Your Child’s School App Was Watching
When a middle schooler logs into an education platform to research college options, fill out a career interest survey, or message a guidance counselor, they are not thinking about data brokers, analytics companies, or wiretapping statutes. They are doing homework. But according to a federal class-action lawsuit that just settled for $17.25 million, millions of students using a platform called Naviance were doing something else at the same time without knowing it: feeding a hidden surveillance layer that quietly recorded their interactions, harvested their personal data, and transmitted it to a third-party analytics firm without the knowledge or consent of students, parents, or most of the school districts that had mandated the platform.
The settlement between PowerSchool Holdings LLC, Chicago Public Schools, and a class of more than 10 million current and former Naviance users was filed in the U.S. District Court for the Northern District of Illinois on February 24, 2026, and received preliminary approval from Judge Jorge L. Alonso just two days later. It is one of the largest student privacy settlements in American history. And it lands in the middle of what is shaping up to be a full-scale legal and regulatory reckoning for the educational technology industry.
What Is Naviance and Who Is PowerSchool?
To understand the settlement, you need to understand the scale of PowerSchool’s footprint in American education. PowerSchool is not a peripheral software vendor. It is the dominant infrastructure provider for K-12 schools across North America, serving approximately 75 percent of the K-12 education market and operating in more than 90 countries, including over 18,000 schools across the United States and Canada. Its Student Information System manages grades, attendance, enrollment, scheduling, and student records for roughly 50 million students. For most American school districts, PowerSchool is not a vendor they chose from a competitive marketplace. It is the system their state or district adopted, and the data flows through it by default.
Naviance is one of PowerSchool’s most widely used student-facing platforms. Marketed as a college and career readiness tool, Naviance is the portal through which millions of high school students research universities, complete career assessments, track applications, and communicate with school counselors. Because it is often integrated directly into students’ academic workflows and assigned by schools as a required tool, students have no meaningful choice about whether to use it. When you have to use a platform to apply to college, opting out of it is not a realistic option.
What the Lawsuit Alleged
The lawsuit, filed in August 2023 by a student identified only as Q.J. in case number 1:23-cv-05689 before the Northern District of Illinois, described the case as a “first-of-its-kind action that arises out of the alleged unlawful wiretapping of, and eavesdropping upon, school students while they used school-mandated education technology products.”
At the center of the complaint was a company called Heap Inc., an analytics firm whose tracking code had been embedded inside the Naviance platform. According to the lawsuit, each time a student logged in, their communications, survey responses, behavioral interactions, and personal data were being “surreptitiously intercepted, monitored, captured and recorded and contemporaneously transmitted” to Heap’s servers. The data harvested included names, student identification numbers, graduation years, demographic information, photographs, and responses to career interest surveys.
The complaint alleged violations of the Stored Communications Act, the Illinois Eavesdropping Act, the California Invasion of Privacy Act, and the Fourth Amendment’s protection against unreasonable searches. It also alleged breach of contract between Chicago Public Schools and PowerSchool, because PowerSchool’s contracts with CPS explicitly required compliance with the Illinois School Student Records Act, a state law that bars student records from being released or disclosed without specific authorization, and the Family Educational Rights and Privacy Act (FERPA), the federal statute governing student education records.
Perhaps most damaging was the allegation that PowerSchool was a signatory to the Student Privacy Pledge, an industry commitment signed by K-12 service providers promising not to “collect, maintain, use or share student personal information beyond that needed for authorized educational or school purposes.” By embedding Heap’s analytics code in Naviance, the complaint argued, PowerSchool was in direct violation of a public commitment it had made to the exact families and students whose data it was collecting.
What the Settlement Requires
The $17.25 million settlement fund will be distributed on a pro rata basis among eligible class members, defined as anyone who logged into Naviance between August 2021 and January 2026. With over 10 million potential claimants, individual cash payouts will be modest. The more consequential outcomes are the injunctive relief provisions.
Under the settlement terms, PowerSchool is required to establish a “web governance committee” to monitor how it uses advertising and analytics technology within the Naviance platform going forward. For the next two years, PowerSchool is barred from incorporating any third-party software or code into Naviance unless that committee specifically approves it. PowerSchool must also direct Heap and all other vendors who received student data through the program to delete that data entirely.
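A review rule like the one above ("no third-party code unless approved") can be checked mechanically against a page's markup. The following is an added example, not code from PowerSchool, the settlement, or any party to the case; the function names are hypothetical and every hostname is a constructed placeholder. It lists each host a page loads scripts, frames, images or stylesheets from that is neither first-party nor on an approved list.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch (and maybe execute) remote content.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every remotely loaded resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # urljoin resolves relative and protocol-relative (//host/path) URLs.
            self.resources.append((tag, urljoin(self.page_url, value.strip())))


def host_matches(host, allowed):
    """True if host equals an allowed entry or is a true subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_page(html, page_url, first_party, approved_third_party):
    """Return sorted (host, tag) pairs for resources from unapproved hosts."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    findings = set()
    for tag, url in collector.resources:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # data:, about: and similar carry no remote host
        host = (parts.hostname or "").lower()
        if not (host_matches(host, first_party)
                or host_matches(host, approved_third_party)):
            findings.add((host, tag))
    return sorted(findings)


# Constructed sample page; all hostnames are placeholders.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/app.css">
<script src="https://cdn.approved-vendor.example/lib.js"></script>
<script src="//analytics.tracker.example/collect.js"></script>
</head><body>
<img src="https://pixel.tracker.example/p.gif?uid=123" width="1" height="1">
<iframe src="https://sso.school.example/login"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for host, tag in audit_page(SAMPLE_HTML, "https://portal.school.example/home",
                                {"school.example"}, {"approved-vendor.example"}):
        print(f"unapproved third-party <{tag}> from {host}")
```

This inspects static markup only; code injected at runtime by an already-loaded script has to be caught from a browser network capture or an enforced Content-Security-Policy.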
Chicago Public Schools, for its part, agreed to mandate that all of its technology vendors supply annual certifications confirming compliance with applicable state and federal privacy laws. That vendor certification requirement could become a model that other large school districts adopt, particularly as courts and regulators scrutinize how districts oversee the third-party companies they contract with.
PowerSchool issued a statement saying the company had “jointly reached an agreement with the plaintiffs, resolving the claims with no admission of wrongdoing,” and described itself as focused on “providing our customers safe and secure technology.” That language is standard in civil settlements and does not resolve the question of what happened or why.
The Breach That Made Everything Worse
The Naviance settlement would be significant on its own. But it is inseparable from a far larger and more alarming story: the December 2024 cyberattack against PowerSchool that has been described as the largest breach of children’s personal data in American history.
PowerSchool became aware of unauthorized access to its systems on December 28, 2024, though forensic analysis later established that the intrusion had begun as early as December 19. For nine days, the attacker moved through PowerSchool’s Student Information System undetected. The entry point was not a sophisticated zero-day exploit or a state-sponsored intrusion. A hacker obtained a single employee’s password and used it to access a customer support portal called PowerSource. That portal included a “Maintenance Access” function that, once authenticated, allowed the download of student and teacher records from across thousands of districts.
PowerSchool had not implemented mandatory multi-factor authentication for that access point. In cybersecurity terms, this is not a subtle failure. Multi-factor authentication has been a baseline security requirement for systems handling sensitive personal data for well over a decade. For a company that served 75 percent of the American K-12 market and stored records on tens of millions of children, the absence of this control was, according to cybersecurity experts who reviewed the CrowdStrike incident report, a fundamental and inexcusable gap.
The breach compromised records belonging to approximately 62.4 million students and 9.5 million teachers across 6,505 school districts in the United States, Canada, and other countries. The stolen data included names, addresses, birth dates, Social Security numbers, medical information including special education status and disability accommodations, disciplinary records, individualized education plans, and family income data tied to free and reduced lunch programs. For a subset of the 62 million students, the exposure included the most sensitive categories of personal information imaginable, data about mental health conditions, behavioral interventions, and family circumstances.
PowerSchool paid a ransom to the attacker, receiving a video that allegedly showed the data being deleted. In May 2025, the same attacker began sending extortion demands directly to individual school districts, attaching samples of the stolen data as proof that the original ransom payment had not resulted in deletion. PowerSchool notified law enforcement. In May 2025, the Department of Justice announced a plea deal with Matthew D. Lane, a 20-year-old college student from Massachusetts, who pleaded guilty to unauthorized computer access, cyber extortion, and aggravated identity theft. Lane was sentenced in October 2025 to four years in federal prison and ordered to pay $14 million in restitution, a figure prosecutors acknowledged would likely never be collected in full.
The Federal and State Legal Response
The PowerSchool breach triggered enforcement and investigative activity at both the federal and state level that is still ongoing.
FERPA, the primary federal statute protecting student education records, is administered by the Department of Education. Unlike most modern privacy laws, FERPA does not include a private right of action, meaning individual students and parents cannot sue under it directly. Enforcement runs through the Department, which can condition federal funding on compliance. The Department of Education launched a review of PowerSchool’s FERPA compliance following the breach, though as of early 2026 no formal enforcement action had been publicly announced.
At the state level, the response has been more aggressive. North Carolina Attorney General Jeff Jackson issued a Civil Investigative Demand to PowerSchool in June 2025 requiring the company to disclose the exact number of North Carolinians affected, the cybersecurity measures in place before the breach, and its communications with affected families. Jackson’s office estimated that nearly 4 million teachers, students, and parents in North Carolina had their data compromised.
Multiple state attorneys general launched parallel investigations. The California Attorney General’s office issued guidance for affected families. And the wave of civil litigation that followed the breach runs into the dozens of separate lawsuits, with plaintiffs alleging everything from negligent security practices to violations of state consumer protection statutes and breach of contract.
A 2025 Study Found the Problem Goes Far Beyond PowerSchool
It would be a mistake to treat the PowerSchool case as an isolated failure by one company. Research published in 2025 found that 89 percent of educational technology products recommended by schools during the pandemic period transmitted student data to third parties, often advertising companies. The tracking, profiling, and monetization of student behavioral data is not a PowerSchool aberration. It is an industry pattern.
The structural reason is straightforward. K-12 edtech companies often offer platforms to school districts at low cost or free of charge, subsidizing that model with revenue from data partnerships, analytics licensing, or advertising technology. Students using mandatory school platforms have no ability to opt out, no visibility into what is being collected, and no practical recourse if data practices violate their privacy rights. They are, in legal terms, a captive user population.
Unlike consumer websites, where privacy-conscious users can install browser extensions, opt out of tracking, or simply choose a different service, school platforms are mandatory. A student cannot choose not to use the platform through which they are required to submit college applications. That asymmetry is precisely what makes edtech privacy violations legally and morally distinct from garden-variety consumer data disputes.
What Parents and Students Should Know Right Now
- If your child used Naviance between August 2021 and January 2026, they may be a class member in the settlement. Once the notice program is approved and launched, eligible class members will be able to file a claim for a pro rata share of the net settlement fund. Watch for official notice communications from the settlement administrator.
- If your child’s data was exposed in the December 2024 PowerSchool breach, the risk is lifelong. Social Security numbers, birth dates, and medical information do not expire. Cybersecurity experts recommend that parents request a credit freeze for minor children at all three major credit bureaus, a step that prevents criminals from opening fraudulent accounts in a child’s name.
- PowerSchool offered two years of identity protection services through Experian for affected individuals. Adults affected by the breach also have access to credit monitoring through TransUnion. If you have not enrolled in these services, contact PowerSchool directly or check with your school district.
- Ask your school district what data your child’s edtech vendors are collecting and whether those vendors have signed legally binding data processing agreements that include prohibitions on third-party data sharing. You have the right under FERPA to inspect your child’s education records and to request correction of inaccurate information.
- The ransom payment does not guarantee deletion. PowerSchool paid the attacker and received a deletion video. The same attacker then attempted to extort individual school districts using the same stolen data. There is no technical mechanism to verify that stolen data has been permanently and completely destroyed once it leaves the breached system.
- State attorneys general in multiple states are actively investigating. North Carolina’s AG has issued a formal demand for information. If you are a parent or educator in a state with an active investigation, your state AG’s office may be a resource for information about your rights and the status of local enforcement actions.
What School Districts Should Be Doing Differently
The Chicago Public Schools’ commitment under the settlement to require annual vendor compliance certifications points toward a broader standard that legal and cybersecurity professionals say all school districts should adopt. The fundamental problem exposed by the Naviance lawsuit and the December 2024 breach is not that PowerSchool was an unusually bad actor in a generally responsible industry. It is that K-12 school districts routinely lack the legal and technical resources to adequately vet the dozens or hundreds of edtech vendors in their ecosystems.
A district that mandates Naviance for college planning, uses a separate platform for attendance, contracts with a third party for special education case management, and deploys a learning management system for remote coursework may have four different companies with access to student data, each with their own data retention policies, security architectures, and third-party partner relationships. Overseeing that ecosystem requires dedicated privacy expertise that most districts simply do not have.
The legal standard, however, does not adjust for resource constraints. FERPA requires schools to ensure that vendors acting as “school officials” with access to education records use that data only for authorized educational purposes. The Arkansas complaint in the GM case used the same structural argument in the auto context: you cannot satisfy your legal obligations by pointing to a long and confusing terms document that no one reads. The same principle applies in edtech. Mandating a platform without understanding what it does with student data is not a defense. It is the violation.
The Regulatory Horizon
The PowerSchool settlement and breach have accelerated a legislative and regulatory conversation about student data privacy that had been building for years. Several states have passed or are actively considering legislation that would impose stricter requirements on edtech vendors, including mandatory privacy impact assessments before district adoption, data minimization requirements that limit what vendors can collect to what is strictly necessary for educational purposes, and private rights of action that would allow students and parents to sue directly for violations without depending on FERPA’s administrative enforcement mechanism.
At the federal level, the Student Digital Privacy and Parental Rights Act has been introduced in multiple congressional sessions, though it has not yet passed. Privacy advocates argue that FERPA, drafted in 1974 and last substantially amended in 1994, is structurally inadequate for an era of cloud-based student information systems, embedded analytics, and AI-powered educational tools. A statute written before the commercial internet was not designed to govern a world where a single edtech vendor holds the records of 62 million children.
The argument that comprehensive federal student privacy legislation is necessary has never had stronger factual support than it does in the aftermath of the PowerSchool breach and the Naviance settlement. Whether Congress acts on that argument is a different question.
Naviance $17.25 Million Privacy Settlement
The $17.25 million Naviance settlement is not primarily a story about money. Individual payouts for 10 million class members will be small. The more important outcomes are the injunctive relief requiring PowerSchool to overhaul its privacy practices, the vendor certification requirement that Chicago Public Schools must now impose on its technology partners, and the legal precedent the case establishes for holding edtech companies accountable for hidden tracking in mandatory student platforms.
But the settlement also cannot be separated from the December 2024 breach, the largest exposure of children’s personal data in American history, which came directly from a company that publicly claimed to prioritize student privacy while failing to implement a basic security control that a college student was able to exploit with a single stolen password. Together, the Naviance lawsuit and the SIS breach tell the same story in two different registers: a company that accumulated an extraordinary amount of power over American children’s data without building the legal commitments, security architecture, or institutional culture necessary to be trusted with it.
The children whose data was collected, tracked, and ultimately stolen had no say in any of it. They were doing homework.