10 June 2026

Is Your District’s Data Privacy a Lawsuit Waiting to Happen?


Parents aren’t waiting for a data breach to happen to start suing schools. Is yours next?

We’ve Seen This Movie Before

Ten years ago, many districts saw digital accessibility as a “nice to have.” Guidance was vague, budgets were tight, and it was easy to assume that a few images without alt text or an inaccessible parent portal wouldn’t create much trouble. Today, that assumption looks very expensive.

Since 2013, at least 236 schools and educational institutions have entered into formal agreements with the U.S. Department of Education’s Office for Civil Rights (OCR) to remediate inaccessible websites and digital content. One activist alone has filed roughly 1,800 OCR complaints against school and higher-ed sites that failed to meet basic accessibility standards such as alt text, keyboard navigation, and video captions. A national review of K-12 sites found that nearly two-thirds failed at least one measurable accessibility criterion, 89.3% had color-contrast issues, and 95.5% of homepages contained at least one detectable accessibility error.

Those numbers turned accessibility from a best practice into an enforcement issue, and districts had to move quickly, often on someone else’s timeline.

From Guidance to Enforcement on Accessibility

For many districts, the first noticeable impact wasn’t a courtroom battle; it was an OCR letter. Investigations and resolution agreements typically require districts to audit their entire web footprint, remediate existing content, put policies in place for all new content, and retrain staff on accessibility requirements. Spokane Public Schools, for example, estimated that building an ADA compliance plan for roughly 13,000 web pages would cost tens of thousands of dollars just to scope, with remediation and training pushing the total into the hundreds of thousands.

Meanwhile, the regulatory bar has only become clearer. The U.S. Department of Justice has finalized rules under Title II of the ADA that explicitly require public school systems to bring websites, apps, and online documents into conformance with WCAG 2.1 Level AA. Large public entities and smaller districts now have fixed deadlines over the next few years to reach compliance, after a recent one-year extension on the original timelines.

In other words: what began as broad guidance is now a defined standard, backed by complaints, investigations, and the credible threat of funding consequences or Department of Justice enforcement.

Data Lawsuits Are Moving Even Faster

Student data is following a similar trajectory, but the stakes are escalating even more quickly.

In early 2026, edtech vendors behind Naviance, a college and career-readiness platform, and the Chicago Board of Education agreed to a $17.25 million USD class action settlement over allegations that the platform surreptitiously intercepted students’ communications and shared them with third-party analytics tools without proper consent. Parents alleged that Naviance tracked and disclosed students’ activity and personal information in ways that violated federal and state privacy and wiretap laws.

Other ongoing class actions target vendors like IXL Learning and PowerSchool, claiming that these platforms harvested and monetized “millions” of children’s data without meaningful parental consent. In those suits, families argue that schools do not own students’ personal data and cannot grant blanket permission for vendors to use it for secondary commercial purposes such as targeted advertising or analytics unrelated to instruction.

Crucially, many of these cases are not about a traditional ransomware event or hacker intrusion; they are about how everyday data flows were designed and governed.

When “No Breach” Still Means Legal Risk

The College Board’s 2024 settlement with the New York Attorney General illustrates this shift clearly. The organization agreed to pay a $750,000 USD penalty over allegations that it shared student information with marketing partners in ways that violated state student privacy laws and its agreements with educational agencies—without any external breach.

The federal class action M.C. v. Curriculum Associates makes similar claims against i-Ready, alleging that the platform collects more than 80 categories of student data and transmits that information to third-party services without adequate parental consent, raising claims under the Federal Wiretap Act and state privacy statutes. Another set of consolidated cases in federal court focuses on a major PowerSchool data breach that allegedly exposed data for tens of millions of students and educators, showing that courts are now dealing simultaneously with breach-driven and architecture-driven risk.

For district leaders, the pattern is sobering: “We were never hacked” is no longer a complete defense. How data is collected, shared, profiled, and retained is now just as likely to end up in front of regulators or judges as how it is secured.

School Consent Is No Longer a Safety Blanket

Historically, many districts assumed that if they reviewed a vendor’s contract, accepted the terms of service, and clicked “I agree” on behalf of the school, they had effectively extended that consent to families. Recent legal developments are narrowing that assumption.

In litigation involving IXL Learning, the Federal Trade Commission (FTC) submitted an amicus brief explaining that the Children’s Online Privacy Protection Act (COPPA) does not create a broad agency relationship in which schools can sign away parents’ rights or bind them to arbitration clauses and expansive data-use terms they never saw. The FTC’s position is that schools may authorize limited data collection for legitimate educational purposes, but they cannot authorize commercial reuse, profiling, or contractual waivers that go beyond those purposes.

A federal court went on to deny IXL’s attempt to force families into arbitration, reinforcing the idea that districts cannot rely on generic “school consent” to validate everything a vendor might want to do with student data. This shifts the focus from “Did we sign a contract?” to “Is our ecosystem designed so that vendors only get governed, purpose-limited access to the data they actually need?”

What A Shift To Data Sovereignty Looks Like

All of this points to a fundamental shift in how districts need to think about data governance. It is no longer enough to maintain a static list of apps, trust vendors’ privacy policies, and react when something goes wrong. To reduce legal risk and maintain trust, districts need a data sovereignty posture: they remain the source of truth, they decide where data lives, and they govern how it moves across the ecosystem.

In practice, that means:

  • Data authority stays with the district. Student records remain anchored in systems the district controls, and vendors receive governed access instead of custody.
  • Data is exchanged, not handed over. Instead of pushing full SIS extracts into every app, districts issue purpose-limited claims, such as: “this user is a Grade 4 student in School B,” without disclosing the entire profile.
  • Access is observable and revocable by design. When a contract ends or risk changes, IT can centrally revoke a vendor’s access rather than chasing down copies in multiple databases.
  • Data residency and jurisdiction are intentional. Especially for international or cloud-hosted tools, districts can see and control which countries hold their students’ data, and which legal regimes apply.

These are not abstract principles; they align directly with emerging data sovereignty expectations in education, where personal and sensitive data is expected to remain under the control of the jurisdiction—and the institution—that collected it.

Moving From Reactive Oversight to Proactive Protection

The good news is that districts do not have to build this alone or rip and replace their existing ecosystem. Modern orchestration and governance platforms are emerging that sit between the SIS, LMS, HR, and downstream applications, giving districts a neutral control plane for data flows.

SchoolDay’s approach, including the newly launched School Data Sovereignty Alliance, is one example of this shift in action:

  • Discover: Build a live inventory of which applications are actually being used, which data they touch, and where that data resides.
  • Enforce: Configure and enforce granular policies on what data, if any, is shared, replacing personally identifiable information with tokens wherever possible, and aligning with FERPA, COPPA, and local sovereignty requirements.
  • Validate: Maintain immutable logs and reliable reports so districts can demonstrate compliance, respond to regulators, and show families how their students’ data is being protected.
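To make the "In practice" list and the Enforce and Validate steps above concrete, here is an added Python example (not part of the original article and not SchoolDay's code or API) of a district-side broker that releases a purpose-limited claim under a per-vendor token, refuses revoked vendors, and records every decision. The record fields, vendor name, policy table and key are constructed for illustration; HMAC-derived tokens and a hash-chained, tamper-evident log are this example's own choices standing in for the "tokens" and "immutable logs" the text mentions.

```python
import hashlib, hmac, json, time

# Constructed sample SIS record; every value is made up for this example.
SIS = {"stu-1001": {"name": "Sample Student", "dob": "2016-03-14", "grade": 4,
                    "school": "School B", "home_address": "1 Example St"}}
# Hypothetical policy: the attributes each vendor may receive, and for what purpose.
POLICY = {"reading-app": {"purpose": "instruction", "attrs": ["grade", "school"]}}
DISTRICT_KEY = b"constructed-demo-key"  # assumption: really held in the district's key store
REVOKED = set()
AUDIT = []  # hash-chained decision log, oldest entry first

def pseudonym(vendor, student_id):
    """Per-vendor token: stable for one vendor, unlinkable across vendors without the key."""
    msg = f"{vendor}:{student_id}".encode()
    return hmac.new(DISTRICT_KEY, msg, hashlib.sha256).hexdigest()[:16]

def _log(event):
    """Append an entry whose hash covers the previous entry's hash and this event."""
    prev = AUDIT[-1]["hash"] if AUDIT else "0" * 64
    body = json.dumps(event, sort_keys=True)
    AUDIT.append({"event": event, "prev": prev,
                  "hash": hashlib.sha256((prev + body).encode()).hexdigest()})

def issue_claim(vendor, student_id, now=None):
    """Return the minimal claim for this vendor, or None if unknown or revoked."""
    policy = POLICY.get(vendor)
    allowed = policy is not None and vendor not in REVOKED and student_id in SIS
    _log({"vendor": vendor, "subject": pseudonym(vendor, student_id),
          "released": allowed, "ts": int(time.time()) if now is None else now})
    if not allowed:
        return None
    record = SIS[student_id]
    return {"sub": pseudonym(vendor, student_id), "purpose": policy["purpose"],
            **{attr: record[attr] for attr in policy["attrs"]}}

def revoke(vendor):
    """Central revocation: later requests from this vendor are refused and logged."""
    REVOKED.add(vendor)
    _log({"vendor": vendor, "action": "revoke"})

def audit_intact():
    """Recompute the chain; any edited or removed entry breaks it."""
    prev = "0" * 64
    for e in AUDIT:
        body = json.dumps(e["event"], sort_keys=True)
        if e["prev"] != prev or e["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
            return False
        prev = e["hash"]
    return True
```

The vendor in this example never receives the name, date of birth or address, and it never holds a copy of the full record that would need chasing down after revocation.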

Accessibility taught K-12 that waiting for a complaint or a deadline is the most expensive way to change. The emerging wave of student data litigation is giving districts a second chance to get ahead of risk by treating data governance and sovereignty as core operational responsibilities, not back-office tasks.

Districts that act now can reduce their exposure, strengthen community trust, and create a safer foundation for AI-enabled learning and innovation. Those that do not may soon find themselves in the same position they were with accessibility: facing urgent, legally driven remediation on someone else’s timeline.

If your district is ready to move from reactive oversight to proactive protection, now is the moment to redesign how student data moves—before regulators, plaintiffs, or vendors do it for you. Learn how a privacy‑by‑design orchestration layer can reduce data sprawl, restore data sovereignty, and give you centralized control over your ecosystem here: The Next Generation of EdTech Ecosystem Governance.
