For many school districts, ending a contract with an edtech vendor should be as simple as shutting down access and moving on. But as districts across the United States are discovering, breaking up with an edtech provider is far more complicated—and far riskier—than anyone expected. The challenge isn’t just losing a tool; it’s ensuring that sensitive student data is permanently deleted, verified, and protected long after the relationship ends.
When Florida administrator Kerri Wall attempted to offboard an edtech platform after a five-year contract, she didn’t anticipate months of unanswered emails and uncertainty. As the district’s designated student data privacy officer, she is legally responsible for confirming that the vendor deleted student names, grades, contact details, and guardian information. Yet by October, her repeated requests were met with silence. The danger? Without proper deletion, her district could face liability, compliance failures, and public safety concerns relating to exposed student data.
Her story is striking—but far from isolated.
Districts nationwide are reevaluating their edtech stacks amid budget tightening and growing privacy concerns. And as they do, they’re discovering a troubling reality: it’s often easier to sign a contract with an edtech vendor than to end one. Many vendors stop responding once a district ends a contract, leaving administrators in a dangerous limbo.
This emerging trend—known informally among tech leaders as “vendor ghosting”—is becoming a widespread challenge. Even districts with formal offboarding workflows report delays, incomplete data purges, and legal uncertainty. In Oregon, Beaverton School District’s CIO Steven Langford found that retiring a single tool takes an average of 72 days, far exceeding their contractual standard. Sometimes, he said, the biggest hurdle is simply finding the right person who actually controls the data.
But even when vendors respond, another, deeper issue emerges: How do you prove that deleted data is truly gone? Legal experts call this “proving a negative,” and the truth is unsettling. Many vendors admit they cannot certify that all backups, replications, or internal systems have fully erased student records. Others confuse “obfuscation” with deletion—masking data but not removing it.
This gap becomes even more hazardous when companies merge, collapse, or change ownership. Some districts discover years later that old student data is still stored on servers belonging to companies they no longer recognize.
Across multiple states, administrators report cases where sensitive student data from long-retired platforms was leaked or breached. One district suffered a breach involving a tool they hadn’t used in seven years—a stark reminder that data longevity is often out of the district’s control.
Experts say the solution starts with stronger contracts, clearer deletion clauses, and proactive planning. Every district should demand formal certificates of data destruction, something many vendors have never been asked to provide. They also emphasize reviewing privacy terms for even “free” tools—an often overlooked gateway for long-term data exposure.
But technology leaders warn that policy alone isn’t enough. Districts must remain vigilant, maintain clear communication channels, track tool usage, and monitor data retention standards as part of their ongoing responsibilities. Above all, they must approach vendor relationships with a mindset of trust but verify.
Conclusion: The rapid expansion of edtech has revolutionized learning, but it has also created a complex web of data risks that school districts are only beginning to untangle. As privacy regulations evolve and enforcement strengthens, the real test for edtech companies won’t be how much data they can collect—but whether they can responsibly delete it. For districts, breaking up with edtech may always be hard, but with stronger oversight and smarter contracts, it doesn’t have to be dangerous.
