ChatGPT AI Generated Privacy and Education Supplementary

 # Why AI couldn't you do it yourself

Yes I could have but using the new feature helps me understand how it works. Plus I wanted to see if I was close in my view. You can read this if you like. If you are against AI, then sadly this is not for you. If you despise me for it. That is okay. Have fun with the read.

# Apple: Tracking Methods and Practices

**IP Address Tracking:** Apple services log the IP addresses of devices connecting to their servers. An IP address can reveal a user’s general location and serve as a consistent tag for network activity. Apple acknowledges using IP addresses to infer a user’s city or country for service customization, though it claims to _“not retain it”_ beyond that ([Legal - Apple Account & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-id/#:~:text=We%20also%20collect%20data%20on,we%20do%20not%20retain%20it)). Despite this minimization claim, each Apple device that accesses iCloud, the App Store, or other Apple services exposes an IP, allowing Apple to **recognize repeat visits and approximate location**. In practice, IP tracking helps Apple detect suspicious logins, localize content (like the correct App Store region), and gather usage statistics tied to regions – all without needing a personal name or account.

**Device Fingerprinting:** Even without explicit IDs, Apple can identify a device through its unique characteristics. Apple devices each have hardware identifiers (serial numbers, etc.) and transmit device details when contacting Apple’s servers. For example, Apple notes it may collect information on _“your devices, including your device’s name, serial number, and other hardware identifiers”_ whenever you use Apple services ([Legal - Apple Account & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-id/#:~:text=,the%20App%C2%A0Store%2C%20Apple%C2%A0Music%2C%20and%20Apple%C2%A0One)). This means **Apple can fingerprint a device** by its combination of model, OS version, and hardware/software configuration. Apple publicly positions itself against third-party fingerprinting – iOS and Safari include anti-tracking measures to **prevent websites or apps from gathering enough device details to **uniquely identify** you. But internally, Apple still uses device information for legitimate purposes like fraud prevention and syncing. In essence, Apple doesn’t sell a fingerprint profile to advertisers, but it certainly **knows “this is the same iPhone that connected yesterday”** via device metadata.

**Behavioral Analytics:** Apple collects data on how users interact with its apps and services, often under the banner of improving the user experience. This can occur even without the user’s name attached. For instance, Apple’s analytics may log what apps you open, what searches you perform in the App Store, or which articles you read in Apple News. Recent investigations found that **Apple’s own apps transmit detailed usage data back to Apple even when analytics are disabled**. A 2022 lawsuit alleges that apps like the App Store, Apple Music, and Stocks send Apple the same usage info regardless of the “Do Not Share Analytics” setting ([Apple sued for collecting user data despite opt-outs • The Register](https://www.theregister.com/2022/11/14/apple_data_collection_lawsuit/#:~:text=However%2C%20Apple%20does%20collect%20that,is%20toggled%20on%20or%20off)) ([Apple sued for collecting user data despite opt-outs • The Register](https://www.theregister.com/2022/11/14/apple_data_collection_lawsuit/#:~:text=According%20to%20the%20suit%2C%20the,articles%20read%20in%20the%20app)). The **granularity of this data is high** – the Stocks app was found to report which stock symbols a user follows or searches, and even news articles read in-app with timestamps ([Apple sued for collecting user data despite opt-outs • The Register](https://www.theregister.com/2022/11/14/apple_data_collection_lawsuit/#:~:text=According%20to%20the%20suit%2C%20the,articles%20read%20in%20the%20app)). Such behavioral analytics, tied to a device or account identifier, enable Apple to track user interests and habits (app usage patterns, content preferences) **without needing to know the user’s name**. Apple claims much of this data is either not linked to your Apple ID or is aggregated. In some cases, Apple applies “differential privacy” (adding statistical noise to individual data points) to collect trends (e.g. popular emoji or web domains) while obscuring individual identities. Nonetheless, the data flow shows Apple devices **report a wealth of behavioral information to Apple by default**, which Apple can use internally to enhance services or detect problems.

**Cross-Device Tracking:** Because many Apple users own multiple Apple products, Apple has the ability to track a person across their iPhone, iPad, Mac, etc. **Apple IDs unify user data** – if you’re signed into the same Apple account on each device, Apple’s servers can link your activities and preferences. This is by design: features like Handoff, iCloud Photos, and Continuity intentionally sync data across devices. For example, Apple keeps track of the apps you install and even “from where you install them” to sync app availability across your devices ([Legal - Apple Account & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-id/#:~:text=,the%20App%C2%A0Store%2C%20Apple%C2%A0Music%2C%20and%20Apple%C2%A0One)). Apple’s privacy policy indicates that it may collect data on the apps you use and your subscriptions across Apple services ([Legal - Apple Account & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-id/#:~:text=,and%20gift%20card%20redemption%20information)). In effect, Apple can build a **holistic profile of a user’s device ecosystem** – which apps are used most (and for how long), what websites are visited via Safari on each device (if not private-browsing and if iCloud syncing is on), etc. Unlike typical cross-device _advertising_ tracking, Apple uses this unified view primarily to **streamline your experience** (e.g. syncing settings or showing recommended apps/content based on your usage on another device). However, it also means Apple _“knows”_ when the same user (via Apple ID or device fingerprint) shifts from one device to another, or starts using a new Apple product. This cross-device knowledge can be leveraged for security (e.g. alerting your other devices of a new login) and marketing Apple services to you on all platforms.

**Advertising IDs & Persistent Identifiers:** Historically, Apple assigned each iPhone/iPad an **Identifier for Advertisers (IDFA)** – a random ID that apps could use to track a user across different apps. While the IDFA doesn’t reveal your name, it acted as a persistent tag tied to your device. In recent years Apple restricted this mechanism with App Tracking Transparency (requiring user permission for apps to access the IDFA). If permission is denied, the IDFA appears as all zeros to apps, effectively blocking third-party ad tracking. Apple itself also uses **persistent identifiers** for its own services. For example, Apple’s advertising platform (which serves ads in the App Store, Apple News, and Stocks) segments users by attributes like account age, app usage, and location, rather than sharing personal IDs with advertisers ([Legal - Apple Advertising & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-advertising/#:~:text=Ads%20that%20are%20delivered%20by,device%20data%20with%20data%20brokers)) ([Legal - Apple Advertising & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-advertising/#:~:text=Segments)). Apple creates cohorts of at least 5,000 users with similar characteristics for ad targeting ([Legal - Apple Advertising & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-advertising/#:~:text=Segments)). Still, internally, Apple has identifiers like your **Apple ID number**, device serial, or subscription ID that persist across sessions. These allow Apple to recognize you as the same user over time for features like purchase history and personalized content. Unlike Google, Apple says its advertising platform _“does not track you,”_ meaning it doesn’t combine its data with third-party data or follow your activity outside Apple’s own apps ([Legal - Apple Advertising & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-advertising/#:~:text=Ads%20that%20are%20delivered%20by,device%20data%20with%20data%20brokers)). Apple also offers a resettable **“Apple Advertising” identifier** that you can disable by turning off personalized ads. In summary, Apple’s tracking identifiers (IDFA, Apple ID, device IDs) exist to keep a consistent record of your device or account, but Apple tightly controls their use – positioning them as tools for either user convenience or Apple’s own ad system (with privacy safeguards), rather than for broad third-party tracking.

**Other Tracking Mechanisms:** Apple can also track users through **location data** and **online services usage**. If Location Services are on, Apple and its apps may get periodic location pings (e.g. for Find My or location-based suggestions). Apple says that for advertising, it only uses coarse location (city-level) and does not keep or use precise GPS for profiles ([Legal - Apple Advertising & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-advertising/#:~:text=,Location%20Services)). Another mechanism is **iCloud server logs** – any time your device interacts with iCloud (backups, file sync, messaging), Apple can log metadata like timestamps, file sizes, and of course the device’s identity and IP. Apple likely treats these as operational logs, not as part of a marketing profile, but they nonetheless serve to **timestamp your activities across its services**. On macOS, a notable example of unintentional tracking was the Gatekeeper service: at one point, opening apps would ping an Apple server to verify the app certificate, transmitting the user’s IP and app ID. After public concern, Apple encrypted that process – but it illustrated how even system-level features can create data trails. Finally, Apple employs **analytics with privacy enhancements**. For instance, Apple’s “Siri analytics” or typing data may be collected with random identifiers, and Apple touts the use of on-device processing to limit what data leaves your device. The net effect is that Apple tends to **collect fewer categories of personal data than many competitors** (Apple “stores by far the least amount of your activity data,” one analysis noted ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Apple%20stores%20by%20far%20the,and%20duration%20of%20your%20activity))), but a _non-identifiable_ approach still yields useful insights. Apple knows how often you use certain features, the duration of your sessions, error/crash reports, etc., which all contribute to a profile of your behavior without needing your explicit identity ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Search%20Terms%20%20data%20is,Purchase%20Activity%20data%20not%20collected)) ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Apple%20stores%20by%20far%20the,and%20duration%20of%20your%20activity)).

#### Apple’s Terms of Service and Privacy Policy – Legal Framing

Apple’s public policies frame its data collection as **minimal and privacy-conscious**, aligning with its brand. Apple’s Privacy Policy discloses that it collects personal information such as _“name, email address, IP address, location,”_ along with _“how you use [Apple] devices and apps.”_ ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Apple%20collects%20your%20personal%20information,use%20their%20devices%20and%20apps)) ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Apple%20collects%20your%20personal%20information,use%20their%20devices%20and%20apps)). However, Apple emphasizes that many data points are either not linked to you or are used in aggregate. For example, Apple claims it might associate some usage data with your Apple ID **temporarily to troubleshoot issues**, but otherwise **“does not retain”** certain info like IP for long-term profiling ([Legal - Apple Account & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-id/#:~:text=We%20also%20collect%20data%20on,we%20do%20not%20retain%20it)). Apple justifies tracking mainly as necessary to **deliver and improve services**. According to Apple, collecting device details, crash logs, and search queries helps _“provide you and others with better service and support”_ and for internal **“analytics purposes”** ([Legal - Apple Account & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-id/#:~:text=These%20legitimate%20interests%20include%3A)). In legal terms, Apple often cites **legitimate interest** (e.g. preventing fraud, understanding product performance) as the basis for data that isn’t strictly required by a user’s contract but still collected ([Legal - Apple Account & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-id/#:~:text=These%20legitimate%20interests%20include%3A)).

Importantly, Apple draws a distinction between its **first-party use of data and third-party tracking**. Its Terms and support documents make clear that **Apple does not share personal data with brokers or advertisers** – for instance, Apple’s advertising platform documentation states _“our platform doesn’t share personal data with third parties”_ ([Legal - Apple Advertising & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-advertising/#:~:text=Apple,personal%20data%20with%20third%20parties)) ([Legal - Apple Advertising & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-advertising/#:~:text=Our%20advertising%20platform%20doesn%E2%80%99t%20share,personal%20data%20with%20third%20parties)). Apple instead uses _contextual_ information and segments for ads, which it argues is privacy-friendly. Legally, Apple can say that by using an iPhone or Apple service, the user consents to Apple’s collection of necessary data as per the Privacy Policy. That policy explicitly notes Apple may collect **“unique identifiers, device type, OS, and IP address”** whenever a service contacts Apple ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Apple%20knows%20your%20IP%20address%2C,do%20with%20your%20IP%20address)). They frame this as **standard practice** needed to run online services (e.g. an App Store must know your device model and IP to deliver the correct app version and language ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Apple%20collects%20your%20personal%20information,use%20their%20devices%20and%20apps)) ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Device%20type%20data%20is%20collected,Operating%20system%20data%20is%20collected))). Apple also assures users (in support articles and settings dialogs) that they can **opt out of analytics and personalized ads**, suggesting that any remaining data collection is either anonymized or critical for security and functionality. In summary, Apple’s terms justify its tracking by **limiting the scope** (only Apple’s own services, no third-party mingling) and by claiming user benefit. The collection of user data is framed as a way to **keep accounts secure, prevent fraud, comply with law, and improve Apple products** ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Apple%20collects%20your%20data%20to,on%20any%20other%20privacy%20policy)) ([Legal - Apple Account & Privacy- Apple](https://www.apple.com/legal/privacy/data/en/apple-id/#:~:text=These%20legitimate%20interests%20include%3A)) – all legitimate uses under privacy laws. At the same time, Apple’s strong public stance on privacy serves as a legal and reputational shield: by explicitly prohibiting app developers from tracking users without consent and offering features like **“Limit Ad Tracking”** (now App Tracking Transparency), Apple positions any tracking it does as **aligned with user expectations and legal consent**, distinguishing it from the invasive profiling practices the company often criticizes in others.

# Google: Tracking Methods and Practices

**IP Address Tracking:** Google extensively uses IP addresses to identify and geo-locate users across its myriad services. Every time you connect to a Google service (Google Search, YouTube, Gmail, etc.), your IP address is recorded in Google’s server logs. Google’s own privacy disclosures confirm that they collect IP addresses as part of information about your “interaction of your apps, browsers, and devices with our services” ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=The%20information%20we%20collect%20includes,referrer%20URL%20of%20your%20request)). This means an IP is logged for everything from a web search to an Android device’s heartbeat check to Google servers. Because IP addresses often stay semi-consistent (at least within a session or day) and are sometimes unique to your network, Google can use them to **tie together activities from the same user or household**. For example, if a student’s laptop and phone are on the same Wi-Fi, Google knows those IPs are related, aiding in cross-device linking. IP data also gives Google an approximate location; they use IP-derived location to **localize search results and ads**. Unlike Apple – which tries to hide user IPs from third-party trackers via features like iCloud Private Relay – Google’s business benefits from IP knowledge. Even if you never sign in, Google can target content based on your IP’s location (e.g., showing local news or language) and recognize returning visitors by IP (especially when combined with browser fingerprints). In short, IP tracking is a foundational layer of Google’s ability to follow users around the web: it’s automatically included in every web request, and Google leverages it to identify unique sessions, enforce security (e.g., account login alerts for new IPs), and link activities to a rough physical location ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Google%20collects%20your%20IP%20address%2C,carrier%20name%2C%20and%20operating%20system)) ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=IP%20address%20data%20is%20collected,Operating%20system%20data%20is%20collected)).

**Device Fingerprinting:** Google is known for gathering **a vast array of device and browser attributes** to uniquely distinguish users – a technique known as fingerprinting. Through Google’s platforms (Chrome, Android) and third-party integrations (Google Analytics, Google Ads on websites), Google collects details like your browser type and version, operating system, screen resolution, installed fonts, device model, and even device sensors. Google openly states in its Privacy Policy that it collects _“unique identifiers, browser type and settings, device type and settings, operating system, mobile network information… and application version number,”_ as well as information about “the interaction of your apps and devices with our services, including IP address, crash reports, and the date/time of your request” ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=The%20information%20we%20collect%20includes,referrer%20URL%20of%20your%20request)). Each of these data points may seem generic, but together they form a unique signature. For example, **the combination of an Android phone model, OS build, carrier, plus the Google services installed** can be one-of-a-kind. On the web, Google’s tracking scripts (present on a majority of sites) retrieve your browser’s technical info and assign you a unique cookie ID, which effectively fingerprints your device ([Microsoft Word - Google data collection paper - FINAL.docx](https://www.dre.vanderbilt.edu/~schmidt/PDF/google-data-collection.pdf#:~:text=tools%20place%20cookies%20and%20run,entities%20apply%20Google%E2%80%99s%20tools%20to)) ([Microsoft Word - Google data collection paper - FINAL.docx](https://www.dre.vanderbilt.edu/~schmidt/PDF/google-data-collection.pdf#:~:text=30%20%E2%80%9CAdMob%20by%20Google%2C%E2%80%9D%20Google%2C,a%20rebrand%20of%20its%20as)). Google also uses more persistent identifiers at the device level: Android devices generate a Google Services Framework (GSF) ID when you first set up the phone, and older Android versions had a unique device ID or IMEI – these can act as permanent fingerprints tying data to a single device ([Microsoft Word - Google data collection paper - FINAL.docx](https://www.dre.vanderbilt.edu/~schmidt/PDF/google-data-collection.pdf#:~:text=IP%20address%20Semi,ids)) ([Microsoft Word - Google data collection paper - FINAL.docx](https://www.dre.vanderbilt.edu/~schmidt/PDF/google-data-collection.pdf#:~:text=GAID%2FIDFA%20Semi,iOS%20devices%20to%20allow)). Even without those, Google’s **Advertising ID (GAID)** on Android is a semi-permanent identifier (resettable, but most don’t reset often) that Google and third-party apps use to track a device across apps ([Microsoft Word - Google data collection paper - FINAL.docx](https://www.dre.vanderbilt.edu/~schmidt/PDF/google-data-collection.pdf#:~:text=Table%201%3A%20Identifiers%20passed%20to,iOS%20devices%20to%20allow)). All told, Google’s fingerprinting means that even if you don’t volunteer your name or login, Google can recognize _“this is the same browser/device as yesterday”_ with high accuracy. This enables **tracking a user’s behavior over time** (for instance, connecting that the same person who browsed CNN yesterday is now watching YouTube today). Device fingerprinting is a core part of Google’s tracking ecosystem, allowing them to deliver personalized content and ads even to “anonymous” users by reliably identifying their device or browser.

**Behavioral Analytics:** Few companies track user behavior as comprehensively as Google. Google builds detailed profiles of what you do online and in apps – ranging from the searches you make and links you click, to the videos you watch and places you go. According to one analysis of Google’s data collection, **Google keeps track of** virtually all online activities it can observe: _“search terms, videos watched, views and interactions with content and ads, voice and audio information if audio features are used, purchase activity, people you communicate with, activity on third-party sites and apps that use Google services, and browsing history (if using Chrome while signed in)”_ ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Search%20Terms%20%20data%20is,collected%20Reviews%20data%20not%20collected)) ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=People%20You%20Communicate%2F%20Share%20Content,Information%20%20data%20is%20collected)). Much of this comes from users directly interacting with Google products. For example, if you use Google Search, every query and the results you clicked are recorded in your account’s Web & App Activity log. On YouTube, every video watched or searched is logged. If you have an Android phone, Google receives telemetry about which apps you open and for how long, as well as your usage of Google apps. Additionally, Google’s reach extends to **millions of non-Google websites and apps** through tools like Google Analytics, Google Ads (DoubleClick), and various SDKs. The result is that **Google can see a large portion of a typical user’s browsing history and app usage** even outside Google-owned properties ([Google Deceptively Tracks Students’ Internet Browsing, EFF Says in FTC Complaint | Electronic Frontier Foundation](https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade#:~:text=While%20Google%20does%20not%20use,to%20prevent%20Google%E2%80%99s%20data%20collection)). For instance, if a news site uses Google Analytics, Google gets a ping that _your browser (ID XYZ)_ visited that site at a certain time, adding to its understanding of your interests. EFF’s research into Google’s education products revealed that on school-issued Chromebooks, the Chrome browser by default sends Google _“records of every Internet site students visit, every search term they use, the results they click on, videos they watch on YouTube, and even their saved passwords,”_ all without additional consent ([Student Data Tracking – Taking a Closer Look at Privacy - IDRA](https://www.idra.org/resource-center/student-data-tracking-taking-closer-look-privacy/#:~:text=Do%20companies%20really%20need%20this,aware%20that%20it%20is%20happening)). That showcases the breadth of behavioral data Google collects as you simply go about your online life. These behavioral analytics fuel Google’s **personalization engines** – allowing Google to recommend YouTube videos you might like, show you search results tailored to your habits, and of course, serve you targeted advertisements aligned with your interests. Notably, Google aggregates data across platforms: a user’s Gmail content might influence their Google Now/Assistant reminders; their Google searches influence ads seen on third-party sites using Google Ads. Through continuous monitoring of clicks, views, purchases, and location check-ins, Google essentially tracks a **detailed timeline of your digital (and sometimes physical) activities** with or without your explicit identification.

**Cross-Device Tracking:** Google has developed powerful capabilities to track the same user across multiple devices. One straightforward way is via your **Google Account**. If you’re signed into the same Google account on your phone, laptop, and tablet, Google knows those devices all belong to you. They then merge data from all sources into one unified profile (treated as your personal information) ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=When%20you%E2%80%99re%20not%20signed%20in,language%20preferences%20across%20browsing%20sessions)). For example, a user logged into Chrome on a laptop and also into Gmail on their phone will have their browsing and mobile app activity correlated. Even when not explicitly signed in, Google uses **sync and cookies to bridge devices**. Google can drop a cookie in your browser that uniquely identifies you; if you later log into Google on that browser, that cookie gets linked to your account, revealing your prior “anonymous” activity to Google. Similarly, Android phones periodically report device information and app usage to Google servers ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=We%20collect%20this%20information%20when,and%20which%20apps%20you%27ve%20installed)); if that phone ever logs into a Google account, historical data can attach to the account. Moreover, Google employs probabilistic methods: by comparing patterns (same IP address usage, same browsing patterns), Google’s algorithms can guess that a particular phone and laptop belong to the same person and use that for ad targeting (this is often called _cross-device matching_ in advertising). Google Analytics has a feature called **Google Signals** that, when enabled by a site and if the user has Ads Personalization on, allows Google to link a visitor’s activity on that site across devices using Google account data. In effect, Google can follow a user who starts reading a news article on their phone and later continues on their desktop. Another vector is Android itself: an Android phone typically communicates with Google’s cloud for notifications, backups, etc., all tied to a Google account or at least a device ID. If a student picks up a school tablet and logs into their Google account, all activity on that tablet will merge with their profile from home. **Cross-device tracking is a boon to Google’s advertising business**, ensuring that conversion tracking and ad personalization follow the user, not just the device. For instance, Google can show you an ad for a product on your phone (based on something you searched on your PC earlier) because it knows both devices are yours. Legally, users are often informed of this in privacy policies – Google outright says when you’re signed in, your data from different services and devices is associated with your account (treated as personal data) ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=When%20you%E2%80%99re%20not%20signed%20in,language%20preferences%20across%20browsing%20sessions)). Even under the hood, Google’s authentication and identification infrastructure (cookies, account sign-ins, mobile IDs) is built so that **no matter where you go, Google can usually connect the dots back to _you_**.

**Advertising IDs and Other Persistent IDs:** At the core of Google’s tracking ecosystem are persistent identifiers that allow long-term recognition of a user or device. One such identifier is the **Google Advertising ID (GAID)** on Android devices ([Microsoft Word - Google data collection paper - FINAL.docx](https://www.dre.vanderbilt.edu/~schmidt/PDF/google-data-collection.pdf#:~:text=Table%201%3A%20Identifiers%20passed%20to,iOS%20devices%20to%20allow)). This is a user-resettable ID that Google and app developers use to build an advertising profile for the device. By default, it persists until manually reset, so it enables months or years of continuous tracking across apps. When an app shares data with Google (say, via AdMob ads or Firebase analytics), it typically includes the GAID, letting Google link that app usage to the same user’s profile that includes web browsing data and more. On the web, the analog is the **DoubleClick cookie (now part of Google’s cookies)**: if you haven’t blocked third-party cookies, Google sets a unique cookie in your browser that can persist for a long time and identify you across any website that serves Google ads. Even in the absence of third-party cookies, Google uses **first-party cookies** with its Analytics scripts (each visitor gets a unique Client ID stored in a cookie) ([Microsoft Word - Google data collection paper - FINAL.docx](https://www.dre.vanderbilt.edu/~schmidt/PDF/google-data-collection.pdf#:~:text=targeted%20mobile%20ads,device%20is%20accessing%20the%20Internet)), and if you visit multiple sites that use Google Analytics, Google can theoretically correlate those visits via fingerprinting or account logins. Other persistent IDs include your **Google Account ID** (internally, a long number that identifies your account), which ties into everything you do while signed in. If you use an Android phone, there are also device-level IDs like the **Android Device ID** and the hardware **IMEI/MEID** (for cellular devices) ([Microsoft Word - Google data collection paper - FINAL.docx](https://www.dre.vanderbilt.edu/~schmidt/PDF/google-data-collection.pdf#:~:text=)). Google doesn’t routinely use IMEI for ad tracking (and it’s being phased out of many uses for privacy), but historically it was another unchangeable identifier that could link data to you. Google’s own documentation and research highlight these identifiers: **Table 1** of a Vanderbilt University study shows Google receives identifiers such as _“GAID/IDFA”_, _“Client ID”_ from cookies, and _“IP address”_ to pin down users ([Microsoft Word - Google data collection paper - FINAL.docx](https://www.dre.vanderbilt.edu/~schmidt/PDF/google-data-collection.pdf#:~:text=Table%201%3A%20Identifiers%20passed%20to,iOS%20devices%20to%20allow)). In practice, these persistent tags mean that even if Google doesn’t know your real name, it knows a certain unique ID (or set of IDs) that belong to one user profile. Over time, as you use the internet, that profile associated with that ID accumulates data: which ads you clicked, which YouTube channels you watch, which search queries you type, etc. Google says these identifiers help _“remember your preferences and maintain continuity”_ – e.g. keeping you logged in, or remembering your language settings across sessions ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=When%20you%E2%80%99re%20not%20signed%20in,language%20preferences%20across%20browsing%20sessions)) ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=Your%20apps%2C%20browsers%20%26%20devices)). But they are also the linchpin of Google’s **advertising dominance**: an advertiser can target audiences or track ad performance because Google can reliably recognize the user via these IDs on any platform. In summary, Google’s persistent identifiers (whether cookie-based, device-based, or account-based) ensure that **the tapestry of data Google collects is stitched together over time** – providing a full-color picture of each user without needing to attach it to a name or email (unless you sign in, in which case Google has those too!).

**Other Notable Tracking Mechanisms:** Google’s tracking extends into **physical world data and advanced techniques** as well. One major category is **location tracking**. If you use an Android phone or Google Maps, Google likely has a log of your location history (unless you opt out). Google collects GPS coordinates, Wi-Fi network IDs, and cell tower info to pinpoint where you go ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Time%20Zone%20%20data%20not,data%20is%20collected)). This can occur even when apps are not actively in use – for instance, Android devices periodically send location for services like weather or “find my device.” This means Google can track a user’s movements and routines (commute, travels, store visits) which greatly enriches their behavioral profile. Another mechanism is tracking through **integrated services**: Google’s single sign-on (Google Login) on third-party sites, or embedded content like YouTube videos on a page, will inform Google that _your account_ visited or interacted with that site. **Offline tracking** is a frontier Google has also approached – for example, matching ad exposures to in-store purchases by using location data or loyalty card data (though that involves explicitly personal data and partnerships). On the web, as the industry moves away from cookies, Google is introducing new techniques (under its Privacy Sandbox initiative) like **Topics API** and previously proposed **FLoC (Federated Learning of Cohorts)**. These aim to track users’ interests in the browser without a persistent ID, by assigning interest categories to the browser. While these are purportedly more privacy-friendly, they are essentially Google’s way to continue behavioral targeting by gleaning your browsing habits (e.g. what topics you frequent) **even if third-party cookies or IDs are blocked**. Additionally, Google products sometimes **listen for contextual cues** – e.g., Gmail scans your emails for keywords (to offer smart replies or remind you of bills, historically also for ad context, though Google says it stopped using Gmail content for ads in 2017). Google Assistant devices might store voice recordings of your queries. All these illustrate that Google’s tracking ecosystem goes well beyond the browser: it permeates email, voice, location, purchase history (Google Pay or Google Checkout data), and more. The scale and variety of Google’s data collection are such that even if one method is curtailed by regulation or user action (say, deleting cookies), **dozens of other signals remain** that keep Google’s picture of the user complete.

#### Google’s Terms of Service and Privacy Policy – Legal Framing

Google’s Terms of Service and Privacy Policy are explicit that **user data is collected and used to enhance services and deliver personalized experiences**. Google summarizes its approach as collecting data _“to provide better services to all our users”_ – from basic needs like language settings to _“more complex things like which ads you’ll find most useful”_ ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=We%20collect%20information%20to%20provide,you%20manage%20your%20privacy%20controls)). In legal terms, when a user agrees to Google’s terms, they consent to Google gathering information about their activities and devices. The Privacy Policy details categories of data (device information, activity data, location, etc.) and ties each to purposes. For instance, Google states: _“We collect information about your apps, browsers & devices… This helps us provide features like automatic product updates and… [for example] dimming your screen if your battery runs low.”_ ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=Your%20apps%2C%20browsers%20%26%20devices)). This frames device and system tracking as necessary for functionality. Similarly, Google justifies IP and device data collection for **performance and security** (detecting outages, protecting accounts) ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=The%20information%20we%20collect%20includes,referrer%20URL%20of%20your%20request)). In the realm of behavior data, Google openly says it uses your activity to **personalize content and ads**. According to Google, your searches, videos watched, and sites visited help them _“recommend a YouTube video you might like”_ or surface relevant search results ([Privacy & Terms - Google Policies](https://policies.google.com/privacy/archive/20200930-20210204?hl=en#:~:text=We%20collect%20information%20about%20your,The)). Their terms highlight that ad personalization doesn’t use sensitive categories like race, religion, or health status ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Aside%20from%20maintaining%20your%20services%2C,that%20are%20even%20more%20effective)) (both to comply with laws and reassure users), but does use your inferred interests and demographics. Legally, Google leans on user **consent and contract fulfillment**: by using a free Google service, you effectively _agree that Google will collect your data to operate that service and its business model (ads)_. This consent is often broad – covering even data collection on third-party sites that use Google tools. Google’s privacy terms note that when you’re not signed in, they may still tie your activity to _“unique identifiers tied to the browser, application, or device you’re using”_ ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=When%20you%E2%80%99re%20not%20signed%20in,language%20preferences%20across%20browsing%20sessions)), which is how they legally justify cookie tracking and device IDs. When signed in, data is associated with your account, which Google treats as personal data under GDPR and other laws ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=When%20you%E2%80%99re%20not%20signed%20in,language%20preferences%20across%20browsing%20sessions)).

Google also frames its data sharing in terms of user benefit and transparency. It tells users that certain data (like your Google profile info or YouTube playlists) may be visible to others _“when you choose to share or make it public”_, and that they share data with third parties only in defined circumstances (for example, with consent, with domain administrators for Google Workspace, or for external processing by trusted partners). However, Google’s business involves significant **third-party data collection for ads** – the policy explains that advertisers and publishers may receive reports containing **aggregated, non-identifying information** about ad performance, and that Google allows partners to set cookies or use similar tech to collect data from your browser ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Third)). Indeed, Google acknowledges that its partners (advertisers) can _“collect data from your browser and device using cookies”_ ([The Data Big Tech Companies Have On You | Security.org](https://www.security.org/resources/data-tech-companies-have/#:~:text=Third)) – essentially referencing the sprawling third-party tracking that Google facilitates. They legally cover this by requiring websites and apps that use Google services to obtain consent from users in jurisdictions like the EU (Google’s terms push that compliance burden to the site owners).

In comparing to Apple, Google’s terms are much more candid that **data will be used for advertising and personalization**. Google justifies this by saying it improves the user’s experience – you get more relevant ads, customized content, and smarter product features. They often cite **user control** as well: users can adjust their privacy settings, turn off ad personalization, or use incognito modes ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=example%2C%20you%20can%20sign%20up,how%20your%20information%20is%20used)) ([Google's Privacy Policy | Me and my Shadow](https://myshadow.org/lost-in-small-print/googles-privacy-policy#:~:text=use%20many%20Google%20services%20when,how%20your%20information%20is%20used)). In reality, even with some features off, Google still collects substantial data (for instance, turning off “Web & App Activity” stops storing your history to your account, but Google may still use recent activity contextually for immediate results or security). Legally, Google navigates privacy laws by providing an extensive privacy policy and obtaining user agreement to it (just by using the service, in most cases), and by complying with specific statutes like COPPA in restricted settings (e.g., Google does not show personalized ads to children under 13 in school accounts). Yet, as the EFF pointed out, some of Google’s practices have **tested the boundaries of these commitments**. EFF’s FTC complaint in 2015 noted that Google had signed the Student Privacy Pledge (a public commitment, which could be legally enforceable) promising not to collect or use student data beyond educational purposes, but then enabled Chrome Sync on school Chromebooks by default ([Google Deceptively Tracks Students’ Internet Browsing, EFF Says in FTC Complaint | Electronic Frontier Foundation](https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade#:~:text=While%20Google%20does%20not%20use,to%20prevent%20Google%E2%80%99s%20data%20collection)) ([Google Deceptively Tracks Students’ Internet Browsing, EFF Says in FTC Complaint | Electronic Frontier Foundation](https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade#:~:text=Google%E2%80%99s%20practices%20fly%20in%20the,or%20if%20parents%20provide%20permission)). Google’s defense was that it wasn’t using that data for ads, only for improving services, which highlights a key point in Google’s legal framing: **“Legitimate educational (or product) purpose”** can be a catch-all justification for extensive data collection. From a Terms of Service perspective, Google essentially tells users: _we will collect a lot of information, but in return you get free, personalized services; we will protect your data and give you some control, but we will use it to support our features and our advertising business._ By using any Google service (which most people do, given Google’s ubiquitous presence), users acquiesce to this trade-off as a legal agreement.

# Student Online Personal Protection Act (SOPPA) and Privacy Limitations

**Overview of SOPPA:** The Student Online Personal Protection Act (SOPPA) is an Illinois state law designed to safeguard K-12 students’ personal data when it’s collected by educational technology companies or school districts ([Student Online Personal Protection Act | Chicago Public Schools](https://www.cps.edu/about/policies/student-online-personal-protection-act/#:~:text=The%20Student%20Online%20Personal%20Protection,Education%2C%20and%20education%20technology%20vendors)). SOPPA defines “**covered information**” as personally identifiable information or materials linked to a student that are collected through an educational website, online service, or app for K-12 school purposes ([Student Online Personal Protection | Chicago Public Schools](https://www.cps.edu/sites/cps-policy-rules/policies/600/604/604-10/#:~:text=,purposes%20and%20personally%20identifies%20a)) ([Student Online Personal Protection | Chicago Public Schools](https://www.cps.edu/sites/cps-policy-rules/policies/600/604/604-10/#:~:text=student%2C%20including%2C%20but%20not%20limited,voice%20recordings%2C%20or%20geolocation%20information)). This is broad – it includes a student’s name, address, emails, disciplinary records, test results, photos, **search activity, voice recordings, and geolocation information**, among other data, if those are obtained in the context of a K-12 educational tool ([Student Online Personal Protection | Chicago Public Schools](https://www.cps.edu/sites/cps-policy-rules/policies/600/604/604-10/#:~:text=student%2C%20including%2C%20but%20not%20limited,voice%20recordings%2C%20or%20geolocation%20information)). Starting July 1, 2021, SOPPA mandates that Illinois schools only work with ed-tech operators under written agreements that **limit the use of student data to educational purposes** ([Doing Your Homework on Updated Illinois Student Privacy Compliance](https://www.zwillgen.com/privacy/updated-illinois-student-privacy-compliance-soppa/#:~:text=On%20July%201%2C%202021%2C%C2%A0amendments%C2%A0to%20Illinois%E2%80%99,information%20from%20Illinois%20public%20schools)) ([Doing Your Homework on Updated Illinois Student Privacy Compliance](https://www.zwillgen.com/privacy/updated-illinois-student-privacy-compliance-soppa/#:~:text=Students%E2%80%99%20CI%20may%20be%20collected,request%20corrections%20to%20factual%20inaccuracies)). It prohibits operators from selling or renting students’ information and from using data for **targeted advertising** (beyond what’s needed for school purposes) ([Google Deceptively Tracks Students’ Internet Browsing, EFF Says in FTC Complaint | Electronic Frontier Foundation](https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade#:~:text=Google%E2%80%99s%20practices%20fly%20in%20the,or%20if%20parents%20provide%20permission)). The law also gives parents rights to inspect, correct, or request deletion of their child’s data, and requires prompt breach notifications ([Doing Your Homework on Updated Illinois Student Privacy Compliance](https://www.zwillgen.com/privacy/updated-illinois-student-privacy-compliance-soppa/#:~:text=)) ([Doing Your Homework on Updated Illinois Student Privacy Compliance](https://www.zwillgen.com/privacy/updated-illinois-student-privacy-compliance-soppa/#:~:text=Second%2C%20operators%20must%20notify%20schools,%E2%80%9D)). In short, SOPPA’s intent is to **force companies like Google and Apple (when acting as school service providers) to handle student data with strict care**, using it only to support learning and not for monetization.

**Limitations and Loopholes:** While SOPPA represents a strong step for student privacy, it has important limitations that mean Apple and Google can _still_ monitor and track students in certain ways. One major limitation is **scope**: SOPPA applies to operators of online services **“designed and primarily used for K-12 school purposes.”** ([Doing Your Homework on Updated Illinois Student Privacy Compliance](https://www.zwillgen.com/privacy/updated-illinois-student-privacy-compliance-soppa/#:~:text=On%20July%201%2C%202021%2C%C2%A0amendments%C2%A0to%20Illinois%E2%80%99,information%20from%20Illinois%20public%20schools)) This implies that if Apple or Google provide a service explicitly for education (e.g. Google Classroom, G Suite for Education, Apple School Manager), then SOPPA’s restrictions kick in. Both companies do have such offerings. However, many Apple and Google products used by students aren’t exclusively for education. For example, a student might use a regular Google Search, YouTube, or an unapproved app on an iPad. Those general services are not “primarily for K-12 purposes,” so Google and Apple could argue SOPPA doesn’t directly govern that data flow. **If a student is using a personal Google account or Apple ID outside of school-managed channels, SOPPA’s protections may not technically apply.** This means a lot of tracking can occur on school devices when used for non-school activities (e.g., browsing the web at home) or when students use non-approved apps – and that data could still be collected under the companies’ standard terms.

Another limitation lies in what **“for school purposes”** allows. Ed-tech operators (like Google providing Chromebooks or Apple providing iPads to schools) inevitably collect some telemetry and background data as part of running the service. SOPPA says operators may not collect or use student data beyond K-12 purposes, but it doesn’t flat-out forbid data collection for **operational or product improvement reasons related to the service**. Companies can interpret this generously. For instance, Google could claim that collecting extensive usage data via Chrome Sync on a Chromebook is to improve the student’s browsing experience – a legitimate purpose – even if it incidentally builds a detailed profile. In fact, prior to SOPPA, the Electronic Frontier Foundation found **Google was logging students’ entire browsing history and search queries on Chromebooks by default** (through the Chrome browser’s sync feature) ([Google Deceptively Tracks Students’ Internet Browsing, EFF Says in FTC Complaint | Electronic Frontier Foundation](https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade#:~:text=While%20Google%20does%20not%20use,to%20prevent%20Google%E2%80%99s%20data%20collection)). Google wasn’t showing ads to those students (thus complying with the no targeted advertising pledge in letter), but it was still **data mining for “non-advertising purposes.”** ([Google Deceptively Tracks Students’ Internet Browsing, EFF Says in FTC Complaint | Electronic Frontier Foundation](https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade#:~:text=While%20Google%20does%20not%20use,to%20prevent%20Google%E2%80%99s%20data%20collection)) ([Google Deceptively Tracks Students’ Internet Browsing, EFF Says in FTC Complaint | Electronic Frontier Foundation](https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade#:~:text=Google%E2%80%99s%20practices%20fly%20in%20the,or%20if%20parents%20provide%20permission)) Under SOPPA, such practice might be contested as excessive, but Google can argue it’s **“necessary for providing and improving the service”**, which SOPPA doesn’t forbid. Apple similarly might log how a student uses an iPad’s apps or when the device contacts iCloud, claiming it’s for improving device performance or security. These kinds of **first-party analytics and telemetry likely remain permissible** under SOPPA as long as they’re not used for non-educational external purposes. In essence, SOPPA stops a company from selling a student’s profile to advertisers, but it doesn’t necessarily stop the company from **building that profile for itself** (for product development, troubleshooting, or future features).

**Lack of Coverage for All Student Use:** SOPPA primarily puts obligations on schools and their chosen vendors. If a teacher or student uses a tool without a formal agreement, or if a school fails to vet a piece of software, that software might not be SOPPA-compliant. Unfortunately, surveys indicate many schools do a poor job of transparency – in one study, **45% of parents said their school did not provide disclosure about ed-tech data collection** ([Student Data Tracking – Taking a Closer Look at Privacy - IDRA](https://www.idra.org/resource-center/student-data-tracking-taking-closer-look-privacy/#:~:text=The%20Spying%20on%20Students%20report,out%20was%20available%E2%80%9D%20%28p.10)). This can lead to inadvertent loopholes: a district might approve Google Workspace (covered by SOPPA contract) but then allow students to browse the web freely. Google’s trackers on websites (via Ads or Analytics) could then **collect student data outside the agreed scope**. The school may not even be aware to restrict that because it’s outside the specific “operator agreement.” Similarly, an iPad might have YouTube or the App Store enabled for a student. Apple does have an education policy that disables certain tracking (for example, Apple’s **managed Apple IDs** for students under 13 have no targeted ads and limit certain data collection). Yet, some data flows remain – Apple will still gather app usage stats or device information from those iPads for its own purposes (like software updates, crash logs). SOPPA’s enforcement in such cases relies on **school configuration**: the school would need to restrict apps or use MDM settings to minimize data sharing. If they don’t, Apple and Google can still vacuum up data through their normal channels, as SOPPA doesn’t magically block the technical tracking; it only provides legal grounds to demand restrictions which must be operationalized by contracts and settings.

**Persistent Identifiers & De-identified Data:** Another gap is that SOPPA and similar laws target “personally identifiable” info, but companies can sometimes track using de-identified or aggregated data which may fall outside strict definitions. Apple, for instance, could aggregate student usage data across a district to find patterns (saying none of it is PII because individual device IDs are removed or anonymized). Google could use device identifiers or cookies that aren’t immediately linked to a student’s name. While SOPPA defines covered information broadly, an operator might argue that a device’s advertising ID or an IP address alone is not “personally identifiable” without additional context. This is a gray area – **IP addresses and device IDs are often considered personal data under privacy regulations**, but a company might present them as technical identifiers. If Google collects an Android tablet’s ID and telemetry, and claims it is used only in aggregate to improve Android for all students, the data might not be viewed as the student’s educational record per se. Thus, Apple and Google can **continue some level of monitoring under the guise of anonymous data** collection. The law would prohibit them from re-identifying and misusing it, but oversight is difficult.

**Despite SOPPA’s Protections – Real-world Monitoring Continues:** The spirit of SOPPA is to prevent the kind of rampant data exploitation that worried parents – selling student data, or using it to target ads. Apple and Google publicly adhere to those rules (both have pledged not to serve targeted ads to students in school environments, for example). Yet, both companies can still monitor students in more subtle ways **that SOPPA doesn’t fully prevent**:

- _Product Improvement Tracking:_ Both Apple and Google likely retain the right (in their contracts or policies) to collect **usage analytics** to improve their services. A Google Classroom or Apple Schoolwork app might collect how long a student spends on an assignment, or what errors occur – this is arguably in-service and allowed. Over time, it still builds a picture of student behavior.

- _Security Monitoring:_ They also track for security reasons – e.g., Google scanning a student’s Google Drive for viruses or explicit content (which it does even in edu accounts to enforce policies), or Apple logging device locations for lost device recovery. These uses are allowed and even beneficial, but they incidentally mean **constant surveillance of content and location** under a safety rationale.

- _Default Data Collection:_ Unless schools **actively configure devices for privacy**, default settings may transmit a lot. EFF’s report noted that many schools leave default settings on, resulting in extensive data flow to companies ([Student Data Tracking – Taking a Closer Look at Privacy - IDRA](https://www.idra.org/resource-center/student-data-tracking-taking-closer-look-privacy/#:~:text=survey%20conducted%20by%20the%20EFF,out%20was%20available%E2%80%9D%20%28p.10)). SOPPA now forces contracts that presumably forbid unnecessary data collection, but enforcement is tricky. Big providers like Google have amended their education terms (post-2015) to say they don’t use student data for ads. Yet in practice, **data was still being collected** – just not shown to advertisers. SOPPA doesn’t necessarily stop that practice; it just gives legal recourse if a school finds out and objects.

In summary, SOPPA significantly curtails overt misuse of student data and requires more transparency, but Apple and Google can **legally justify continued tracking** by: (1) classifying it as necessary for providing the service (thus within “school purposes”), (2) ensuring the data isn’t sold or used for external marketing (so technically complying), and (3) operating outside SOPPA’s scope whenever a student steps into a non-educational context online. As one education privacy advocate put it, gaps in laws allowed companies to collect “far more information on kids than is necessary and to store this information indefinitely” ([Student Data Tracking – Taking a Closer Look at Privacy - IDRA](https://www.idra.org/resource-center/student-data-tracking-taking-closer-look-privacy/#:~:text=Because%20the%20laws%20around%20student,at%20all%2C%20are%20unwittingly%20helping)). SOPPA attempts to plug those gaps, but **loopholes and practical enforcement challenges remain**. Apple and Google have such deep integration in devices and networks that some level of tracking is inevitable – they justify it as improving security or user experience, and SOPPA does not eliminate those justifications. Thus, even with SOPPA, **schools and parents must remain vigilant**. They need to ensure devices are configured for maximum privacy, and trust that Apple and Google honor not just the letter of the law but its spirit – refraining from peering into student data any more than absolutely needed. The reality is that these companies, by virtue of their platforms, can still watch much of what students do; SOPPA just fences off how they can use that information, leaving the **monitoring apparatus largely intact** behind the scenes.