PowerSchool, Chicago Public Schools to settle student data privacy lawsuit for $17 million

Summary

PowerSchool, its subsidiary Hobsons and Chicago Public Schools have agreed to pay a combined $17.25 million to settle a proposed class-action suit alleging unlawful eavesdropping and covert data collection of students using the Naviance platform. The settlement was filed with an Illinois federal court; PowerSchool denies liability under the proposed terms.

Key settlement terms include creation of a settlement fund to be split across more than 10 million potential class members (those who logged into Naviance between August 2021 and January 2026), establishment of a PowerSchool “web governance” committee, a two-year restriction on using third-party software or code in Naviance, requirements for vendors to delete class-member data, enhanced privacy disclosures, and annual vendor privacy-certification requirements from Chicago Public Schools.

Heap Inc., an analytics firm named in the original complaint, was dropped from the Illinois case and is now being sued separately in New York. The suit originally accused PowerSchool, Hobsons and Heap of covertly recording communications and collecting sensitive personal data from millions of students. The litigation began in August 2023.

The settlement follows broader scrutiny of PowerSchool after a January 2025 breach that exposed data for millions of students and teachers — including special education status, mental-health information and disciplinary notes — and generated multiple lawsuits over alleged weak cybersecurity practices.

Key Points

PowerSchool and Chicago Public Schools agree to a $17.25 million proposed settlement for a proposed class-action alleging unlawful eavesdropping and covert data collection.
More than 10 million potential class members (Naviance users from Aug 2021–Jan 2026) are eligible to share the fund.
Settlement mandates PowerSchool create a “web governance” committee and pause use of third-party software/code in Naviance for two years.
PowerSchool must direct vendors (including Heap) to delete class-member data and significantly improve privacy disclosures; Heap was removed from the Illinois case and faces separate litigation in New York.
Chicago Public Schools will require vendors to provide annual certifications of compliance with state and federal privacy laws.
The deal arrives amid fallout from PowerSchool’s Jan 2025 breach that exposed data for 62 million students and 9.5 million teachers and led to other lawsuits over cybersecurity practices.

Context and relevance

This settlement sits at the intersection of edtech growth and mounting privacy concerns. As schools adopt more SaaS platforms and analytics, regulators, parents and students are paying closer attention to how vendors collect, store and share sensitive pupil data. The case highlights recurring problems in the sector: opaque data practices, reliance on third-party analytics, and consequences when security fails. For administrators, vendors and policymakers, the terms — vendor deletion directives, governance committees and certification requirements — may become templates for future remedies or contractual protections.

Why should I read this?

Quick take: if you care about student privacy, school IT decisions, or the safety of edtech, this matters. The payout is large, millions of students are affected, and the settlement forces practical limits on how a major vendor uses third-party code and third-party data. It’s an example of where lawsuits, breaches and public pressure are pushing vendors to fix privacy holes — and it’s worth knowing what those fixes look like in practice.

Author’s take

Punchy: This isn’t just another settlement. It knits together a sharp privacy claim (alleged eavesdropping), a massive prior breach and concrete operational remedies — and that mix makes it more than a routine payout. Read the detail if you’re in education, privacy law, or edtech procurement; the settlement terms could shape contracts and audits going forward.

Source

Source: https://therecord.media/powerschool-cps-settle-proposed-class-action