The data collected by EdTech platforms on their student users constitutes the most comprehensive behavioral record ever assembled on children in institutional contexts. The children could not consent. The parents were not asked.
The data collected by educational technology platforms on K-12 students falls into categories whose scope substantially exceeds any educational purpose. Each category represents a dimension of the child's behavior, cognition, and development that is now recorded, stored, and — in many documented cases — shared with entities outside the educational relationship.
Academic performance data. Grades, test scores, assignment completion rates, error patterns, response times, question-level performance breakdowns. This is the category of data that schools explicitly intend to collect and that has clear educational utility. It is also the category that EdTech companies foreground when describing their data practices — the educational core that legitimizes the broader collection.
Behavioral pattern data. Time-on-task measurements, click patterns, navigation sequences, session duration, login frequency, abandonment points, distraction indicators (tab switching, idle time, off-task browsing). This category records how the student interacts with the software at a granularity that reveals cognitive and behavioral patterns far beyond academic performance. A student's click pattern during an assessment reveals not just whether they answered correctly but how they processed the question — their hesitation patterns, their elimination strategies, their confidence levels, their frustration thresholds.
Attention and engagement data. Scroll depth, gaze tracking (where available), reading speed, content interaction time, video watch completion rates, re-engagement patterns after distraction. This category maps the student's attentional architecture — the structure of their focus, the points at which they disengage, the stimuli that recapture their attention. In aggregate, this data constitutes a developmental map of the child's cognitive profile.
Biometric data. Proctoring software deployed during remote assessments introduced facial recognition, eye tracking, ambient sound monitoring, and keystroke dynamics into the educational data collection. Students whose exams were administered through proctoring platforms had their facial expressions recorded and analyzed for indicators of "suspicious behavior," their eye movements tracked for deviation from the screen, and their ambient environments monitored through device microphones. These biometric data streams were collected from minors in their homes, under conditions of compulsory participation, with consent obtained through the school's intermediary position.
Communication and social data. Messages sent through educational platforms, discussion forum posts, collaborative document contributions, peer interaction patterns. Platforms that include communication features capture the social dimension of the student's school life — their friendships, their conflicts, their social positioning, their communication patterns.
No educational purpose requires the simultaneous collection of all five categories. The scope of collection reflects not the educational need but the data architecture of the platforms performing the collection — platforms whose business models depend on data depth and whose technical architectures are designed to capture everything the platform can access.
The collection operates continuously and automatically. It is not a survey administered at intervals. It is not a test given on specific dates. It is an always-on data extraction layer embedded in the software that the student is required to use for their education.
The student opens their school-issued Chromebook. The device authenticates them through Google's identity system, recording the login time, location, and device state. They open Google Classroom and navigate to an assignment. Every click, every page transition, every pause is recorded. They open a reading assignment in a digital reading platform. Their reading speed, scroll patterns, and time per page are captured. They take a quiz through a gamified assessment platform. Their response times, error patterns, and engagement metrics are logged. They write a response in a collaborative document. Their keystrokes, revision patterns, and collaboration interactions are recorded. They send a message to a classmate through the platform's communication feature. The content, timing, and recipient are stored.
At no point in this sequence does the student make a decision about data collection. There is no opt-in. There is no opt-out. The student cannot use the educational software without generating the data, and they cannot complete their education without using the software. The collection is structurally coercive — not because anyone intends coercion, but because the compulsory nature of education combined with the mandatory nature of the software creates a condition in which data generation is a prerequisite for educational participation.
The data flows from the student's device to the EdTech company's servers. From there, it is processed, aggregated, and — depending on the company's data practices — shared with third parties, used to train machine learning models, combined with data from other sources, or retained indefinitely. The school that authorized the software's deployment typically has no visibility into these downstream uses. The school sees the educational interface. The data pipeline behind it operates outside the school's view and outside its control.
The monetization of student data operates through four primary channels, each representing a distinct conversion of educational data into commercial value.
Advertising targeting. Behavioral profiles derived from educational data are used to target advertising to students and their families outside the educational context. A student whose reading platform data indicates interest in science fiction receives targeted advertising for science fiction products on other platforms. A student whose search history on educational platforms indicates interest in athletics receives targeted advertising for sports equipment. The educational data does not directly contain advertising. The behavioral profile derived from the educational data informs advertising targeting across the broader digital ecosystem. The connection between the data collection and the advertising is indirect, mediated through data broker relationships and cross-platform identity resolution — but it is real and documented.
Product training data. Student behavioral data is used to train artificial intelligence and machine learning models. The value of training data is proportional to its volume, diversity, and behavioral richness. Student data from educational platforms provides all three: millions of users, diverse demographics, and behavioral data captured during cognitively demanding tasks. AI models trained on this data power adaptive learning systems, assessment engines, and content recommendation algorithms — products that are then sold back to schools as improved educational technology. The students whose behavioral data trained the model receive no compensation, no notification, and no share in the commercial value their data creates.
Third-party data sharing. Independent audits consistently find that a majority of EdTech applications share student data with third parties. A 2022 Human Rights Watch investigation of 164 EdTech products endorsed by governments in 49 countries found that 89% of them engaged in data practices that risked or undermined children's rights, including sending data to advertising technology companies. The data flows through contractual relationships — data broker agreements, analytics partnerships, advertising network integrations — that the school has no visibility into and no control over.
EdTech companies are subject to COPPA and FERPA, which restrict the collection and use of student data. The data collection is regulated and compliant.
ET-004 (The FERPA Gap) documents in detail why FERPA's 1974 framework fails to protect student data in the digital context. COPPA's school exception allows EdTech companies to bypass parental consent by obtaining school consent under the "school official" designation. The regulatory framework exists — and it is structurally inadequate. Compliance with an inadequate framework is not protection. A company that complies with FERPA while sharing student behavioral data with third-party advertising networks is legally compliant and ethically indefensible. The regulations were written for paper records in filing cabinets. They are applied to behavioral analytics pipelines that process millions of data points per student per year.
Future value. Longitudinal student data — behavioral records spanning a child's entire K-12 education — represents a predictive analytics asset whose value increases with time. A complete behavioral record from kindergarten through twelfth grade, encompassing academic performance, cognitive patterns, attention metrics, social interactions, and engagement profiles, constitutes the most detailed developmental record of a human being that any commercial entity has ever possessed. The future applications of this data — employment screening, insurance risk assessment, credit scoring, political targeting — are speculative but not implausible. The data is collected now. Its future uses are determined by whoever holds it.
The consent architecture governing EdTech data collection is structurally broken at every level.
Children cannot consent. Students in K-12 settings — particularly in elementary and middle school — lack the cognitive development to understand the implications of data collection, the legal capacity to consent to it, and the practical ability to refuse it. A seven-year-old using a reading app on a school-issued tablet is not consenting to data collection. The concept of consent is meaningless in this context. The child uses the software because the teacher told them to, and they do what the teacher tells them because that is what children in school do. Calling any aspect of this interaction "consent" is a legal fiction.
Parents were not asked. In the majority of EdTech deployments, parental consent was either not sought at all or was obtained through mechanisms that do not constitute informed consent. The most common mechanism is the school's blanket technology acceptable-use policy — a document signed at the beginning of the school year that authorizes the school to use technology in the educational program. This document does not enumerate the specific EdTech products deployed, does not describe their data practices, and does not provide parents with the information necessary to make an informed decision about their child's data. It is a permission slip for an unspecified set of activities — the functional equivalent of signing a consent form for a medical procedure without being told what procedure will be performed.
The school consented on behalf of both. Under COPPA's school exception and FERPA's school official designation, the school can consent to data collection on behalf of the student and the parent. The school's consent substitutes for parental consent. This substitution relies on the assumption that the school's interests are aligned with the child's interests — an assumption that the Trust Arbitrage (ET-001) demonstrates is structurally unsound when the school's evaluation framework does not assess the dimensions of EdTech products that produce the harms.
The consent problem is not a gap that can be closed by better consent forms or more thorough disclosure. It is a structural incompatibility between the consent model and the context in which it operates. Consent requires the ability to refuse. Students in compulsory educational settings cannot refuse. Consent requires information about what is being consented to. Parents do not receive that information. Consent requires that the consenting party has the capacity to understand the implications. Children in K-12 settings do not. The consent model is not broken — it is inapplicable.
The EdTech data record on American children is, by several dimensions, the most comprehensive behavioral surveillance record ever assembled on any population.
Duration. The record spans a child's entire K-12 education — thirteen years of continuous behavioral data collection. No corporate surveillance program on adults approaches this duration. An adult can change social media platforms, switch email providers, or delete their accounts. A child in the American school system generates EdTech data from kindergarten through twelfth grade with no ability to interrupt the collection.
Compulsion. The data collection occurs in a compulsory institutional setting. Adults subject to corporate surveillance participate voluntarily — they choose to use the platform, and they can choose to stop. Students are required by law to attend school and required by institutional policy to use the software the school deploys. The collection is not voluntary at any level.
Developmental sensitivity. The data covers the most formative period of human cognitive development. Behavioral patterns captured between ages five and eighteen record the formation of attention, the development of executive function, the emergence of social cognition, and the maturation of emotional regulation. This is not a record of adult behavior — it is a record of the process by which a child becomes a cognitive agent. No other data collection regime captures human development at this granularity.
Breadth. The record encompasses academic, behavioral, social, attentional, and in some cases biometric dimensions simultaneously. An adult's social media profile captures social behavior. A search engine captures informational behavior. A financial institution captures economic behavior. The EdTech record captures all of these dimensions simultaneously in a single institutional context, from a population that cannot opt out of any of them.
The scale of the record is not incidental to the EdTech business model. It is the business model. The comprehensiveness of the data is what makes it commercially valuable. A platform that collected only academic performance data — grades and test scores — would have limited commercial value. A platform that collects behavioral patterns, attention metrics, social interactions, and cognitive profiles has substantial commercial value. The scope of collection tracks the commercial incentive, not the educational need.
The relationship between the data collected and the educational purpose claimed is the key diagnostic for understanding the EdTech business model. If the data collection serves the educational purpose, then the scope of collection should be bounded by that purpose: the platform should collect the data necessary to deliver and improve the educational service, and no more. If the data collection exceeds the educational purpose — if the platform collects data that no educational function requires — then the excess collection serves a purpose other than education. That purpose is the business model.
The data categories documented in this paper — behavioral pattern data, attention metrics, biometric data, communication content, social interaction patterns — substantially exceed what any educational purpose requires. A reading platform does not need to track eye movement patterns to teach reading. A math application does not need to record click-level behavioral sequences to deliver math instruction. A classroom management tool does not need to analyze social interaction patterns to manage a classroom. The excess is consistent across the industry: EdTech platforms systematically collect more data than their educational function requires.
This excess is not accidental. It reflects the core economic logic of the EdTech sector, which operates in the same data-as-revenue model that defines the broader attention economy. The educational functionality is the access channel — it provides the legitimate reason for the platform to be deployed in the classroom and for students to use it. The data collection is the revenue mechanism — it produces the commercial value that sustains the business. The relationship between the two is the same relationship documented in AE-001 (Saga VIII): the user is the product, and the service is the access channel.
In the attention economy, the users are adults who have voluntarily adopted the platforms that surveil them. In the EdTech sector, the users are children who have no choice. The access channel is not a social media app that the user downloaded; it is a school — a compulsory institution operating under public trust. The data extraction occurs not through voluntary engagement but through institutional authority. The business model is the same. The population is more vulnerable. The access mechanism is more coercive. The consent is less meaningful. The Data Collection Event is the attention economy's business model applied to children through the one institution their parents trust to protect them.
Internal: This paper is part of The EdTech Capture (ET series), Saga IX. It draws on and contributes to the argument documented across 22 papers in 5 series.
External references for this paper are in development. The Institute’s reference program is adding formal academic citations across the corpus. Priority papers (P0/P1) have complete references sections.