1. Overview
In 2024, Internet Safety Labs (ISL) added 3rd parties observed in app network traffic to our app Safety Labels viewable in AppMicroscope.org. Recently, we reviewed the network traffic of the original 1541 apps, looking for data brokers and the results were clear: 16% apps that were recommended or required in schools were sending student data to registered data brokers. Every state (and District of Columbia) had at least three or more schools with apps communicating with data brokers. In total, 442 of the 663 (or 67%) studied schools had apps with data broker traffic.
Importantly, “registered” data brokers don’t count apps sending data to platforms destined for data brokers, nor does it include entities that should be registered data brokers but aren’t.
This report details our findings and analysis on Edtech apps observed communicating with data brokers, as well as our recommendations for educators and app developers.
1.1 The Inadequacy of “Data Broker” Legal Definitions
This analysis counts only registered data brokers found in either the California Data Broker Registry or the Vermont Data Broker Registry.1 Readers should be aware that the legal definition of “data broker” in the US fails to properly account for and hold responsible the full data supply chain feeding data brokers. Specifically, it fails to include:
- First parties who sell personal information, such as mobile carriers who were found as recently as last year to be selling some of the most sensitive of personal information, location data2.
- Entities who sell or share personal in bulk for marketing and advertising purposes, including identity resolution platforms (IDRPs) and customer data platforms (CDPs), both designed to ingest and synthesize personal data from a multitude of services/platforms
a. This also includes adtech entities including Supply Side Platforms (SSPs), ad exchanges, Demand Side Platforms (DSPs), and Data Management Platforms (DMPs). These entities aggregate personal data shared via the real-time bidding (RTB) messages (aka “bidstream”). Note that these entities figured prominently in the recent Gravy Analytics analysis3.
Thus, we must assume that the volume of student data making its way into data brokers is substantially larger than this analysis conveys.
1.2 Methodology
In 2022, ISL conducted a privacy audit on recommended and required technologies for students in a representative sample of K-12 schools across the US. In total, ISL examined 1541 mobile apps, including analysis of the network traffic between the app, the first party, and all third-party servers.
Next, ISL researchers determined the corporate owner of every subdomain that appeared in the network traffic collected for the apps.
Finally, we determined if the corporate owner was a registered data broker by matching against companies in the California and Vermont data broker registries; note that this reflects data broker registries as of 2024.
2. Findings
2.1 Overall
243 apps or 15.8% of tested apps sent data to registered data brokers. The 243 apps sending data to data brokers communicated with a shocking 6.7 data brokers on average. This means that when children use these apps, their information will be sent to several data brokers.
The top app categories sending data to data brokers were:
-
- News apps (77% of audited news apps)
-
- Reference apps (37%)
-
- Sports apps (32%), and
-
- Community Engagement Platform (CEP) apps (26%).
News, reference and sports apps are not surprising; news apps are known to be rife with adtech and martech. See Figure 7 for all category counts.
As noted in all three previously published findings reports, Community Engagement Platform apps were among the leakiest apps observed. The CEP developers with apps found to be communicating with data brokers are shown in Table 1.
| CEP App Developer | total # of apps | # apps with data broker traffic | % with data brokers |
| Apptegy | 129 | 16 | 12% |
| Filament Essential Services | 5 | 1 | 20% |
| Finalsite | 122 | 42 | 34% |
| Focus School Software | 6 | 1 | 17% |
| From NowOn | 4 | 1 | 25% |
| Heather Hanks | 2 | 2 | 100% |
| Intrado Corporation | 42 | 8 | 19% |
| Mascot Media | 10 | 2 | 20% |
| SchooInfoApp | 14 | 2 | 14% |
| SchoolPointe | 8 | 2 | 25% |
| Straxis | 2 | 1 | 50% |
Of the larger CEP developers (Apptegy, Finalsite, and Intrado), it’s clear that the apps’ configurability is influencing the presence of data brokers since not all of the apps were found to be communicating with data brokers. Finalsite, for example, provides an administrative dashboard that allows school districts to edit the URLs opened by the app. In 2021, ISL spoke with Blackboard (Anthology), then-owner of the Finalsite apps, and learned that the platform performed no checking on the domains entered by school administrators. We suggested that they add guardrails, checking for things like dangling or malicious domains, at a bare minimum. Finalsite acquired Anthology from Blackboard in September 2022.
The Palm Beach County School District Android app (a CEP app) by Intrado included the most data brokers, at a whopping 31. (See also the Safety Label for the app here: https://appmicroscope.org/app/1579/) The app is no longer available on the Google Play store.
Table 2 shows the five apps with the most data brokers from 2022 and from a recent retesting. Two of the apps have been removed from the store, but the other three are the same or worse with respect to the number of data brokers.
| App Name | Developer | # of Data Brokers (2022) | # of Data Brokers (2025) |
| Palm Beach County School District (Android) | Intrado Corp. | 31 | App removed from store |
| SBLive Sports (Android) | SB Live Sports | 27 | 28 |
| AllSides – Balanced News (iOS) | AllSides | 27 | 28 |
| Montgomery Public Schools (Android) | Finalsite | 27 | App removed from store |
| Westover Christian Academy (Android) | Apptegy | 25 | 34 |
2.2 EdTech
As discussed in Findings Report 1, the majority of apps from the benchmark weren’t strictly edtech apps; the benchmark included a surprising number of non-edtech, general use apps. Isolating edtech categories, we find that only 6 apps (2.0%) of the strictly edtech apps had observed traffic to data brokers. While this is substantially better than the overall sample rate, for these kinds of services, there should be no data brokers receiving data from the apps.
| Classroom Messaging Software (n = 30) |
Digital Learning Platform (n = 27) |
Safety Platform (n = 67) |
School Management Software (n = 61) |
Single Sign On (n = 5) |
Student Information System (n = 47) |
Study Tools (n = 28) |
Virtual Classroom Software (n = 12) |
Grand Total (n = 296) |
||||||||||
| # apps with data broker traffic | 1 | 3.3% | 0 | 0.0% | 0 | 0.0% | 3 | 4.9% | 0 | 0.0% | 1 | 2.1% | 0 | 0.0% | 1 | 8.3% | 6 | 2.0% |
The following are the EdTech apps communicating with data brokers:
- Classroom Messaging Software apps:
- FAMILIES | TalkingPoints (iOS)
- School Management Software apps:
- Choicelunch (Android)
- Choicelunch (iOS)
- WebMenus by ISITE Software (Android)
- Student Information System
- k12 (Android)
- Virtual Classroom Software
- ZOOM Cloud Meetings (Android)
2.3 Most Common Data Brokers
The three most frequently observed data brokers in the network traffic were PubMatic, LiveRamp, and Magnite (Table 4).
| Data Broker | # Apps in K12 Benchmark |
| PubMatic | 110 |
| LiveRamp | 100 |
| Magnite | 98 |
| Lotame | 78 |
| OpenX | 78 |
| Freewheel | 76 |
| Taboola | 72 |
| Oracle | 71 |
| Nielsen Marketing | 69 |
| Tapad | 65 |
| LiveIntent | 59 |
| ID5 | 58 |
| Neustar | 57 |
| PulsePoint | 50 |
| Outbrain | 45 |
| StackAdapt | 45 |
| Merkle Marketing | 42 |
| Media.net | 41 |
| Intent IQ | 38 |
| 33Across | 29 |
| Wunderkind | 29 |
| BounceX | 24 |
| GumGum | 24 |
| Zeta Global | 22 |
| Bombora | 21 |
2.4 State-based Observations
Data brokers were found in apps in every state and the District of Columbia. That is, every state sample of 13 schools had at least one school with at least one app with data broker traffic. Figure 1 shows how many schools from the 2022 benchmark had apps that were sending traffic to data brokers. 13 schools were sampled in each state, so the heatmap reflects up to 100% (i.e. all 13 schools) having apps with traffic to data brokers. Texas, Wisconsin and Louisiana each had apps with data brokers in all 13 studied schools.
Figure 1: Number of schools in state sample with at least one app with data broker traffic (13 schools max per state)
Figure 2 shows the total number of apps with data broker traffic for each state sample of 13 schools. The states with the most apps with data broker traffic were Maryland, Kansas, and Minnesota.
Figure 2: Total number of apps with data broker traffic
We hypothesize that the likelihood of apps with data broker traffic is mainly related to the sampled schools’ propensity to recommend a higher number of technologies to students. The correlation between the number apps with data brokers and the total number of apps was moderately strong at .69. Figure 3, the heatmap showing the total number of apps recommended by the 13 sampled schools in each state, indeed shows similarities (Texas, Minnesota, Wisconsin and Maryland, in particular).
Figure 3: Total number of apps per state
We were interested to see if there was any obvious correlation between state privacy laws and the number of data brokers observed. Figure 4 shows states with student data privacy laws. Indeed, three of the nine states that don’t have student data laws, Minnesota, Wisconsin, and Maryland, each had high numbers of apps with data broker traffic, and all 13 schools in Wisconsin had apps with data broker traffic. While inconclusive with respect to causation, the correlation warrants future study. It’s also possible that the absence of a state student data privacy law encourages a higher number of technologies being recommended to students in schools.
Figure 4: States with student data privacy laws
https://studentprivacycompass.org/state-laws/
There was no obvious correlation between states with children’s privacy laws and the number of apps with data broker traffic (Figure 5).
Figure 5: States with children’s privacy laws
https://www.huschblackwell.com/2024-state-childrens-privacy-law-tracker
3. Recommendations
-
- 1) App developers: Apps or websites used by children should never send data to data brokers. They should also not send user data to customer data repositories
-
- a) Community Engagement Platform App Developers
- ISL is calling on the community engagement app developers shown in Table 1 to immediately update all of their apps to remove all data brokers.
- We also call upon CEP app developers to install better guardrails in the administrative portal, minimally performing automated checking for dangling and malicious domains. Ideally, also disallowing or flagging any commercial sites with trackers (like MaxPreps), alerting school administrators of the risks of such sites with respect to student data sharing.
- ISL recommends that schools not use CEP apps until they have demonstrated significant improvement in dangerous data sharing.
- a) Community Engagement Platform App Developers
-
- 2) Schools, Educators, and Concerned Parents: While it’s 100% the responsibility of the app developer to ensure that their apps and websites are safe for children, schools may need to be the ones demanding removal of data brokers. To help you do this, we’ve updated our app safety labels to clearly identify the number of data brokers in the app (Figure 6). Educators, school IT personnel and concerned parents can look up the app safety label for any app that they’re recommending to students. If it includes data brokers, stay away from the app.
- Can’t find your app? Contact us and we’ll be happy to audit a new app or re-audit an existing app.
- 1) App developers: Apps or websites used by children should never send data to data brokers. They should also not send user data to customer data repositories
Figure 6: Updated app safety label https://appmicroscope.org/app/1579/
Figure 7: Apps with data broker traffic by app category
| State | # of schools in state with at least one app with data broker traffic (13 schools sampled per state) | % of schools in state using at least one app with data broker traffic | total # apps with data broker traffic | total # unique apps | State children’s privacy law? | State Student Data Privacy Law? |
|---|---|---|---|---|---|---|
| Alabama | 10 | 77% | 22 | 15 | ||
| Alaska | 3 | 23% | 5 | 5 | ||
| Arizona | 6 | 46% | 8 | 7 | Y | |
| Arkansas | 11 | 85% | 21 | 13 | Y | |
| California | 9 | 69% | 14 | 12 | Y | Y |
| Colorado | 5 | 38% | 7 | 5 | Y | Y |
| Connecticut | 12 | 92% | 30 | 17 | Y | Y |
| Delaware | 11 | 85% | 28 | 13 | Y | |
| Washington, D.C. | 9 | 69% | 18 | 6 | Y | |
| Florida | 9 | 69% | 36 | 23 | Y | Y |
| Georgia | 12 | 92% | 30 | 16 | Y | |
| Hawaii | 4 | 31% | 6 | 5 | Y | |
| Idaho | 7 | 54% | 10 | 6 | Y | |
| Illinois | 9 | 69% | 24 | 14 | ||
| Indiana | 9 | 69% | 25 | 13 | P | Y |
| Iowa | 5 | 38% | 18 | 18 | Y | |
| Kansas | 12 | 92% | 39 | 24 | Y | |
| Kentucky | 8 | 62% | 21 | 16 | Y | |
| Louisiana | 13 | 100% | 27 | 9 | Y | |
| Maine | 11 | 85% | 26 | 14 | Y | |
| Maryland | 11 | 85% | 47 | 28 | Y | |
| Massachusetts | 11 | 85% | 27 | 10 | Y | |
| Michigan | 9 | 69% | 21 | 11 | Y | |
| Minnesota | 9 | 69% | 39 | 23 | ||
| Mississippi | 10 | 77% | 24 | 17 | Y | |
| Missouri | 8 | 62% | 34 | 23 | Y | |
| Montana | 10 | 77% | 17 | 12 | Y | |
| Nebraska | 9 | 69% | 20 | 17 | Y | |
| Nevada | 4 | 31% | 7 | 6 | Y | |
| New Hampshire | 11 | 85% | 18 | 5 | Y | |
| New Jersey | 9 | 69% | 17 | 11 | ||
| New Mexico | 3 | 23% | 3 | 3 | Y | |
| New York | 6 | 46% | 12 | 6 | Y | Y |
| North Carolina | 7 | 54% | 9 | 4 | Y | |
| North Dakota | 8 | 62% | 24 | 19 | ||
| Ohio | 7 | 54% | 14 | 10 | Y | |
| Oklahoma | 10 | 77% | 26 | 12 | Y | |
| Oregon | 5 | 38% | 6 | 3 | ||
| Pennsylvania | 8 | 62% | 11 | 8 | Y | |
| Rhode Island | 12 | 92% | 29 | 10 | Y | |
| South Carolina | 10 | 77% | 15 | 4 | Y | |
| South Dakota | 8 | 62% | 23 | 17 | Y | |
| Tennessee | 11 | 85% | 28 | 16 | P | Y |
| Texas | 13 | 100% | 34 | 15 | Y | |
| Utah | 7 | 54% | 9 | 5 | Y | Y |
| Vermont | 11 | 85% | 15 | 6 | Y | |
| Virginia | 8 | 62% | 18 | 13 | Y | Y |
| Washington | 3 | 23% | 4 | 4 | Y | |
| West Virginia | 9 | 69% | 18 | 14 | Y | |
| Wisconsin | 13 | 100% | 36 | 15 | ||
| Wyoming | 7 | 54% | 9 | 5 | Y |
Footnotes:
- ISL is updating the database with both Texas and Oregon data broker registries.
- https://www.fcc.gov/document/fcc-fines-largest-wireless-carriers-sharing-location-data.
- https://www.wired.com/story/gravy-location-data-app-leak-rtb/.