Proctorio's AI flags "suspicious" behaviour including looking away from the screen, having a messy room, having dark skin (causing lighting algorithm failures), and fidgeting — all of which disproportionately affect students with disabilities, people of colour, and those in small living spaces. Multiple studies found the AI flagged Black and brown students at higher rates due to facial detection bias.

The FTC took action against Chegg in 2022 for four data breaches between 2017 and 2020 that exposed personal data of 40 million users, including students' religious affiliation, sexual orientation, disabilities, and parents' income. The FTC found Chegg stored data in plaintext, used a single encryption key for all data, and allowed employees to use a single shared login credential for third-party databases.

A New York Times investigation found Gaggle monitors the emails, Google Docs, and chat messages of millions of students, flagging content containing keywords related to suicide, violence, drugs, and sexuality. LGBTQ+ students were disproportionately flagged because their private communications about identity and relationships triggered the keyword filters. Some students were outed to parents and school administrators.

Independent studies found Turnitin's AI detector produced false positive rates of 1-10%, disproportionately flagging non-native English speakers whose writing patterns were interpreted as "AI-like." Students were accused of cheating based on an algorithm that confused second-language writing with machine writing. Some students faced academic discipline or expulsion based solely on Turnitin's AI score.

89% of teachers report monitoring tools are used in their schools. 44% say students have been contacted by police as a result. In Baltimore, GoGuardian flags are shared automatically with school police — including nights and weekends. A direct pipeline from a child's homework to law enforcement, with no warrant and no parental notification.

In December 2024, a hacker used a compromised employee password — with no multi-factor authentication — to access PowerSchool's support portal and exfiltrate 62 million student records and 9.5 million educator records from 18,000 schools. Data included SSNs, medical conditions, disability accommodations, IEPs, disciplinary records, family income, and bus stops. PowerSchool paid a $2.85M ransom. The attacker then individually re-extorted school districts with the same data.

A 2022 FTC complaint by EFF and other groups alleged Google tracked students' browsing across non-educational Google services (YouTube, Maps, Search) and used the data to build advertising profiles. New Mexico's Attorney General sued Google in 2020 for collecting personal data from children under 13 through Chromebooks and Google Education tools without parental consent.

ShinyHunters breached Canvas LMS in April-May 2026, claiming 3.65TB of data from 8,809 institutions including Harvard, MIT, and Oxford. This was the second breach in 8 months — the first was September 2025. Exposed names, emails, student IDs, and billions of private messages. 404 Media called it "the biggest student data privacy disaster in history."