Protecting Student Data on Chromebooks

Chromebooks have become the standard for classroom learning in the United States, with millions of devices issued to students annually. While these devices bridge the digital divide and simplify assignment management, they also introduce significant privacy risks. Parents and educators must understand exactly what data is being collected, who has access to it, and how educational software monitors students both inside and outside the classroom.

The Reality of EdTech Surveillance

When a student logs into a school-issued Chromebook, they are entering a managed environment. This is different from a personal laptop. The device is often loaded with third-party monitoring software designed to filter content and track activity.

The Role of Monitoring Software

Schools often install safety management platforms to comply with the Children’s Internet Protection Act (CIPA). However, these tools go far beyond simple pornography filters. Market leaders like GoGuardian, Gaggle, and Securly provide deep visibility into student behavior.

  • GoGuardian: This software allows teachers to see a student’s screen in real-time during class. It also logs browsing history and can alert administrators if a student searches for concerning keywords related to self-harm or violence.
  • Gaggle: This service focuses on analyzing communications. It scans emails, documents, and chat messages within the school’s Google Workspace for suspicious keywords. In some cases, human moderators review flagged content before alerting school officials.

The concern arises because this monitoring often does not stop when the school bell rings. If the student is logged into their school account, the software may continue to track browsing history, location data, and app usage at home. A report by the Center for Democracy and Technology (CDT) found that 89% of teachers reported their schools use student monitoring software, yet many parents remain unaware of the extent of this surveillance.

Google Workspace for Education: What is Collected?

Google is the infrastructure behind the Chromebook, and their data practices differ depending on which services a student uses. Google separates its offerings into two categories: Core Services and Additional Services.

Core Services

These include Gmail, Calendar, Classroom, Docs, Sheets, Slides, and Drive. Google’s privacy statement for Education accounts asserts that:

  • They do not scan Core Services content for advertising purposes.
  • Student data in these services is not used to create ad profiles.
  • Data is owned by the school, not Google.

Additional Services

This is where privacy leaks often occur. If a student uses their school account to access YouTube, Google Maps, or Google Search (which are considered “Additional Services” unless contractually modified), Google may collect data differently.

  • Search History: Unless the school administrator specifically disables it, search history on a logged-in account can be tied to the student’s profile.
  • YouTube: Watch history and preferences can be tracked if the student is logged in.

Parents should ask their school administrators if “Additional Services” are enabled for student accounts and what privacy settings are applied to them.

Legal Protections and Their Limitations

Federal laws provide a baseline for privacy, but they were written before the explosion of cloud-based classroom tools.

  1. FERPA (Family Educational Rights and Privacy Act): This law protects the privacy of student education records. However, it contains a “school official” exception. This allows schools to share student data with third-party vendors (like software companies) without parental consent, provided those vendors perform a function the school would otherwise handle.
  2. COPPA (Children’s Online Privacy Protection Act): This regulates the collection of data from children under 13. While it usually requires parental consent, schools can consent on behalf of parents for educational tools. This means parents are often bypassed in the approval process for new apps.
  3. SOPIPA (Student Online Personal Information Protection Act): Originating in California, this model legislation (adopted by several other states) specifically prohibits operators of educational websites from selling student data or using it for targeted advertising.

Risks of Third-Party Extensions

Beyond the core software, Chromebooks often accumulate browser extensions. Teachers may ask students to install specific extensions for math help, grammar checking (like Grammarly), or creative projects.

Every extension represents a potential data privacy vulnerability. Many free extensions monetize by collecting browsing data or selling user insights.

  • Data Aggregation: An extension meant to help with spelling might require permission to “read and change all data on websites you visit.” This grants the developer access to everything the student types or views in the browser.
  • Lack of Vetting: While district IT departments vet major software, individual extensions sometimes slip through the cracks.
  • Ownership Changes: A reputable extension can be sold to a different company that changes the privacy policy to monetize the user base, often without notifying the school or the student.

Practical Steps for Parents

While you cannot opt out of every school technology, you can take specific steps to minimize data exposure.

  • Establish Device Boundaries: Treat the school Chromebook strictly as a tool for schoolwork. Do not allow your child to log into personal accounts (like personal Gmail or social media) on the school device. This prevents the school’s monitoring software from capturing personal data.
  • Use a Camera Cover: Physical privacy is vital. Buy a simple sliding webcam cover or use a piece of tape when the camera is not in use for class.
  • Review Installed Extensions: Open the Chrome browser, click the puzzle piece icon (Extensions), and review the list. If you see unrecognized extensions, ask the school IT department about their purpose and data practices.
  • Request the Student Data Privacy Agreement: Schools usually sign a Data Privacy Agreement (DPA) with vendors. You have the right to ask the school administration to view these contracts to see what data is collected and when it is deleted.

Frequently Asked Questions

Can school administrators access the Chromebook camera remotely? Technically, software exists that allows remote access, but it is rarely configured to allow spying without an active session. However, to be safe, always cover the webcam when it is not being used for a specific video lesson.

Does using Incognito Mode stop the school from seeing activity? No. On managed Chromebooks, “Incognito Mode” is usually disabled by the administrator. Even if it is active, the school’s network filters and monitoring tools (like GoGuardian) can still capture web traffic and screen activity.

What happens to the data after my child graduates? This depends on the school’s retention policy. Google allows schools to delete accounts and associated data. However, you should confirm with your school district that they have a process for purging student data upon graduation to ensure it does not remain on third-party servers indefinitely.

Can I opt my child out of having a Google account? It is difficult. Most public schools integrate Google Workspace deeply into their curriculum. Opting out may require an Individualized Education Program (IEP) or a specific arrangement with the administration, and it may result in your child using paper alternatives that isolate them from classroom workflows.