Federal and state enforcement actions involving student data violations, tracked from official government sources.
17
Total Actions
$16.1M
Total Fines
7
Jurisdictions
Illinois Attorney General Kwame Raoul, joined by 16 other attorneys general, filed a lawsuit against the U.S. Department of Education to stop new data collection requirements under IPEDS that threaten student privacy by requesting sensitive personal information including income, test scores, and GPA.
Connecticut Attorney General William Tong joined a coalition of 17 attorneys general in filing a lawsuit against the U.S. Department of Education to stop new data reporting requirements under IPEDS that demand detailed student information. The coalition argues the requirements are unlawful, arbitrary, and jeopardize student privacy by requesting in-depth data that could lead to inadvertent errors and baseless investigations. The lawsuit seeks an injunction to block the implementation of these requirements.
New York Attorney General Letitia James, joined by 16 other states, sued the U.S. Department of Education over a new survey requiring colleges to submit extensive student data, arguing it violates the Administrative Procedure Act and threatens student privacy. The lawsuit seeks to block the mandate and prevent penalties for non-compliance.
California Attorney General Rob Bonta filed a lawsuit against the U.S. Department of Education to block the expansion of IPEDS data collection requiring colleges to submit race-linked student data. The lawsuit argues the demand is arbitrary, capricious, and burdensome, and could enable costly partisan investigations. A multistate coalition co-led the challenge.
Connecticut Attorney General William Tong, joined by 17 other attorneys general, filed a lawsuit against the U.S. Department of Education to block new IPEDS data reporting requirements that demand student information disaggregated by race and sex. The coalition argues the rushed implementation is unlawful, invades student privacy, and risks unreliable data and baseless investigations. They seek an injunction to halt the data collection and protect student privacy.
Massachusetts Attorney General Andrea Campbell co-led a coalition of 17 attorneys general in filing a lawsuit against the Trump Administration to stop new data reporting requirements for colleges and universities through IPEDS. The requirements demand detailed student data disaggregated by race and sex, retroactive for seven years, which the coalition argues jeopardizes student privacy and could lead to baseless investigations.
The FTC proposed a consent order against Illuminate Education, Inc. for failing to secure student data, leading to a breach affecting over 10 million students. The company allegedly had security failures and delayed breach notifications. The order requires a data security program, data deletion, and a retention schedule.
Illuminate Education, Inc. experienced a data breach in 2022 that exposed personal information of millions of students due to inadequate security measures. A multistate investigation by New York, California, and Connecticut Attorneys General resulted in a $5.1 million settlement requiring Illuminate to enhance cybersecurity practices and pay penalties.
$5.1M
Illuminate Education, Inc. suffered a data breach in 2021 due to security failures, exposing sensitive student data including medical conditions across millions of students. The company has agreed to pay $5.1 million in settlements to California, Connecticut, and New York and implement injunctive relief to strengthen data security practices.
$5.1M
Connecticut Attorney General William Tong, along with California and New York Attorneys General, settled with Illuminate Education, Inc. for failing to protect student data in a breach that exposed personal information of millions of students. The settlement, the first under Connecticut's Student Data Privacy Law, requires Illuminate to pay $5.1 million and implement enhanced cybersecurity measures.
$5.1M
Connecticut Attorney General William Tong joined 18 other attorneys general in filing a comment letter opposing a U.S. Department of Education proposal to expand data collection on race, admissions, and student performance from colleges and universities. The coalition argues the proposal is unreasonably burdensome, unlikely to yield quality data, and could be misused to target lawful diversity, equity, and inclusion initiatives, raising student privacy concerns.
California Attorney General Rob Bonta led a coalition of 18 attorneys general in submitting a comment letter opposing the U.S. Department of Education's proposal to collect extensive student data on race, admissions, and financial aid. The coalition argues the data collection is burdensome, unlikely to yield quality data, and may be misused to target lawful diversity, equity, and inclusion efforts.
Texas Attorney General Ken Paxton filed a lawsuit against PowerSchool, a provider of cloud-based services for K-12 schools, following a data breach that exposed the personal and health information of over 880,000 Texas school-aged children and teachers. The breach occurred in December 2024 when a hacker gained administrative access through a subcontractor's account and stole unencrypted data including Social Security numbers, medical details, and disability records. The lawsuit alleges PowerSchool violated Texas law by failing to implement basic security measures and by misleading customers about its security practices.
College Board licensed student data to third parties and used it for marketing without proper consent, violating New York law. The settlement requires College Board to pay $750,000 and prohibits future commercial use of student data from school-administered exams.
$750K
The FTC has proposed amendments to the COPPA Rule to enhance children's privacy protections. Key changes include requiring separate parental consent for targeted advertising, prohibiting conditioning access on data collection, limiting push notifications, strengthening data security and retention requirements, and restricting commercial use in educational technology. The proposal shifts responsibility from parents to companies to safeguard children's data.
Marymount Manhattan College suffered a data breach in 2021 affecting 99,097 New Yorkers. The New York Attorney General found that MMC failed to secure its network infrastructure and update security policies. As part of the agreement, MMC must invest $3.5 million over six years to improve data encryption, enable multi-factor authentication, and implement other security measures.
The FTC finalized an order against Chegg Inc. for failing to secure student data, leading to breaches that exposed personal information of about 40 million users and employees. Chegg must implement a comprehensive security program, limit data collection, offer multifactor authentication, and allow data access and deletion.