In a landmark case filed in the U.S. District Court for the Northern District of California, Cherkin et al. v. PowerSchool Holdings, Inc. (Case No. 24-cv-02706-JD), parents Emily Cherkin, David Concepción, and their minor children have sued PowerSchool Holdings, Inc., a provider of educational software used in public schools. With the lawsuit dated March 17, 2025, the court’s order partially dismissed the complaint but allowed key privacy claims to proceed, spotlighting the growing legal risks businesses face over data privacy. The privacy experts here at Captain Compliance break down the lawsuit, its outcomes, and why business owners, especially those handling sensitive data, should invest in privacy software from Captain Compliance to shield against similar pitfalls that can lead to extremely costly lawsuits that can be easily avoided.
The Lawsuit at a Glance
PowerSchool offers a suite of software tools to public school districts, used by students and teachers for tasks like grading, attendance tracking, and coursework management. The plaintiffs allege that PowerSchool collects extensive student data, ranging from grades and demographics to behavioral records and browsing habits, without parental consent. Beyond mere collection, they claim PowerSchool analyzes, packages, and sells this data to third parties or uses it to enhance its own products, all while embedding tracking technologies on students’ personal devices to monitor their online activity even after they leave the platform.
The complaint, filed on behalf of nationwide and California-only classes, asserts eight privacy-based claims under California law: intrusion upon seclusion, deceit, violations of the California Invasion of Privacy Act (CIPA), the Unfair Competition Law (UCL), the Comprehensive Data Access and Fraud Act (CDAFA), invasion of privacy under the California Constitution, statutory larceny, and unjust enrichment. PowerSchool moved to dismiss the entire complaint, arguing the allegations lacked plausibility or legal grounding. The court’s March 17, 2025, order dismissed three claims (deceit, UCL, and statutory larceny) with leave to amend but upheld the rest, signaling that the core privacy allegations hold water, at least for now.
Key Rulings and Reasoning
- Intrusion Upon Seclusion and Constitutional Privacy: The court found that PowerSchool’s alleged data collection, covering sensitive details like health records and web-browsing habits, plausibly violates students’ reasonable expectations of privacy. Citing laws like the Family Educational Rights and Privacy Act (FERPA) and California Education Code § 49076, which protect student data, the judge deemed the collection and commercial use of this information without consent “highly offensive” to a reasonable person. PowerSchool’s argument that schools can share data with contractors under certain conditions didn’t sway the court, which emphasized the context-specific nature of privacy rights.
- CIPA and CDAFA: The California Invasion of Privacy Act claim survived, with allegations that PowerSchool enables third-party data interception via APIs and plug-ins. Similarly, the CDAFA claim, focused on unauthorized data access, held up, as the court rejected PowerSchool’s narrow interpretation of “without permission” and found the privacy loss sufficient to meet the statute’s “damage or loss” threshold. If you’ve been following the Swigart Law and Pacific Trial Attorney lawsuits over privacy violations, then you will be very familiar with CIPA; otherwise you would not be as informed, as it’s not so much a modern-day privacy law but has been brought into the spotlight by plaintiffs’ attorneys.
- Unjust Enrichment: The court allowed this claim to proceed as a standalone cause, recognizing that PowerSchool may have unjustly benefited from students’ data at plaintiffs’ expense, pending further refinement.
- Dismissed Claims: The deceit claim faltered due to a lack of specific allegations about plaintiffs relying on PowerSchool’s privacy statements. The UCL claim failed because the plaintiffs didn’t show a clear economic injury, like lost money or property. Statutory larceny was dismissed, as student data wasn’t deemed “property” capable of exclusive possession under California law.
- Non-California Residents: PowerSchool’s bid to dismiss claims by Washington residents (Cherkin and her child) under California law was denied as premature, to be revisited at class certification.
What This Means for Businesses
This lawsuit underscores a critical reality: businesses handling personal data, especially sensitive information like children’s records, face mounting legal exposure. The court’s willingness to let most claims proceed at this early stage reflects a judicial trend toward protecting privacy rights, particularly when minors are involved. For PowerSchool, the allegations paint a picture of a company leveraging its role in education to profit from data, potentially breaching trust and legal boundaries. The surviving claims could lead to significant penalties (e.g., up to 4% of annual turnover under GDPR-like frameworks) and reputational harm if proven.
For business owners, the takeaways are stark. First, collecting data without clear, informed consent, especially from vulnerable populations, invites lawsuits. Second, using that data commercially amplifies the risk, as courts view such actions as egregious breaches of social norms. Third, even technical data (e.g., device info or browsing history) isn’t immune to scrutiny if collected surreptitiously. Finally, compliance with laws like FERPA or state privacy statutes isn’t optional; missteps can unravel defenses based on contractual roles.
Why Privacy Software Is a Must
Businesses can’t afford to navigate this landscape manually. Privacy software offers a proactive shield against the risks highlighted in *Cherkin v. PowerSchool*. Here’s why it’s essential:
- Consent Management: Tools like consent management platforms (CMPs) ensure users are informed and opt in explicitly, preventing unauthorized data collection—a core issue in this case.
- Data Mapping: Software can inventory what data you collect, where it’s stored, and how it’s used, helping you spot vulnerabilities before they become legal liabilities.
- Compliance Automation: Privacy platforms align operations with laws like GDPR, CCPA, FERPA, and CIPA, reducing the guesswork PowerSchool allegedly ignored.
- Tracking Control: Solutions can detect and manage embedded trackers or APIs, avoiding the kind of third-party data sharing that bolstered the CIPA claim.
- Audit Trails: Robust logging proves compliance and consent, offering a defense if regulators or lawsuits come knocking.
Without such tools, businesses risk repeating PowerSchool’s alleged missteps: opaque practices, unchecked data use, and failure to respect user rights. Privacy software isn’t just a safeguard—it’s a competitive edge, signaling trust to customers and regulators alike.
Action Steps for Business Owners
- Review Data Practices: Audit how you collect, store, and use personal data. Are you transparent? Do you have consent? PowerSchool’s case shows that assumptions about “acceptable” data use don’t hold up in court.
- Invest in Tech: Deploy privacy software tailored to your industry, whether education, healthcare, or otherwise. Look for solutions with real-time monitoring and user-friendly consent interfaces.
- Train Your Team: Educate staff on privacy laws and risks. Human error or ignorance can sink even the best systems.
- Prepare for Scrutiny: As regulators and courts tighten the screws (e.g., the EDPB’s 2025 focus on erasure rights), proactive compliance beats reactive damage control.
So What Does This Privacy Education Lawsuit Mean For Your Business?
It means you should hurry and get compliant right away. DO NOT DELAY. Too many times we have seen a client wait and get slapped with a multimillion-dollar lawsuit. The Cherkin v. PowerSchool lawsuit is no different from the other cautionary tales we have shared to warn other businesses that touch personal data. With privacy claims advancing and regulators doubling down (did you see how the CPPA fined Honda $632,000 the other day?), the stakes are higher than ever. Privacy software isn’t a luxury; it’s a necessity to dodge legal bullets, protect your reputation, and stay ahead. For business owners, the message we share over and over again is clear: act now, or pay later.