Rebecca Koenig Interim Senior Editorial Director | EdSurge Research
When the School District of Indian River County in Florida decided not to renew its contract with an educational technology company, Kerri Wall, the district’s senior digital innovation administrator and student data privacy officer, found herself facing new challenges. After the contract ended, Wall was responsible for ensuring that all student and parent data had been deleted from the vendor’s systems. Despite assurances from her sales contact that she would be connected with engineering support within two weeks, months passed without confirmation.
Wall explained that this delay created a compliance risk. She is personally responsible for student data security under state law and could not confirm whether names, cellphone numbers, grades, and guardian details had been purged as required by federal regulations like FERPA (Family Educational Rights and Privacy Act) and state laws such as California’s SOPIPA (Student Online Personal Information Protection Act), Ohio SB29’s 90-day deletion rule, and Florida’s own privacy statutes.
“I worry this could open us up to liability,” says Wall. “A year from now, we might have lost access to the platform. If the company hasn’t supplied the historical communication file, how do we comply with public record requests, and does that put me at risk professionally?”
Wall's experience reflects a broader problem faced by school districts nationwide as they review their edtech tools due to budget constraints and privacy concerns. Many administrators report that when contracts end, vendors often stop responding or supporting offboarding efforts.
Steven Langford, chief information officer for Beaverton School District in Oregon, said his district has formalized its process for ending vendor relationships after finding inconsistent engagement from companies. Since February, Beaverton has retired 59 digital tools—often exceeding their contractual 60-day requirement for closure because it is difficult to reach someone accountable for data deletion.
“Sometimes it’s hard to get the right person,” he says. “Maybe one vendor signed the contract, but another one holds the data. The challenge is getting anyone to engage.”
Even when vendors respond promptly, districts struggle to verify that data has truly been deleted. Stacy Hawthorne of Learn21 recalled a Colorado district questioning how a vendor could guarantee deletion; legal representatives admitted they couldn’t prove a negative outcome.
Laura Pollak of Nassau BOCES in New York reported finding vendors retaining unencrypted student information long after contracts expired—including trial users who never became customers. “Some people think obfuscation is deletion,” says Pollak. “Maybe they can’t delete data because their systems are shared with other clients, making it impossible.”
Todd Borland of Tulsa Union School District in Oklahoma tries to test deletions using dummy files but admits full certainty isn’t possible: “At some point we’re taking their word… If they have a backup, they could still have our data.” He added: “We’re stewards of our kids’ data. If it could get compromised, that’s not OK.”
Complications also arise when companies are sold or acquired during or after contracts expire. Borland recounted situations where new owners automatically renewed agreements without understanding prior commitments or privacy standards.
Melissa Tebbenkamp experienced a breach involving an unused product years after her district stopped using it: “Why did they still have my data?” This led her to design more rigorous offboarding processes but noted reliance on trust remains high: “We just have to trust they’re doing what they’re supposed to do contractually.” She stressed contract language is essential: “A contract is not for when things are good but for when they aren’t. Lean on the language to make it right.”
Pollak advised requesting official certification of destruction—a step many districts don’t realize is possible while contractors may not expect such requests either.
Jun Kim of Moore Public Schools emphasized clear communication during transitions: “Tell me what’s broken and let me work through it… Do not ghost me.” Experts suggest negotiating strong privacy agreements before starting partnerships; however many low-cost or free tools used by teachers bypass legal review altogether—creating further gaps in oversight.
Langford's team now integrates communication throughout its offboarding workflow by alerting teachers early about changes and publicly tracking retired software lists for families' awareness.
He acknowledged balancing policy requirements with practical realities: “We have to keep working with vendors to explain what software is in use…that those data elements are removed when they're no longer needed.”
Florida law required Wall to certify proper disposal within 90 days—a deadline missed due largely to lack of response from her former vendor despite repeated outreach attempts over several months.
“It’s frustrating that I wasn’t offered the chance to speak with anyone higher up,” she says. “I shouldn’t have to work so hard for a company we had a five-year history with.”
After EdSurge contacted the vendor in October about Wall's situation, she received an apology within one day along with an explanation—the request required manual export delayed by seasonal workload—and confirmation follow-up began immediately.
Advocates argue these issues highlight need for stronger accountability measures such as standardized certifications for deletions and clearer federal guidance on retention timelines post-contract termination as schools increasingly rely on digital platforms which collect vast amounts of sensitive information.
The rapid adoption of edtech tools has made management of student records more complex than ever before—and raised questions about how responsibly companies handle personal information once contracts end.
Alerts Sign-up