Every student account is a data liability. In a year when the two largest education data breaches in history exposed over 330 million records, the safest student data is data that was never collected.
In December 2024, PowerSchool, the most widely used student information system in North American K-12 education, was breached. A hacker used a compromised credential to get into a customer support portal that lacked multi-factor authentication. By January 2025, the scope was clear: over 62 million student records and nearly 10 million teacher records had been stolen, making it the largest breach of children's data in U.S. history. The stolen data included names, addresses, Social Security numbers, medical information, and academic records.[1][2]
Five months later, in April 2026, Canvas LMS was hit. The hacking group ShinyHunters claimed to have exfiltrated 3.65 terabytes of data from approximately 275 million users across nearly 9,000 educational institutions worldwide, including private messages exchanged between students and teachers. The breach disrupted final exams at thousands of institutions. Instructure, the company behind Canvas, ultimately paid a ransom to prevent the data from being leaked.[3][4]
These are not edge cases. Education is now the most attacked industry globally, facing over 4,300 cyberattacks per week according to Check Point Software's 2025 reporting.[5] And the targets are not just universities. K-12 schools, which hold some of the most sensitive data about the most vulnerable population, are squarely in the crosshairs.
This matters for every tool your school adopts, including your SEL curriculum.
The Problem With Student Accounts
Most digital SEL platforms require individual student accounts. This means the platform collects, stores, and processes personally identifiable information (PII) for every student who uses it: names, email addresses, login credentials, usage patterns, behavioral data, and sometimes responses to sensitive social-emotional prompts.
Each of those data points becomes a liability the moment it is stored on a server. Not a theoretical liability. A concrete one, measured in breach notifications, identity theft risk for minors, and federal penalties that now reach $53,088 per violation under the updated COPPA rule.[6]
The standard argument for student accounts is personalization: tracking individual progress, tailoring content, generating reports. For core academic platforms like an SIS or LMS, that tradeoff may be justified. But for a supplemental SEL curriculum used 15 to 30 minutes per week, the question is whether the personalization benefit justifies the data collection risk.
In most elementary classrooms, it does not.
What Changed in 2025 and 2026
The regulatory landscape shifted significantly in the past 18 months.
Updated COPPA Rule
The FTC finalized major amendments to the Children's Online Privacy Protection Act rule on January 16, 2025, the first significant update since 2013. The new rule took effect June 23, 2025, with full compliance required by April 22, 2026.[6][7]
- Geolocation and biometric identifiers now count as personal information
- Mandatory data retention limits (no more indefinite storage)
- Separate parental consent required for advertising use of children's data
- Increased accountability for third-party data processors
Tightened School Consent Provisions
Under COPPA, schools can consent on behalf of parents for educational purposes. But the updated rule clarifies that this school consent cannot authorize data use beyond educational purposes. Any commercial use of student data still requires direct parental consent.[6] This means edtech vendors who rely on school consent as a blanket authorization for data collection need to re-examine their practices.
State-Level Laws Expanding
Beyond federal regulation, an increasing number of states have enacted student data privacy laws modeled on California's SOPIPA and AB 1584. These laws prohibit selling student data, restrict use for non-educational profiling, require data deletion on request, and impose detailed contractual requirements on vendors.[8]
Enforcement Is Active
In March 2026, PlayOn Sports was fined $1.1 million for sharing student data with advertising partners without proper consent. The FTC resolved several COPPA cases throughout 2025, establishing precedent for expanded enforcement.[7]
What the Breaches Actually Exposed
The PowerSchool and Canvas breaches are instructive not because they involved exotic attack vectors, but because they did not.
PowerSchool was breached through a compromised credential on a customer support portal without multi-factor authentication. A 19-year-old college student was ultimately identified, prosecuted, and sentenced.[1][2]
Canvas was breached through a vulnerability related to Free-for-Teacher accounts, the same issue exploited twice within weeks.[4]
These were not sophisticated nation-state operations. They were basic security failures on platforms that held massive quantities of student data. The lesson for schools is not that they need better cybersecurity (though they do). The lesson is that every platform holding student data is a potential attack surface, and the most effective risk reduction is minimizing how many platforms hold that data in the first place.
When a platform does not collect student PII, there is no student data to breach: no names, no emails, no login credentials, no behavioral data, no messages. For student data, that platform's attack surface is zero.
How This Applies to SEL Curriculum
SEL platforms that require student accounts typically collect several categories of data:
Identity Data
Names, email addresses, usernames, and sometimes grade level, classroom assignment, or demographic information used for rostering.
Behavioral Data
Which lessons a student completed, how they responded to prompts, how long they spent on activities, and sometimes their self-reported emotional states.
Communication Data
In platforms with messaging or journaling features, the content of what students write, which in SEL contexts can include disclosures about family situations, emotional struggles, and peer conflicts.
The Canvas breach included private messages between students and teachers.[3] In a K-12 SEL context, the equivalent would be stored student reflections on emotional and social topics sitting on a server accessible to anyone who compromises the platform.
The Alternative: Teacher-Led, No-Account SEL
An SEL curriculum does not need student accounts to be effective. The research on SEL program effectiveness does not attribute outcomes to digital tracking or personalized dashboards. It attributes outcomes to consistent, high-quality instruction delivered by classroom teachers using structured, sequenced lessons.[9][10]
What the Research Says Works (SAFE Criteria)
- Sequenced: Activities that build skills over time
- Active: Discussion, role-play, and practice
- Focused: Dedicated time for skill development
- Explicit: Clear skill targets students can name
None of them require a student login. All of them require a teacher, a curriculum, and time.[9]
A projector-based, teacher-led model achieves this by putting the instructional content on the teacher's screen, not on individual student devices. The teacher leads the lesson. Students participate through discussion, partner activities, and hands-on practice. No student data is collected because no student interacts with the platform directly.
✓ No Device Logistics
Getting 25 K-5 students logged into a platform with individual credentials can consume half the instructional time.[11]
✓ No Equity Gaps
A projector-based model requires only the equipment already in the classroom. No devices needed at home.
✓ No IT Burden
No account provisioning, password resets, rostering integrations, or data governance reviews for a supplemental program.
✓ No COPPA Burden
If the platform does not collect student PII, COPPA's consent requirements do not apply to student data because there is none.
What to Ask Before Adopting Any Edtech Tool
Whether you are evaluating an SEL curriculum or any other classroom tool, these questions help assess the data privacy tradeoff:
- What student data does this platform collect? Get a specific list, not a general statement.
- Where is that data stored, and who has access? Cloud-hosted data on third-party infrastructure means your students' information is only as secure as that provider's security posture.
- How long is student data retained? Under the updated COPPA rule, data must be retained only as long as necessary for the purpose it was collected.
- What happens to student data if we stop using the product? Does the vendor delete all student data upon termination?
- Is the data collection proportional to the educational value? Does a 20-minute weekly SEL lesson need individual student accounts?
- Does the platform share data with third parties? Under the updated COPPA rule, any sharing for non-educational purposes requires separate parental consent.[6]
The Simplest Privacy Policy Is the One You Don't Need
Student data privacy is not primarily a technology problem. It is a design problem. Every tool your school adopts makes a choice about how much data to collect, and that choice carries consequences that extend years beyond the school year.
For K-5 students, who cannot meaningfully consent to data collection and whose digital identities are just beginning to form, the standard should be especially high. If a tool can accomplish its educational purpose without collecting student data, it should.
The best way to protect student data is to never collect it in the first place.
References
- [1] Security.org. (2026). PowerSchool data breach: What happened and what families should do. https://www.security.org/identity-theft/breach/powerschool/
- [2] TechPolicy.Press. (2026). Unmasking EdTech's surveillance infrastructure in the age of AI. https://www.techpolicy.press/unmasking-edtechs-surveillance-infrastructure-in-the-age-of-ai/
- [3] NPR. (2026). Canvas data breach rattles colleges during finals period. https://www.npr.org/2026/05/08/nx-s1-5815956/canvas-data-breach-school-finals
- [4] Krebs on Security. (2026). Canvas breach disrupts schools and colleges nationwide. https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/
- [5] DeepStrike. (2025). Data breaches in education 2025: Schools under siege. https://deepstrike.io/blog/data-breaches-education-2025
- [6] BigID. (2025). The future of COPPA: Proposed updates and what they could mean for your business. https://bigid.com/blog/the-future-of-coppa/
- [7] PrivacyLawMap. (2026). COPPA rule amendments take effect April 22, 2026: What is changing and your compliance checklist. https://privacylawmap.com/blog/coppa-rule-amendments-april-2026-compliance-checklist
- [8] TheSOC2. (2026). EdTech compliance 2026: FERPA, COPPA, and SOC 2 requirements explained. https://www.thesoc2.com/post/edtech-compliance-2026-ferpa-coppa-and-soc2-requirements-explained
- [9] Durlak, J. A., Weissberg, R. P., Dymnicki, A. B., Taylor, R. D., & Schellinger, K. B. (2011). The impact of enhancing students' social and emotional learning: A meta-analysis of school-based universal interventions. Child Development, 82(1), 405-432. https://doi.org/10.1111/j.1467-8624.2010.01564.x
- [10] Taylor, R. D., Oberle, E., Durlak, J. A., & Weissberg, R. P. (2017). Promoting positive youth development through school-based social and emotional learning interventions: A meta-analysis of follow-up effects. Child Development, 88(4), 1156-1171. https://doi.org/10.1111/cdev.12864
- [11] RAND Corporation & CASEL. (2024). Social and emotional learning in U.S. schools. https://www.rand.org/content/dam/rand/pubs/research_reports/RRA1800/RRA1822-2/RAND_RRA1822-2.pdf
