Class Action Lawsuits Against EdTech Companies for Alleged Data Privacy Violations


Below we break down the growing number of class action lawsuits against education technology companies over allegations that they misuse their clients’ data. Privacy litigation has exploded and is no longer limited to the CCPA and GDPR; it now includes CIPA, UCL, CDAFA, and other laws that provide a private right of action. As a result, it is not only the government (or, in California, the privacy protection authority) that can come after your business: any law firm that wants to sue you can do so if you are not using approved settings with your cookie consent banner and meeting the other requirements that check the box for true privacy compliance.

I.  Introduction 

This report and educational breakdown is about a lawsuit involving allegations that the defendant company collects, shares, and monetizes the personal information of its users, including millions of school-aged children, without obtaining effective consent. The complaint is reported to be approximately 80 pages in length, comprising 460 paragraphs, and asserts nine claims, including violations of the California Invasion of Privacy Act (CIPA), the Comprehensive Computer Data Access and Fraud Act (CDAFA), California’s Unfair Competition Law (UCL), invasion of privacy (public disclosures of private facts, intrusion upon seclusion), and unjust enrichment.

II.  Review of Class Action Settlements in the Education Space

  • Review of Settlement and Filing News: A review of recent class action settlements and lawsuit filings reveals a list of cases primarily dated between March 3rd and March 27th, 2025. These cases largely involve settlements related to data breaches affecting entities like Florida Central Credit Union, Tyler Technologies, and Infosys McCamish Systems, as well as issues concerning product safety and illegal prerecorded calls. Notably, none of the listed entries directly describe a lawsuit filed against an education technology company with allegations of collecting and monetizing children’s data without consent. The focus of these listed cases is predominantly on the aftermath of data security incidents in various sectors, where personal information was compromised due to alleged negligence. The absence of a case matching the user’s description in this compilation of recent legal actions suggests that either the lawsuit in question was filed very recently, after the latest date covered by this news feed, or certain details provided in the user’s query might require further scrutiny. The prevalence of settlements related to data breaches across different industries underscores a broader trend of increasing legal accountability for organizations handling personal information. This environment of heightened legal scrutiny likely extends to the education technology sector, given the sensitive nature of the data they handle, particularly that of children.
  • Examination of Data Breach Reports: Another piece of information discusses a data breach affecting educational professionals (PSEA) and includes a compilation of other data breach incidents involving various organizations.

Among these listed breaches is one at VTech, which exposed the data of a significant number of children. While the PSEA breach involves professionals within the education field rather than children using an education technology product, it nonetheless highlights the risks associated with data security within the educational ecosystem. The mention of the VTech data breach serves as a stark reminder of past instances where technology companies handling children’s data have faced security failures with potentially widespread consequences.

This historical context suggests that the legal system has previously engaged with issues concerning the privacy and security of children’s data held by technology companies, although the specific allegations in the user’s query focus on collection and monetization practices rather than solely on security breaches.

The fact that data breaches affecting the education sector, including those involving children, have occurred and been reported indicates the sensitivity of this area and the potential for legal and public concern when such incidents or alleged improper data handling practices come to light.

  • Analysis of FTC Action and COPPA Rule: A particularly relevant article details the Federal Trade Commission’s (FTC) finalization of updates to the Children’s Online Privacy Protection Rule (COPPA), aimed at strengthening the protection of children’s data online. This development occurs at a time when the FTC notes an increasing trend of companies profiting from children’s data. Significantly, the article mentions two existing class action lawsuits against education technology companies, IXL Learning and PowerSchool, both represented by the Ed Tech Law Center. These lawsuits allege that the providers monetized the data of millions of school-age children without obtaining parental consent. The timing of this article (published in January and updated in February 2025) indicates that these specific lawsuits were initiated prior to the “yesterday” mentioned in the user’s query. The FTC’s strengthened COPPA rule and its decision to omit an exception for ed tech providers underscore a growing regulatory emphasis on protecting children’s data within this sector. The existence of lawsuits against IXL Learning and PowerSchool for practices mirroring the core allegations in the user’s query (monetizing children’s data without consent) suggests a recognized legal concern and a potential trend of such litigation against education technology companies. The FTC’s stance implies that companies engaging in behavioral advertising towards children must obtain explicit parental consent, further highlighting the legal sensitivities surrounding the collection and use of children’s personal information for commercial purposes.
  • Examination of Lawsuit Against PowerSchool for Data Breach: Another news report details a lawsuit filed by a Wisconsin school district against PowerSchool, a prominent education software company, following a significant data breach in early 2025. This breach reportedly compromised the personal information of 62.4 million students and 9.5 million educators. Subsequently, over 30 federal class action lawsuits were filed against PowerSchool by students and parents in connection with this data breach. The primary allegations in these lawsuits include breach of contract, unjust enrichment, and false advertising, focusing on PowerSchool’s alleged failure to adequately protect sensitive data. While these lawsuits against PowerSchool are substantial and relate to data privacy within the education technology sector, their primary focus on a data breach and the resulting security failures differs somewhat from the user’s query, which emphasizes the collection and monetization of data without consent as the central issue. However, the presence of an unjust enrichment claim in these breach-related lawsuits suggests a potential legal argument that PowerSchool may have unjustly benefited from holding the data that was ultimately compromised. The sheer volume of lawsuits filed against PowerSchool after the data breach indicates the potential for widespread legal repercussions when education technology companies experience security incidents involving vast amounts of sensitive personal information, particularly that of children.
  • Review of FTC Action Against Edmodo: A press release from the FTC announces an order against the education technology provider Edmodo in 2023 for unlawfully using children’s personal information for advertising purposes.

The FTC found that Edmodo collected personal data from children without obtaining parental consent, in violation of the COPPA Rule. This case provides a precedent for regulatory action against an education technology company for practices similar to those described in the user’s query, specifically the use of children’s data for advertising, which constitutes a form of monetization. The FTC’s order against Edmodo prohibits the company from requiring students to provide more personal data than is necessary for participation in online educational activities and includes a suspended monetary penalty due to the company’s inability to pay. This action underscored the FTC’s commitment to enforcing COPPA and holding education technology companies accountable for their data collection and use practices concerning children. The finding that Edmodo also improperly outsourced its COPPA compliance responsibilities to schools highlights a potential area of vulnerability for education technology companies and a point that could be raised in class action litigation alleging similar violations.

  • Analysis of CIPA Pen Register Provision Cases: A legal analysis discusses recent court decisions regarding the interpretation and application of the California Invasion of Privacy Act’s (CIPA) pen register provision to internet communications. These decisions indicate a trend in California courts to narrowly interpret this specific provision of CIPA, particularly in cases involving the use of website tools and the collection of IP addresses. The courts have held that CIPA’s pen register provision was not intended to cover internet communications or the alleged data collection about visitors’ devices from visitors’ devices. This evolving legal interpretation of CIPA is important context for understanding the legal landscape surrounding data privacy in California and could have implications for the success of class action lawsuits that include claims based on this particular aspect of CIPA. The increasing scrutiny of CIPA claims related to online data collection suggests that any lawsuit alleging CIPA violations, such as the one described in the user’s query, will likely face careful examination by the courts regarding the specific methods of data collection and their alignment with the statute’s provisions.
  • Cherkin et al v. PowerSchool Holdings, Inc.: This source presents a court order dated March 17, 2025, from the case Emily Cherkin et al v. PowerSchool Holdings, Inc. This lawsuit, which we covered in depth as a BIG wake-up call for those in the educational space, involves allegations against PowerSchool concerning the collection, storage, and use of children’s information without parental consent. The plaintiffs, representing a putative nationwide and California-only class of parents and public-school students, assert a range of privacy-based claims, including intrusion upon seclusion, deceit, violations of CIPA, UCL, CDAFA, invasion of privacy under the California Constitution, statutory larceny, and unjust enrichment. The core allegations involve the collection and use of children’s data without consent, and the case includes the specific legal claims mentioned by the user (CIPA, CDAFA, UCL, invasion of privacy, and unjust enrichment). The remarkable alignment in the nature of the allegations and the specific legal claims makes this case a strong candidate for the lawsuit the user is seeking to identify. The fact that PowerSchool is also facing other lawsuits related to data privacy further emphasizes the company’s involvement in this area of litigation.

No Harm, No Foul – CIPA Claims Dismissed for Lack of Standing

There is a trend of courts dismissing claims under the California Invasion of Privacy Act (CIPA) due to plaintiffs lacking sufficient standing to sue. Recent court decisions have emphasized the requirement for plaintiffs to demonstrate a concrete injury resulting from the alleged CIPA violation, beyond just the statutory violation itself. For example, the case Gabrielli v. Insider, Inc. is cited, where a CIPA claim based on the capture and sharing of an IP address was dismissed because the plaintiff failed to identify any harm analogous to privacy interests protected under common law. This development in CIPA litigation highlights the increasing scrutiny courts are applying to the standing requirement in privacy cases and suggests that plaintiffs asserting CIPA violations must provide clear evidence of actual harm suffered as a result of the defendant’s actions. This legal context is relevant to the user’s query as CIPA is one of the asserted claims in the lawsuit, and the plaintiffs will likely need to demonstrate concrete harm to establish standing for this claim.

CIPA Litigation and the “Technological Capability” to Violate California’s Privacy Laws

This analysis focuses on a CIPA case against Google, where the court considered the “technological capability” of Google to violate California’s privacy laws by allegedly listening in on and transcribing customer service calls. The court denied Google’s motion to dismiss, finding a plausible inference that Google had the technological capability to use the data collected from these calls for its own purposes, based on its terms of service. This case illustrates that in CIPA litigation involving technology companies, courts may examine the defendant’s technical abilities and terms of service to determine whether a violation could have occurred. While this case involves a different industry than education technology, the principle of examining the defendant’s technological capabilities to engage in the alleged privacy-infringing conduct could be relevant to the lawsuit in question. Plaintiffs might argue that the education technology company in the user’s query possessed the technological means to collect, share, and monetize children’s data without effective consent.

Case Brief of Greenley v. Kochava, Inc.

The brief covers Greenley v. Kochava, Inc., a class action lawsuit against a data broker that allegedly surreptitiously collected location data and other personal information from users of apps in which its software development kit (SDK) was embedded. The plaintiff asserted claims under the California Constitution, CDAFA, CIPA, UCL, and unjust enrichment. The court granted in part and denied in part the defendant’s motion to dismiss, finding that the plaintiff had standing and adequately stated claims under the California Constitution, CDAFA, and CIPA, while dismissing the UCL and unjust enrichment claims. While this case involves some of the same legal claims as the user’s query (CDAFA, CIPA, UCL, unjust enrichment) and concerns data privacy, the defendant is a data broker rather than an education technology company, and the focus is on location data collection rather than the broader range of personal information from school-aged children. Nevertheless, this case highlights that the legal claims mentioned in the user’s query are frequently used in data privacy class action lawsuits across various sectors, indicating a consistent legal framework for addressing alleged violations of privacy rights related to data collection and use.

III.  Identification of the Most Likely Case

  • Comparison with other privacy litigation cases: The case that aligns most closely is the one we recently covered, Emily Cherkin et al v. PowerSchool Holdings. This case involves an education technology company (PowerSchool) as the defendant and includes allegations of collecting and using children’s personal information without parental consent, which mirrors the core concerns raised by the user. Furthermore, the legal claims asserted in Cherkin v. PowerSchool include violations of CIPA, CDAFA, California’s UCL, invasion of privacy (specifically, intrusion upon seclusion and invasion of privacy under the California Constitution), and unjust enrichment.

Summary of Cherkin et al v. PowerSchool Holdings, Inc.

  • Defendant: PowerSchool Holdings, Inc., a prominent education technology company.
  • Plaintiffs: Emily Cherkin, David Concepción, and their minor children, representing a putative class of parents and public-school students across the United States and within California.
  • Core Allegations: The lawsuit alleges that PowerSchool harvests and commercially utilizes a wide range of sensitive personal information from students who use its various applications and software, often as part of their public-school curriculum. This data allegedly includes student enrollment details, academic records (grades, evaluations, coursework), personal demographic information, behavioral data, social-emotional learning indicators, health records, and college and career interests. The plaintiffs claim that this extensive data collection and commercial use occur without the knowledge or consent of the students’ parents or guardians. The complaint further alleges that PowerSchool employs tracking technologies to monitor students’ online activities even after they leave PowerSchool’s platforms.
  • Legal Claims: The plaintiffs assert multiple legal claims against PowerSchool, including:
    • Intrusion upon seclusion under California common law.
    • Deceit under California Civil Code § 1709-10.
    • Violations of the California Invasion of Privacy Act (CIPA), Pen. Code §§ 630 et seq.
    • Violations of the California Unfair Competition Law (UCL), Bus. & Prof. Code §§ 17200 et seq. (This claim was dismissed with leave to amend by the court order of March 17, 2025).
    • Violations of California’s Comprehensive Computer Data Access and Fraud Act (CDAFA), Cal. Pen. Code § 502.
    • Invasion of privacy under the California Constitution, Const. Art. I, § 1.
    • Statutory larceny, Pen. Code § 496.
    • Unjust enrichment.
  • Current Status as of Q1 2025: PowerSchool’s motion to dismiss several of the claims was denied, allowing the claims for intrusion upon seclusion, invasion of privacy under the California Constitution, violations of CIPA, violations of CDAFA, and unjust enrichment to proceed. The claim for violation of the UCL was dismissed with leave to amend, meaning the plaintiffs have the opportunity to revise and refile this particular claim with more specific allegations.

V. Conclusion

This case, alongside the FTC’s increased enforcement of COPPA and other lawsuits against education technology companies like IXL Learning, underscores a growing legal and regulatory focus on data privacy practices within the education sector, particularly concerning the sensitive data of school-aged children.

| Feature | User Query | Cherkin et al v. PowerSchool Holdings, Inc. (Based on Snippets) | Discrepancy |
| --- | --- | --- | --- |
| Defendant Industry | Education Technology Company | Education Technology Company (PowerSchool) | No |
| Filing Date | Yesterday (Assuming March 28, 2025) | Order dated March 17, 2025 (Lawsuit filed prior) | Yes (Date) |
| Complaint Length | 460 paragraphs, 80 pages | 28 paragraphs, 13 pages (Based on Order Summary) | Yes (Length) |
| Core Allegations | Collects, shares, and “monetizes troves of personal information from users…including millions of school-aged children–without effective consent.” | Harvests and commercially uses data about students without parental consent. | No (Alignment in core allegations) |
| Legal Claim: CIPA | Yes | Yes | No |
| Legal Claim: CDAFA | Yes | Yes | No |
| Legal Claim: UCL | Yes | Yes (Dismissed with leave to amend) | Minor (Claim exists) |
| Legal Claim: Invasion of Privacy | Yes | Yes (Intrusion upon seclusion and constitutional privacy) | No |
| Legal Claim: Unjust Enrichment | Yes | Yes | No |

Works cited

  1. Class Action Settlement | The org Legal News Wire, accessed March 28, 2025, https://www.classaction.org/news/category/class-action-settlement
  2. PSEA Data Breach Exposes Thousands of Educational Professionals – See if Your Info Was Leaked | 3/27/2025, accessed March 28, 2025, https://www.forthepeople.com/blog/psea-data-breach-exposes-thousands-educational-professionals-see-if-your-info-was-leaked/
  3. FTC finalizes COPPA rule to strengthen children’s data protection | K-12 Dive, accessed March 28, 2025, https://www.k12dive.com/news/ftc-finalizes-coppa-rule-children-data-privacy/738077/
  4. Wisconsin District Sues Ed Tech Giant PowerSchool After Massive Data Breach – The 74, accessed March 28, 2025, https://www.the74million.org/article/wisconsin-district-sues-ed-tech-giant-powerschool-after-massive-data-breach/
  5. FTC Says Ed Tech Provider Edmodo Unlawfully Used Children’s Personal Information for Advertising and Outsourced Compliance to School Districts, accessed March 28, 2025, https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-says-ed-tech-provider-edmodo-unlawfully-used-childrens-personal-information-advertising
  6. Courts Hold CIPA’s Pen Register Provision Does Not Apply to Internet Communications or to Alleged Data Collection “About Visitors’ Devices, From Visitors’ Devices” | Inside Class Actions, accessed March 28, 2025, https://www.insideclassactions.com/2025/03/12/courts-hold-cipas-pen-register-provision-does-not-apply-to-internet-communications-or-to-alleged-data-collection-about-visitors-devices-from-visitors-devices/
  7. justia.com, accessed March 28, 2025, https://cases.justia.com/federal/district-courts/california/candce/3:2024cv02706/429118/65/0.pdf
  8. Courts Dismiss California Invasion of Privacy Act Claims Due to L, accessed March 28, 2025, https://natlawreview.com/article/no-harm-no-foul-cipa-claims-dismissed-lack-standing
  9. CIPA Litigation and the “Technological Capability” to Violate California’s Privacy Laws, accessed March 28, 2025, https://www.gibbonslawalert.com/2025/03/07/cipa-litigation-and-the-technological-capability-to-violate-californias-privacy-laws/
  10. Greenley v. Kochava, Inc. – Case Brief Summary for Law School Success – Studicata, accessed March 28, 2025, https://studicata.com/case-briefs/case/greenley-v-kochava-inc/

 

If you enjoyed our first litigation analysis series let us know and we’ll aim to produce more.
