In First Use of Student Privacy Laws, 3 AGs Announce $5.1 Million Settlement With Education Tech Firm

Overview of the Settlement

On November 6, 2025, Attorneys General from California, Connecticut, and New York announced a landmark $5.1 million multistate settlement with Illuminate Education, Inc. (“Illuminate”), a leading provider of K-12 educational assessment and data analytics software. This agreement resolves allegations that Illuminate failed to implement adequate data security measures, leading to major breaches in late 2021 and early 2022 that exposed the personal information of over 5 million students and educators across the U.S. The case marks the first-ever enforcement actions under Connecticut’s Student Data Privacy Law and California’s K-12 Pupil Online Personal Information Protection Act, underscoring a growing emphasis on protecting sensitive student data in the ed-tech sector. The attorneys general hailed the settlement as a “strong message” to ed-tech companies about their privacy obligations, with California AG Rob Bonta emphasizing that “California law imposes heightened obligations for companies to secure children’s information.”

The breaches affected approximately 3 million California students (including 434,000 with sensitive data), 1.7 million New York students across 750 schools, and 28,610 Connecticut students. Illuminate, a subsidiary of Renaissance Learning, Inc., provides tools for student assessments, progress tracking, and instructional planning used in thousands of schools nationwide.

Background on the Violations

Illuminate’s platforms collect and store vast amounts of student data, including names, ages, grades, attendance records, assessment scores, and sensitive details such as race/ethnicity, special education status, accommodations, and coded medical conditions (e.g., disabilities requiring individualized education programs). The investigation by the three states revealed:

  • Inadequate Security Practices: Despite receiving cybersecurity recommendations from a third-party auditor in 2021, Illuminate did not fully implement them. Basic safeguards—such as multi-factor authentication, network segmentation, and timely vulnerability patching—were lacking, making the company’s systems vulnerable to hackers.
  • Data Breaches:
      • December 2021: Unauthorized access exposed student data from multiple states.
      • January 2022: A second breach compounded the damage, with hackers accessing and exfiltrating files containing personal information.
  • Deceptive Representations: Illuminate’s privacy policy falsely claimed the company employed “reasonable” security measures that “meet or exceed applicable federal and state law” and “prevent unauthorized access and disclosure.” Additionally, it advertised itself as a signatory to the Future of Privacy Forum’s Student Privacy Pledge—a voluntary commitment to ethical data handling—but was removed from the list following the breaches.

These lapses violated state-specific laws:

  • California’s K-12 Pupil Online Personal Information Protection Act (SOPIPA): Requires ed-tech providers to limit data collection, implement reasonable security, and prohibit unauthorized disclosure.
  • Connecticut’s Student Data Privacy Law: Mandates security measures meeting or exceeding industry standards to protect against unauthorized access.
  • New York’s Education Law § 2-d: Prohibits disclosure of student data without consent and requires robust protections.

The joint investigation highlighted the risks of ed-tech proliferation post-COVID, where remote learning amplified data collection without commensurate safeguards.

Terms of the Settlement

The $5.1 million in penalties is allocated based on impacted students:

  • California: $3.25 million (largest share due to scale of breach).
  • New York: $1.7 million.
  • Connecticut: $150,000.

Beyond monetary relief, Illuminate must overhaul its practices through binding injunctive terms (subject to court approval in California), including:

| Requirement | Details |
|---|---|
| Data Security Program | Implement a comprehensive program with access controls, data encryption, network monitoring for suspicious activity, and a formal process for identifying/remediating vulnerabilities. |
| Contract Compliance | Review and update all contracts with school districts in the three states to align with privacy laws; certify compliance annually. |
| Incident Response | Enhance breach notification protocols and conduct regular third-party audits. |
| Training and Oversight | Train employees on data privacy and appoint a dedicated privacy officer. |
| Reporting | Provide annual reports to the attorneys general on compliance efforts for three years. |

These measures aim to prevent future incidents and ensure transparency. No admission of liability was required from Illuminate, which cooperated with the investigation.

Statements from Key Figures

  • California AG Rob Bonta: “Data security concerns know no borders, and today’s settlements showcase that neither should state collaboration. This should send a clear message to tech companies, especially those in the education space.”
  • Connecticut AG William Tong: “Illuminate failed to implement basic safeguards and exposed the personal information of millions of students… This action holds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriously.”
  • New York AG Letitia James: “Students, parents, and teachers should be able to trust that their schools’ online platforms are safe and secure. Illuminate violated that trust and did not take basic steps to protect students’ data.”

Illuminate did not issue a public statement but has notified affected schools and families.

Broader Implications

This settlement signals an era of heightened enforcement in student data privacy, particularly as ed-tech firms handle increasingly sensitive information amid AI-driven tools and personalized learning. It builds on federal frameworks like FERPA (Family Educational Rights and Privacy Act) but leverages state laws for stronger remedies, including civil penalties. For ed-tech companies:

  • Compliance Push: Expect more audits, contract scrutiny, and accurate privacy disclosures; voluntary pledges like the Student Privacy Pledge carry real risks if breached.
  • Multistate Coordination: The collaboration among AGs demonstrates efficient cross-border enforcement, potentially inspiring similar actions in other states (e.g., under Illinois’ Biometric Information Privacy Act for student biometrics).
  • Industry-Wide Ripple: Similar scrutiny faces competitors like PowerSchool (facing class actions over a 2024 breach affecting 62 million students) and IXL Learning. Firms should prioritize “privacy by design” in product development.

For schools and parents, it reinforces the need for vendor vetting, including data processing agreements. The settlement, finalized without litigation, avoids prolonged court battles but sets a precedent for future violations. Updates on implementation will be monitored by the AG offices, with potential for additional remedies if non-compliant.


By Satish Mehra
