it may be. Students can share and discuss their answers in class.
Data privacy is extremely important and should not be an afterthought for educators. It is important to plan for explicit teaching time and well-thought lessons to educate students on data privacy.
Educators can create their own resources or use one of the many pre-made lessons available online. Here are a few high-quality websites that provide free resources for teaching data privacy.
With so much time spent online, everyone has to do their share in safeguarding student data privacy. Students should understand when and how their sensitive information is being used. Luckily, online resources and innovative teaching practices make it easy for educators to equip students with the knowledge and critical thinking skills required to stay safe online.