Keystone Oaks Fails to Audit Third-Party App Compliance | The Locally Times
The district's student privacy plan relies on publishing vendor policies but includes no documented process for auditing the third-party apps students are authorized to use.
An April 22, 2026, notice from the Keystone Oaks School District outlines a plan to meet federal student privacy rules by publicizing vendor information rather than auditing their practices. The district states its goal is to achieve full compliance with the Children’s Online Privacy Protection Rule (COPPA) by publishing an online list of approved digital tools and linking to each company’s privacy policy. COPPA requires online services for children under 13 to be clear about data collection and obtain parental consent. The district presents this searchable list as its primary method for families to review how student information is protected. ## District Shifts Audit Burden to Families The district’s plan for COPPA compliance contains no documented process for auditing or independently verifying that third-party applications adhere to their own privacy policies or federal law. This approach places the responsibility of reviewing vendor policies on families. While the district’s notice acknowledges a duty to be transparent about student app usage and data handling, the provided documents show no evidence of a district-led verification system. The plan focuses on providing transparency about vendor claims rather than on the district verifying those claims before approving applications for student use. ## Unspecified Apps Authorized by Administrators District documents confirm students use Google Workspace for Education, which includes core services like Gmail and Classroom, as well as what Google terms additional services like YouTube and Google Maps. The district’s April 22 notice also states that students can access other third-party services through their Google accounts. According to the notice, school administrators authorize student access to these services. However, the public record does not identify these applications by name or detail the criteria administrators use for approval. A source document from the district is incomplete, ending mid-sentence after noting that an administrator authorizes access, leaving the scope of this authority undefined. ## Parental Consent and Compliance Metrics Undefined The district’s public notice does not explain how it obtains and manages parental consent for third-party applications, a central requirement of COPPA. While the district set a goal of achieving full compliance by its April 22, 2026, deadline, the notice does not define the metrics for measuring this status. The public record also does not specify what, if any, audit procedures are in place to ensure the ongoing safety of student data across the digital tools used in the district.