Study highlights security & privacy flaws in public educational agency websites

By Darin K. Jones and Cathie L. Fields for AALRR


Across the country, students, parents, and community members rely on websites as a primary source for information about their children’s education, meal planning, and community events. The websites may be operated by a school, a district, a county office of education, or a state-level educational agency.

A recent study entitled Tracking: EDU: Education Agency Website Security and Privacy Practices, produced by consulting firm EdTech Strategies, LLC, highlights significant privacy, online surveillance, and other security issues with the websites of many school districts and state departments of education.

The study illuminates the nearly universal presence of third-party ad trackers and online surveillance software embedded in educational agency websites. According to the study, approximately 90% of state departments of education and all but one of the 159 large school districts analyzed employed Google Analytics services to gather website user data for targeted advertising. School district websites surveyed also deployed tools from approximately 40 other ad tracking services, including Facebook and Twitter.

Another concern highlighted by the study is a lack of clear and appropriate website privacy policies. Only 19% of the school districts studied had privacy policies published on their websites. And even when policies were published, most were incomplete or misleading. For example, the privacy policy on one school district website asserted that the website would not place “cookies” on users’ devices. But the same school district website used tools from Google Analytics and other ad tracking services that do, in fact, deploy cookies.

The study also points out a widespread failure to adopt the “https” secure browsing protocols on school district websites. Such protocols help protect website users from viruses, third-party snooping, and hijacking. Fewer than half of the school district websites analyzed in the study consistently supported secure browsing.

Nothing in the study indicates any of the agencies were intentionally misleading website users about these privacy and security issues. Instead, the study’s author suggested that — given limited budgets, staff, and resources — school district IT departments and policy makers might simply be unaware of or unable to address the privacy and security issues “under the hood” of their websites.

If you need assistance navigating the complicated intersection of education and technology, AALRR's experienced attorneys are eager to help.


Read more about similar EdTech topics here and check out more of ACSA’s professional development events, trainings, workshops, and conferences on similar topics here.

ACSA is dedicated to providing K-12 administrators with relevant content and building events that focus on today’s most important school administration issues. Become a member and join us for our world-class Leadership Summit, Every Child Counts Symposium, professional development events, one-on-one mentorship program, ongoing Equity Project, statewide advocacy efforts, members-only benefits, and much more.

Previous Flipbook
Cyber Misconduct, Discipline and the Law
Cyber Misconduct, Discipline and the Law

When does a school district have jurisdiction to discipline a student or employee for cyber speech?

Next Article
22 Education TED talks to make you think
22 Education TED talks to make you think

These education-focused TED talks aim to answer the question: "As a country, how can we better inspire our ...