When a school district selects a learning management system, the conversation almost always starts with features. Does it have a gradebook? Can teachers post assignments? Does it support video content? These are reasonable questions, but they overlook what may be the most consequential dimension of any LMS selection: how the platform handles student data privacy. Data privacy has emerged as a major concern, especially, after Canvas May 2026 data breach.

Student data privacy in LMS environments is not a compliance checkbox. It is a fundamental obligation that schools owe to every family they serve. The legal frameworks governing how student data can be collected, used, and shared are detailed and consequential. Violations carry real penalties. More importantly, trust violations carry costs that no regulation can fully quantify. Understanding what to look for in an LMS from a data privacy standpoint is essential knowledge for every K-12 administrator and technology director.

Why student data privacy in LMS matters more than ever

The shift to digital learning environments has dramatically expanded the volume of data that schools collect about students. Every login, assignment submission, quiz result, and reading behavior generates data. Modern LMS platforms can capture detailed behavioral and academic profiles that go far beyond what a paper gradebook ever recorded. This creates genuine educational value when used responsibly. It creates serious privacy risks when it is not.

A report from the nonprofit Internet Safety Labs found that 96% of apps used in schools share student information with third parties. Yet 86% of the schools surveyed lacked any mechanism for obtaining parental consent before deploying technology that shares student data. These numbers point to a systemic gap between the privacy obligations schools have under law and what is actually happening in practice.

When parents discover that platforms deployed by their child’s school are sharing sensitive student data without their knowledge, trust collapses. That collapse extends not just to the specific app in question but to the school’s entire digital infrastructure. Rebuilding it is slow and difficult. Prevention is far less costly.

Key student data privacy laws every school must understand

Three major regulatory frameworks shape what FERPA-compliant LMS and other school software must do. Understanding each of them is essential before evaluating any platform.

FERPA, the Family Educational Rights and Privacy Act, is the foundational federal law governing student education records in the United States. It gives parents the right to access their children’s education records, request corrections, and control disclosure of those records to third parties. Schools must have written consent before disclosing personally identifiable information from education records, with limited exceptions. Any LMS that shares student data with third parties without proper contractual protections is a potential FERPA violation.

COPPA, the Children’s Online Privacy Protection Act, applies to online services directed at children under 13. It requires verifiable parental consent before collecting personal information from these children. Schools acting as intermediaries between students and online platforms can provide consent on behalf of parents under certain conditions, but only when the platform is used strictly for educational purposes, and the school maintains direct control over the data. COPPA school software must not use data collected from children for commercial purposes, including targeted advertising.

GDPR education compliance applies to any school or platform serving students in the European Union, as well as to platforms used by EU residents, regardless of where the platform is based. GDPR imposes strict requirements on data minimization, purpose limitation, data subject rights, and breach notification. For Canadian schools, PIPEDA and provincial privacy laws such as PHIPA in Ontario and similar legislation in British Columbia add another layer of obligations.

What to look for in an LMS from a student data privacy standpoint

Evaluating student data privacy in LMS platforms requires looking beyond marketing claims. Vendors frequently use phrases like ‘privacy-first’ or ‘secure by design’ without providing the specific contractual and technical evidence that would substantiate those claims. A rigorous evaluation should examine the following areas.

Data ownership and use restrictions are the starting point. The contract between the district and the LMS vendor must clearly state that the district owns the student data, that the vendor may only use it to provide the contracted educational services, and that the vendor may not sell or use student data for advertising, analytics product development, or any commercial purpose. Any ambiguity in this language is a red flag.

Third-party sharing practices require specific scrutiny. Even if the primary LMS vendor has strong privacy practices, many platforms integrate with third-party tools that may not. Districts should request a complete list of every third party that the LMS shares data with, the purpose of each sharing relationship, and the contractual terms governing each.

Data residency and hosting location matter particularly for Canadian schools. Student data stored on servers outside Canada may be subject to foreign government access under laws such as the US PATRIOT Act and CLOUD Act. Many Canadian school boards specifically require that student data be hosted within Canada. Districts should verify not just where data is stored at rest but also where it travels during processing and backup.

Breach notification procedures are a critical but often overlooked element. FERPA requires schools to notify affected families of unauthorized disclosures. GDPR requires notification to supervisory authorities within 72 hours. An LMS vendor contract should specify exactly what the vendor will do and within what timeframe if a breach occurs, including notifying the district so it can fulfill its own notification obligations.

Red flags in LMS data privacy practices

Some warning signs in LMS data privacy practices are obvious. Others require careful reading of contracts and technical documentation. The following patterns should give any district pause before signing a vendor agreement.

Vague data use language in contracts is the most common red flag. Phrases like ‘we may use aggregated and de-identified data to improve our services’ can mask practices that effectively profile students across multiple districts. True de-identification is technically difficult to achieve, and research has repeatedly demonstrated that supposedly anonymized data sets can be re-identified.

The absence of a Data Processing Agreement or School Service Provider Agreement is another warning sign. Reputable vendors proactively offer these agreements as evidence of their commitment to privacy standards. A vendor that resists providing one is a vendor that has not invested seriously in compliance.

Platforms that route data through advertising networks, even for analytics purposes, should be disqualified for K-12 use. Student behavioral data is among the most sensitive data categories, and any exposure to advertising infrastructure creates risks that no educational benefit can justify.

How Edsby approaches student data privacy

Edsby was built with student data privacy as a design principle rather than an afterthought. The platform stores Canadian school data in Canada, using Microsoft Azure’s Canadian data centres to ensure compliance with provincial and national data residency requirements. This addresses one of the most persistent concerns for Canadian school boards: that data held by US-based vendors is potentially accessible to US law enforcement under federal legislation.

Edsby does not use student data for advertising, does not share student information with third-party advertising networks, and limits data sharing to the specific educational purposes outlined in its school service provider agreements. The platform’s architecture is designed to give districts clear visibility into what data is collected and how it is used.

For a detailed academic review of student data privacy issues in educational technology, see the research published in the Journal of Learning Analytics: Student data privacy and educational technology.

Frequently asked questions

1. What does FERPA require from a school’s LMS vendor?

FERPA requires that any vendor handling student education records serve as a ‘school official’ under a legitimate educational interest, use the data only for the educational purposes specified by the school, and not share or sell student data to third parties. The contract between the school and the vendor must explicitly establish these obligations.

2. How is COPPA different from FERPA in school technology contexts?

FERPA governs education records broadly and applies to students of all ages. COPPA specifically regulates online services directed at children under 13 and requires verifiable parental consent before collecting personal information. Schools can provide consent on behalf of parents for educational tools, but only when those tools are used strictly for educational purposes with no commercial data use.

3. Why does data hosting location matter for Canadian schools?

Student data stored on servers outside Canada may be subject to access by foreign governments under laws such as the US PATRIOT Act and CLOUD Act. Many Canadian provinces have specific guidance or requirements that student data remain within Canadian borders. Choosing a platform that hosts data in Canadian data centres addresses this concern directly.

4. What is a Data Processing Agreement, and why does it matter?

A Data Processing Agreement is a contract between a school and a technology vendor that specifies exactly what data is collected, how it is used, who it is shared with, what security measures protect it, and what happens if there is a breach. It is a fundamental requirement for GDPR compliance and is considered best practice for any school technology deployment involving student data.

5. Can a school district be held responsible for a third-party app’s privacy violations?

Yes. Under FERPA, when a school deploys a technology platform, it is responsible for ensuring that the platform handles student data in accordance with FERPA requirements. If a vendor shares student data without authorization, the school that deployed that vendor may be found non-compliant. This is why contract language and vendor due diligence are so important.