Breaking Up With Edtech Is Hard to Do


When Kerri Wall’s school district decided not to renew its five-year contract with an edtech company last spring, she didn’t expect the hardest part to come after the breakup.

As the senior digital innovation administrator for the School District of Indian River County in Florida — and designated student data privacy officer — Wall needed to confirm that the vendor had deleted student and parent information from its systems. Her sales contact promised to connect her with engineering “in two weeks.” That was in July.

The silence isn’t just frustrating. It’s risky. Wall signed a document with the Florida Department of Education making her personally responsible for ensuring that student data remains secure. By October, she still had no confirmation that the company had purged personally identifiable information such as names, cellphone numbers, grades and guardian details.

Data offboarding isn’t just a matter of courtesy; it’s a matter of compliance. Federal laws like FERPA (Family Educational Rights and Privacy Act) require schools to protect the confidentiality of student records, while state-level regulations such as California’s SOPIPA (Student Online Personal Information Protection Act), Ohio SB29’s 90-day data deletion requirement and Florida’s student data privacy laws set additional expectations for deletion and security.

“I worry this could open us up to liability,” says Wall. “A year from now, we might have lost access to the platform. If the company hasn’t supplied the historical communication file, how do we comply with public record requests, and does that put me at risk professionally?”

Wall’s experience is far from unique. Across the country, districts are scrutinizing their edtech portfolios — motivated by budget cuts, privacy concerns and the need to streamline. Yet many are discovering that ending a relationship with a vendor can be harder than starting one.

The Ghosting Problem

When contracts end, vendor support often vanishes.

Years ago, Wall tried to sunset a behavioral management platform, but her contact stopped responding when she mentioned switching products.

“At the end of the day, I’m still the customer,” she says. “I might even come back in a few years when you’ve worked out the bugs. Treat me professionally.”

Steven Langford, chief information officer (CIO) for Beaverton School District in Oregon, has formalized his “breakup” process because vendor engagement is so inconsistent. Since February, his district has retired 59 tools, taking an average of 72 days — longer than the 60-day contractual requirement.

“Sometimes it’s hard to get the right person,” he says. “Maybe one vendor signed the contract, but another one holds the data. The challenge is getting anyone to engage.”

Proving a Negative

Even when vendors respond, districts face a deeper dilemma: How do you prove that data no longer exists?

Stacy Hawthorne, chief academic officer at Learn21 and board chair of the Consortium for School Networking (CoSN), recalls a Colorado district asking how a vendor could guarantee deletion. The vendor’s legal team admitted: “We don’t know. You’re proving a negative.”

Laura Pollak, supervisor of NASTECH data privacy and security service at Nassau BOCES in New York, says her team has uncovered vendors holding on to unencrypted student data long after contracts ended, including information from trial users who never became customers.

“Some people think obfuscation is deletion,” says Pollak. “Maybe they can’t delete data because their systems are shared with other clients, making it impossible.”

Todd Borland, executive director of technology for Tulsa Union School District in Oklahoma, tries to verify deletions by sending files with dummy variables. “We’ll go from 15,000 students to two kids,” he says. “But at some point, we’re taking their word. If they have a backup, they could still have our data.”

The uncertainty unnerves him. “We’re stewards of our kids’ data. If it could get compromised, that’s not OK.”

When Contracts Fail

Things get even messier when companies are sold. Borland recalls having contracts automatically renewed by a new owner who didn’t understand the prior agreement — or the district’s privacy standards. “The new company may have no idea what we’ve done. It’s a nightmare,” he says.

Melissa Tebbenkamp, an independent consultant and former CIO, experienced a data breach involving a product her district hadn’t used in seven years.

“Why did they still have my data?” she asks.

That incident prompted her to design a formal offboarding process. Still, she admits, “We just have to trust they’re doing what they’re supposed to do contractually.”

That trust, she emphasizes, makes the contract language critical. “A contract is not for when things are good but for when they aren’t. Lean on the language to make it right.”

The Better Breakup

Pollak once requested official certification of data destruction and discovered the vendor had never received such a request before. “Districts don’t know they can ask, and contractors don’t know they should issue it.”

Her advice: Read the deletion terms carefully. “We all assume that by terminating the contract that means it’s getting done, but it doesn’t,” she says. In one case, her team discovered that deletion requests had to be submitted through a portal they could no longer access. (Eventually, the company had to accept the request via email.)

Jun Kim, director of technology for Moore Public Schools in Oklahoma, believes clear communication is the best protection. His top breakup trigger is when companies go silent about product issues. “Tell me what’s broken and let me work through it,” he says. “Do not ghost me.”

Experts agree that prevention starts before the partnership begins. Hawthorne calls it the golden rule: “Get a data privacy agreement in advance. You’ll have leverage if they don’t destroy your data.”

Yet Tebbenkamp notes that many districts skip legal review for low-cost or free tools. “Teachers signing up for free products do not get reviewed,” she says. “That’s a gap we can’t ignore.”

Trust, But Verify

Langford’s team in Beaverton has built communication into every step of its offboarding workflow. They alert teachers early, track tool usage, and make the list of retired software public for families.

He wants to see most closures meet the 60-day standard but acknowledges the human side. “We have to keep working with vendors to explain what software is in use, which data fields are being held, and that those data elements are removed when they’re no longer needed.”

For Wall, the stakes are more than procedural. Florida law requires her to certify proper data disposal within 90 days. That deadline passed months ago with the vendor she has been dealing with, through no fault of her own.

“It’s frustrating that I wasn’t offered the chance to speak with anyone higher up,” she says. “I shouldn’t have to work so hard for a company we had a five-year history with.”

After EdSurge contacted the vendor in October, a company representative responded within a day, apologizing for the delay. They explained that Wall’s request required a manual export delayed by the back-to-school season, and said the company was following up with her to resolve the issue. But the experience, she says, has permanently changed how she views vendor relationships.

What the Law — and the Future — Require

Enforcement often lags behind technology, leaving districts to interpret and shoulder the risk themselves.

As the number of digital tools used in schools continues to grow, so does the volume of student data crossing private servers. Advocates are calling for stronger vendor accountability, standardized data deletion certifications, and federal guidance on how long vendors can retain student information after contracts end.

The edtech boom transformed how schools teach and track students, but it also left a trail of digital fingerprints few can erase. As the next wave of privacy regulations takes shape, the real test for the industry isn’t how much data it can collect, but how responsibly it can let go.


