Hidden Dangers in Terms of Service: Why One-and-Done Reviews Are Dangerous
I’ve been speaking a lot over the last month, with a focus on governance and helping organizations prepare for a future with AI.
One recent event - the AI Empowered EDU conference - underscored the need for educators and software providers to better understand governance.
Teachers in the audience gasped out loud when I told them some of the stats below. They work so hard to protect student privacy, and hearing that some vendors shared student PII liberally blew them away.
What schools don't know about vendor agreements could destroy student privacy — and those agreements can change while we sleep
The Set-It-and-Forget-It Trap
Picture this scenario: Your district's legal team spent weeks reviewing an educational platform's Terms of Service (TOS) in June. They gave it the green light, teachers started using it in August, and everyone moved on. But by December, that same "approved" platform has quietly updated its terms three times, each change eroding student privacy protections.
This isn't hypothetical—it's happening right now in schools across the country.
Three Horsemen of TOS Disasters
After years of exploring educational technology contracts and updating governance frameworks for AI, we've identified three critical vulnerabilities that appear repeatedly. These aren't edge cases—they've been industry norms that put student data at risk every single day.
1. The Ownership Transfer Trap
Let me show you actual language from one platform's Terms of Service (anonymized for this article):
"By submitting User Submissions, you hereby grant [Company] a worldwide, non-exclusive, perpetual, royalty-free, fully paid, sub-licensable and transferable license to use, edit, modify, truncate, aggregate, reproduce, distribute, prepare derivative works of, display, perform, and otherwise fully exploit the User Submissions..."
Read that again. Every essay, every creative project, every assessment response—the company now has perpetual rights to "fully exploit" them. And here's what makes this particularly insidious: this language often appears in updates, not in the original agreement schools reviewed.
2. The Silent Third-Party Shuffle
The second vulnerability involves third-party data sharing provisions that expand over time. Initial terms might list three data processors. Six months later, that list has grown to fifteen, including analytics companies, AI training datasets, and offshore processing centers. Without regular review, schools never know their students' data has taken a world tour.
Recent analysis shows that educational platforms increasingly add AI training provisions to their terms post-launch. What starts as a “secure testing platform” can transform into an AI training dataset through a simple TOS update—often occurring 90 days after schools have completed their initial review.
3. The Access Control Shell Game
The PowerSchool breach perfectly exemplifies this third vulnerability. Access control provisions in Terms of Service often start strong but weaken over time. What begins as “multi-factor authentication required” can quietly become “reasonable security measures” in a seemingly innocuous update.
We've seen vendors change from “encrypted at rest and in transit” — language that satisfies NIST, FERPA and other security frameworks — to “industry-standard security practices,” a meaningless phrase that provides no actual protection guarantee. These downgrades happen through TOS updates that schools (and any organization) can miss when they're not regularly reviewing agreements.
Why Regular Review Isn't Optional—It's Essential
Here's an uncomfortable truth: Terms of Service are living, legal documents designed to benefit vendors, not schools. Unlike negotiated contracts, click-through agreements can change with minimal notice. The Department of Education's guidance specifically warns against provisions allowing vendors to modify terms without explicit consent — yet that remains a common practice.
The 90-Day Reality Check
Based on our work with more than 800 schools around the US (and, by the way, with hundreds of businesses around the globe), here's what typically happens in the first 90 days after anyone adopts new technology:
Day 1-30: Honeymoon phase. Everyone's excited about the new tool.
Day 31-60: First TOS update notification (usually buried in an email).
Day 61-90: Material changes take effect, often including expanded data use rights.
Day 91+: Schools, businesses and organizations of every kind operate under new terms they've never reviewed.
Building Your Defense: The Quarterly Review Protocol
Regular TOS review isn't about paranoia — it's about professional responsibility. Here's a practical framework we recommend (AI can help produce the quick-scan summaries, but a human confirms every finding; and if you need help, we're here for you):
Monthly Quick Scans (15 minutes per vendor):
Check vendor websites for TOS update notices
Review any vendor emails for buried change notifications
Flag any updates for deeper review
Quarterly Deep Dives (2 hours per major vendor):
Line-by-line comparison with previous TOS version
Focus on the "Big Three" vulnerability areas
Document all changes, no matter how minor
Assess impact on FERPA/COPPA compliance
Annual Comprehensive Audits:
Full legal review of all vendor agreements
Renegotiation of problematic terms where possible
Sunset review—do we still need this tool?
The Governance Reality Check
I often hear, 'We don't have time for quarterly reviews.' Our response? You don't have time NOT to do them. The PowerSchool breach alone affected 60 million students. With 80% of K-12 schools targeted by ransomware — higher than any other surveyed industry — the costs are staggering.
Moreover, regular review isn't just about catching bad changes — it's about building institutional knowledge. When your team regularly engages with these documents, they develop an intuition for ferreting out problematic language. They start asking vendors the right questions before signing up, building a culture of privacy protection.
Red Flags That Demand Immediate Action
During your reviews, the following changes should trigger immediate escalation:
Any modification to data ownership or licensing rights
Addition of new third-party processors or partners
Changes from specific security requirements to vague standards
Expansion of data use beyond educational purposes
Removal of data deletion or return provisions
Changes to breach notification timelines
Addition of arbitration or liability limitations
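One way to run the monthly quick scan and the quarterly line-by-line comparison from the protocol above against this red-flag list, as an added example that is not part of the original article: the two TOS snapshots, the vendor names and the phrase patterns are constructed for illustration, and the categories map to the red flags listed above.

```python
import difflib
import hashlib
import re

# Constructed snapshots of one vendor's TOS: the copy approved at adoption and
# the copy fetched at the next quarterly review (illustrative, not a real vendor).
OLD_TOS = """Section 4. Security.
All student data is encrypted at rest and in transit.
Multi-factor authentication is required for all administrative accounts.
Section 5. Data Processors.
We share data with: HostingCo, EmailCo.
"""
NEW_TOS = """Section 4. Security.
We apply industry-standard security practices to student data.
Section 5. Data Processors.
We share data with: HostingCo, EmailCo, AnalyticsCo.
Section 6. User Submissions.
You grant us a perpetual, sub-licensable and transferable license to User Submissions.
"""

# Red-flag categories from the checklist above. Each pattern lists phrases that deserve
# a human look whether added (a vague standard) or removed (a specific control).
RED_FLAGS = {
    "ownership/licensing": r"\b(licen[cs]e|sub-licensable|transferable|perpetual|derivative works|exploit)\b",
    "third-party sharing": r"\b(third[- ]part(y|ies)|share\w*|(sub-?)?processors?|partners?|affiliates?|training (data|dataset))\b",
    "security language": r"\b(encrypt\w*|multi-factor|at rest|in transit|reasonable security|industry[- ]standard|commercially reasonable)\b",
    "deletion/return": r"\b(delet(e|ed|ion)|return of data|retention)\b",
    "breach notification": r"\b(breach|notif(y|ied|ication))\b",
    "arbitration/liability": r"\b(arbitration|limitation of liability|class action)\b",
}

def fingerprint(text: str) -> str:
    """Monthly quick scan: hash of case/whitespace-normalised text, so reflows don't alert but wording changes do."""
    normalised = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(normalised.encode()).hexdigest()

def diff_tos(old: str, new: str):
    """Quarterly deep dive: line-by-line comparison; returns (change, line, categories) per added/removed line."""
    findings = []
    for line in difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")) or line[0] not in "+-":
            continue  # skip file headers, hunk markers and (with n=0, absent) context lines
        text = line[1:].strip()
        cats = [c for c, pat in RED_FLAGS.items() if re.search(pat, text, re.IGNORECASE)]
        findings.append((line[0], text, cats))
    return findings

def escalations(findings):
    """Changes touching a red-flag category; the rest is documented but not escalated."""
    return [f for f in findings if f[2]]
```

Fetching the live TOS page and storing the approved snapshot are left to the reviewer's existing tooling; the flagged lines are a starting point for the human reviewer, not a compliance verdict.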
Your Next Steps
Terms of Service review isn't a one-person job—it requires a team approach. Here's how to start:
This Week: Inventory all educational technology currently in use. You'll likely find 30-50% more than you expect.
Next Month: Establish your review team—include IT, legal/compliance, curriculum, and teaching representatives.
Within 90 Days: Complete your first quarterly review cycle. Document everything.
Ongoing: Build TOS reviews into your standard governance practices, just like budget reviews or safety drills.
The Bottom Line
That innocent-looking Terms of Service update notification in your inbox? It could be the difference between protecting student privacy and enabling its distribution. In the world of educational technology governance, vigilance isn't optional—it's essential.
Remember: vendors update their terms to benefit their business model. Your job is to ensure those updates don't compromise your students' privacy. Regular review is your first and best defense against the gradual erosion of protection.
Because when it comes to student data, what you don't know absolutely can hurt you — and the students you're sworn to protect.
If you need support in protecting your students’ data, we are here to help. We can facilitate your baseline TOS review (or do it for you). And we can train leaders and teams to build TOS reviews in regularly.
We need to handle AI on our terms: safely, responsibly and with an awareness of the risks and rewards of using technology in every organization. Including schools.
Resources from AIGG on your AI Journey
Is your organization ready to navigate the complexities of AI with confidence?
At AIGG, we understand that adopting AI isn’t just about the technology—it’s about doing so responsibly, ethically, and with a focus on protecting privacy. We’ve been through business transformations before, and we’re here to guide you every step of the way.
Whether you’re a government agency, school district, or business, our team of experts—including attorneys, anthropologists, data scientists, and business leaders—can help you craft Strategic AI Use Statements that align with your goals and values. We’ll also equip you with the knowledge and tools to build your TOS review playbooks, guidelines, and guardrails as you embrace AI.
Don’t leave your AI journey to chance.
Connect with us today for your free AI Tools Adoption Checklist, Legal and Operational Issues List, and HR Handbook policy. Or, schedule a bespoke workshop to ensure your organization makes AI work safely and advantageously for you.
Your next step is simple—reach out and start your journey towards safe, strategic AI adoption with AIGG.