As adults, we all kind of have at least a vague peripheral sense that the devices and software we use are probably up to some kind of shenanigans with our personal data. Kids, however, are probably not thinking as closely about what they tell the devices they use, and what data those devices then share — especially if they’re school-owned tools. And yet, a new report finds, some of the learning technology schoolchildren are required to use every day are some of the worst when it comes to explaining and protecting users’ privacy.

The EFF’s new “Spying on Students” report [PDF] pulls together two years’ worth of research and data trying to find out whether educational technology (ed tech) companies are protecting students’ privacy. The answer is, unfortunately, largely not.

One third of all K-12 students are using school-issued ed tech devices, the EFF finds. About half are Chromebooks, and more than 30 million total students, teachers, and administrators are using Google’s education suite of software. And parents are being largely left in the dark.

The EFF surveyed parents to see if software was transparent about how it handled student privacy — and, in fact, if schools were being transparent with how they used software. In both cases, the answer was no.

“We were given no information about our first-grader receiving a tablet this year,” one parent responded. “And when we ask questions, there is little information given at every level.”

Teachers and students reported the same kind of, “surprise, you’re using this now” approach to technology in the classroom. 57% of parents the EFF surveyed said they were sure they had not received written disclosure of schools’ practices and policies about tech, and another 23% of parents said they didn’t know if they had or not. Together, that’s 80% of parents who have basically no idea what their children’s’ schools are doing with regard to technology.

Lack of awareness, however, is not to be conflated with lack of interest. Parents who answered the survey expressed concerns about what data was being collected on their kids and where it was going, but were unable to get answers.

One told the EFF, “They are collecting and storing data to be used against my child in the future, creating a profile before he can intellectually understand the consequences of his searches and digital behavior.”

Another echoed the sentiment, adding, “The school system does not even acknowledge that our child’s data is being collected and possibly sold.”

In total, survey respondents generated a list of 152 distinct programs and platforms being used for school. Of those:

• 118, or 77%, had a privacy policy posted online at all
• 78, or 51%, included a stated policy on data retention
• 46, or about 30%, said the vendor used encryption
• 51, again about a third, mentioned de-identification or aggregation of user data

Nor could parents easily opt out, either in theory or in practice.

The legal situation around students’ data is complicated, the EFF then explains. It’s basically a nexus where two other laws meet: FERPA, the Family Educational Rights And Privacy Act, and COPPA, the Children’s Online Privacy Protection Act.

FERPA forbids schools from sharing student information without parental consent, the EFF notes, but it has weaknesses. For one thing, it only applies to districts and schools that receive federal funding — so it would apply to kids in public school, but not most private schools.

For another: It only applies to certain types of data. That includes “education records” and personally identifiable information about a student. Usage history is also covered, unless the identifying information is stripped.

Here’s the challenge, though: While the law requires written parental consent to share students’ data with third parties, it has a big loophole for “third parties.” If any ed tech company is qualified as a “school official,” it can access your kid’s data. That has included Google and other companies that sell educational technology.

COPPA likewise requires parental consent from a company before it collects or shares data from children under 13. That right there rules out protections for your junior high and high school set, who are ages 14 and up.

However, for kids who are covered, the FTC is fairly clear on schools’ obligations, the EFF reports. The FTC’s guidelines are that if a service is going to use or disclose children’s personal information “for its own commercial purposes in addition to the provision of services to the school, it will need to obtain consent.” The school district cannot consent on behalf of a parent if advertising or user profiles are going to be involved.

But if parents aren’t even getting told what platforms and devices their kids are using, odds aren’t high that schools are providing them with proper opt-out opportunities, either.

Nor is industry self-regulation sufficient, the report adds. Many entities have signed the voluntary Student Privacy Pledge since 2014, but it has loopholes one could basically drive a school bus through. It doesn’t define terms like like “personally identifiable information” or “school service provider,” leaving gaping holes where a school could violate students’ privacy and yet still claim to comply.

“Our report shows that the surveillance culture begins in grade school, which threatens to normalize the next generation to a digital world in which users hand over data without question in return for free services—a world that is less private not just by default, but by design,” report co-author and EFF Researcher Gennie Gebhart said.

Gebhart added, “The data we collected on the experiences, perceptions, and concerns of stakeholders across the country sends a loud and clear message to ed tech companies and lawmakers: families are concerned about student privacy and want an end to spying on students.”

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.