Resources > AI
12 Questions Every District Should Ask an AI Vendor About Student Data
From Bluum. Print this. Bring it to the meeting.
Bluum | EdTech Experts
AI tools run on data, and in a school that means children’s data, protected by federal and state law. Before you let any AI vendor near a classroom, get clear answers to twelve questions about what they collect, where it goes, whether it trains their models, and what happens when you leave.
If a vendor can’t answer these plainly, that is your answer. The full list is below, ready to copy.
Why this matters more in 2026
Two things changed. AI tools collect and process far more student input than the old gradebook software ever did. And the rules got stricter. In January 2025 the FTC finalized the first major update to COPPA since 2013, with tighter limits on sharing children’s data with third parties and new requirements that reached full compliance in 2026.¹ Translation: “we’ll figure out privacy later” is no longer a defensible position.
The 12 questions
1. What student data do you collect, exactly? Inputs, outputs, metadata, all of it. Vague answers here predict vague practices.
2. Do you use student data to train your models? The answer you want is no, or only with explicit, revocable opt-in.
3. Who owns the data? It should be the district. Always. Get it in writing.
4. Where is the data stored and processed? Including any subprocessors and which countries are involved.
5. Which third parties get access? Every vendor standing behind the vendor counts.
6. How do you comply with FERPA, COPPA, and our state law? Ask for specifics, not a compliance logo.
7. Will you sign our data privacy agreement? The SDPC National Data Privacy Agreement is a strong, widely used standard.²
8. How long do you keep data, and how is it deleted? Including after we cancel. Indefinite retention is a red flag.
9. What is your security posture? Encryption, access controls, and independent audits like SOC 2.
10. Have you had a breach, and how did you handle it? Past behavior is the best predictor of future behavior.
11. Can we export our data in a usable format? Avoid lock-in. Your data should never be a hostage.
12. Who is accountable, and how do we reach them fast? A name and a number, not a ticket queue.
How to read the answers
Plain, specific, and written down beats smooth and verbal every time. “We never use student data to train our models, and here it is in the contract” is a good answer. “We take privacy very seriously” is not an answer.
One thing not to rely on
Don’t outsource this to a compliance badge on a website. The protection lives in the contract terms and the vendor’s actual practices, not in marketing.
Frequently asked questions
Isn’t this IT’s job?
It is a shared job. Instruction picks the tool, IT and privacy vet it, leadership owns the risk.
What if a vendor won’t sign our DPA?
Treat it as a serious red flag. Strong vendors expect this and have a signed agreement ready.
Does COPPA apply if the school consents on behalf of parents?
That school-consent path exists in FTC guidance, but it is narrower than people assume, and the FTC declined to formally codify it in the 2025 rule. Get legal eyes on it.³
Are free tools riskier?
Often, because the business model may quietly rely on data. Read those terms with extra care.
Get Expert Help From a Local Representative
¹FTC, final amendments to the COPPA Rule, January 2025 (effective June 2025; full compliance 2026). https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-finalizes-changes-childrens-privacy-rule-limiting-companies-ability-monetize-kids-data
²SDPC National Data Privacy Agreement, Access 4 Learning Community. https://privacy.a4l.org/
³On the school-consent exception and COPPA: K-12 Dive, 2025. https://www.k12dive.com/news/ftc-finalizes-coppa-rule-children-data-privacy/738077/
