On March 27, 2025, a class action lawsuit was filed against the education technology (EdTech) company Instructure, the parent company of Canvas, a popular learning management system. The complaint alleges that Instructure violated children’s federal and state privacy rights. According to the complaint, Instructure states that it collects various account information about children, including name, gender/pronouns, academic institution and student ID, as well as profile pictures. Instructure also reportedly collects student activity data, such as messages, discussion comments, test results and grades, search activity, and user-submitted content. User-submitted content includes uploaded files, such as essays, research reports, photo/video media, and creative writing. The complaint asserts that this amount of data surpasses what is traditionally considered an education record and allows Instructure to “build dynamic, robust, and intimate dossiers of children.”

Let’s dive deeper into various allegations within the complaint and consider several themes.

Words matter

According to the complaint, Instructure’s terms state that it uses and discloses student information to, among other purposes, personalize the user experience, analyze trends, and track users’ movements around products. Specifically, the plaintiffs claim that some of Instructure’s platforms are designed to assist colleges and employers with recruitment by providing them access to data-derived student “insights.”

Companies should consider whether their uses and disclosures pertaining to personal information are transparent. If data may be used for marketing or advertising purposes, that should be clear to the consumer. If the data may be used in other related contexts, policies and terms should also make that clear. Vague words could lead to allegations of misleading statements. 

The complaint also compiles various statements by Instructure and its officers regarding the organization’s data practices, including the Data Protection Officer’s statement that “privacy standards are embedded in our corporate DNA” and that Instructure’s privacy approach is “built upon five key principles: transparency, accountability, integrity, security, and confidentiality.”

Companies should be able to back up their statements about privacy practices with their actual privacy approach, or such publicly made statements could be used against them in litigation.

Clarity of third-party access

The complaint asserts that Instructure uses an application programming interface (API) to allow third-party developers to build integrations through Instructure’s product suite. An API allows software applications to communicate and exchange data. According to the plaintiffs, Instructure’s Live Event API enables third parties to “access granular, child-specific information, such as time taken to finish a test, when a student submits a test, how long a child uses a product at a time, ‘common patterns’ among a child’s product usage, [and] what assignments are most challenging.” Furthermore, the product-specific Canvas API reportedly allows third parties to access data relating to user communications and group discussions, quiz submissions, and grades.

The average consumer does not understand “API” or “live event,” and does not know how an API transfers information, even if a company discloses its API use. Companies should make clear, in plain language, the nature and extent of information they share with partner institutions to avoid unauthorized disclosure claims.

Reasonably understandable information and informed consent

The plaintiffs assert that users of Instructure products cannot provide informed consent because a reasonable person would not know what they were consenting to in agreeing to use these products. The complaint lists 19 separate policies on Instructure’s data practices available on its website – including terms of use, privacy notice, and acceptable use policy – noting that “information relating to Instructure’s data practices and those of its third-party partners are scattered across its sprawling website and others’ websites.”

Companies may consider making their website terms of use and related agreements more understandable and accessible to the average consumer of that product/service to minimize the risk of “no consent” claims. For example, consumers in states with opt-out rights should easily be able to access information to exercise those rights. Providing numerous forms across varying locations could leave room for allegations that the company hid the ball regarding privacy. 

Evolving role of EdTech

Among other state law claims, the complaint sets forth claims under the Fourth and 14th Amendments to the U.S. Constitution. Though claims of constitutional violations can only be brought against government entities, plaintiffs allege that Instructure is authorized to “perform a function that is traditionally and exclusively a public function performed by the government, namely, the collection and management of public-school-related data, including education records and other student information,” thereby making the company subject to constitutional requirements as a “state actor.” When our parents and grandparents went to school, digital access to student information with the click of a button did not exist. The digital transformation has allowed public and private entities to outsource various functions to third-party technology companies. In the state actor context, this evolution of roles poses an interesting question of where to draw the line on whether private technology companies themselves should become subject to the same regulations imposed on public actors in the interest of protecting fundamental rights.
