Skip to main content
Demo Now
Button Text

The AI Privacy Gap in K-12 Vendor Vetting

AI is changing how K-12 districts need to review edtech vendors. This article explains the “AI privacy gap,” why traditional vendor vetting is no longer enough, and how districts can better evaluate privacy, AI risk, accessibility, COPPA consent, and documentation before tools reach students.

The AI Privacy Gap in K-12

The AI Privacy Gap in K-12 Vendor Vetting

By Jim Onstad
President & Co-Founder, edprivacy

For years, K-12 technology leaders have been asked to do more with less. More apps. More teacher requests. More privacy laws. More parent questions. More documentation. More pressure to say yes quickly, while still protecting students and the district.

Now AI has added a new layer to an already difficult job.

The problem is not that districts are ignoring AI. In my experience, most technology leaders understand the risk very clearly. They know AI-powered tools are entering classrooms through new products, existing products, browser-based tools, teacher recommendations, and vendor feature updates. They also know that once a tool reaches students, the district may be responsible for explaining what was reviewed, what was approved, and whether student data was properly protected.

The real problem is that AI is moving faster than the vendor vetting process most districts have in place.

That is the AI privacy gap.

It is the space between how quickly AI tools are being adopted and how difficult it is for districts to evaluate them with confidence.

Vendor vetting was already stretched

Before AI became part of every vendor conversation, district technology teams were already responsible for reviewing privacy policies, terms of service, contracts, data sharing agreements, security practices, accessibility concerns, and compliance with laws like COPPA, FERPA, and state student privacy requirements.

That work is important, but it is rarely simple. Many districts still manage the process through spreadsheets, shared folders, email threads, vendor forms, and manual reviews. A teacher submits a request. Someone tracks down the vendor policy. Someone looks for a data privacy agreement. Someone checks whether the tool is used by students. Someone tries to determine whether the vendor collects personal information, uses data for advertising, or allows parents to request deletion.

That process can work when the volume is low and the questions are familiar. But most districts are no longer dealing with a small number of static tools. They are managing hundreds or thousands of online resources, many of which change their terms, features, ownership, or data practices over time.

AI makes that harder because it changes the questions districts need to ask.

AI changes the review

With AI tools, it is no longer enough to ask whether a vendor collects student data. Districts also need to understand how that data may be processed, analyzed, stored, reused, or shared.

A vendor may use AI to generate feedback, summarize student work, recommend content, evaluate responses, personalize learning, monitor behavior, or power a chatbot. In each case, the district needs to know whether student data is involved and whether the vendor’s practices are appropriate for a school-authorized educational purpose.

The most important question may be this:

Is student data being used to train, improve, or develop AI models?

That question matters because there is a meaningful difference between using AI to provide a service to the school and using student data to improve a vendor’s broader commercial product. If student prompts, uploaded documents, chat history, usage data, behavioral data, or persistent identifiers are used for purposes beyond the educational service, the district needs to know that before approval.

This is also where COPPA becomes more complicated. Schools may be able to provide consent on behalf of parents when an online service is used for a school-authorized educational purpose and the data is used only for that purpose. But if a vendor uses student data for advertising, profiling, unrelated product development, or broader AI model training, the district’s analysis changes.

That is not a small detail. That is the heart of responsible AI governance in K-12.

AI policies are not enough

Many districts are working on AI policies, responsible use guidelines, and staff expectations. That is good and necessary work. But a policy alone does not review a vendor. It does not answer a teacher’s app request. It does not determine whether student data is being used for AI training. It does not create a record showing why the district approved or rejected a tool.

The hard part is turning policy into daily practice.

That means technology leaders need a process that can help them answer practical questions quickly:

  • Can this tool be used by students?
  • Is it only appropriate for staff use?
  • Does the vendor use AI?
  • Does the vendor disclose how AI works?
  • Is student data used to train models?
  • Does the tool raise accessibility concerns?
  • Can the school grant consent under COPPA?
  • Can we explain this decision to a parent, superintendent, board member, or auditor?

These are not abstract governance questions. These are the questions district technology leaders face every week.

The risk is not just approval. It is documentation.

One of the biggest challenges I hear from districts is not just deciding whether a tool should be approved. It is being able to prove how that decision was made.

That matters because vendor review is no longer just an internal technology function. It touches curriculum, legal, accessibility, student services, purchasing, communications, and the classroom. When something goes wrong, the question is rarely, “Did someone care about privacy?” The question becomes, “What did the district know, when did it know, and what process was followed?”

That is why spreadsheets are becoming less useful for this work. A spreadsheet may show that a vendor is approved, denied, or pending. It may include a link to a privacy policy. But it usually does not provide a clear, consistent, and defensible explanation of the privacy risk, AI risk, accessibility concerns, COPPA consent analysis, contract status, and approval guidance in one place.

Districts need more than a list. They need a review record.

The goal is not to slow innovation

AI absolutely has a place in education. Many tools can help teachers save time, support students, improve feedback, and make learning more accessible. District technology leaders are not trying to stop innovation. They are trying to make sure innovation does not create unnecessary risk for students or the district.

That is an important distinction.

A good vendor review process should not be designed only to say no. It should help districts say yes with confidence when a tool meets the right standards. It should also help districts place reasonable limits on tools that are appropriate for staff but not students, or tools that need a signed agreement before student use.

The best outcome is not a slower approval process. The best outcome is a clearer one.

Teachers deserve timely answers. Students deserve protection. Parents deserve transparency. District leaders deserve documentation they can trust.

Closing the AI privacy gap

The AI privacy gap exists because vendor vetting has changed. It is no longer just about privacy policies and contracts. Districts now need to account for AI risk, accessibility, COPPA consent, public transparency, and ongoing vendor monitoring.

EdPrivacy was built for this reality. We help K-12 districts bring those pieces together so they can review vendors faster, identify privacy and AI risks, document accessibility concerns, and make safer edtech decisions before tools reach students.

In today’s environment, the question is not whether districts should use technology or AI. The question is whether they can review it, document it, and explain the decision with confidence. That is where K-12 vendor vetting has to go next.

Share this post
Privacy Management
Compliance