Keep ICE’s Big Tech partners out of our kids’ counseling services!

Mental health is a prerequisite for learning, and all kids deserve access to mental healthcare. As the Trump administration ramps up its mass deportation campaign across the country, the already urgent need for mental health services for students is only increasing.

Chicago has been the focus of this campaign for many weeks, and, concerningly, Chicago Public Schools (CPS) is directing families and students to a for-profit mental health tech company, Hazel Health, that’s just merged with another startup with deep connections to one of ICE’s Big Tech partners, Palantir.

Just last week, the Parent Coalition for Student Privacy, along with other advocacy groups, wrote to the Chicago Board of Education urging the Board to address the inadequate protection for student data in Hazel Health’s contract with CPS. After that letter was sent, news emerged about Hazel Health’s merger.

Here’s what we know so far…

What to know about Hazel Health

Last fall, CPS signed a no-cost contract for Hazel Health’s telehealth counseling services for high school students and rolled out these services in March. The services Hazel is providing to CPS students are being underwritten by United Healthcare for students whose own public or private insurance doesn’t cover these counseling sessions. Hazel is privately held, and its venture capital investors include Bain Capital and the firm of an heiress in the Walton family.

CPS’ contract with Hazel is set to renew automatically for two years on December 31, 2025. But if the Board of Ed gives notice by December 1st, the contract can be modified or canceled.

As mentioned above, last week, Illinois Families for Public Schools, Legal Action Chicago, Legal Council for Health Justice, NAMI Chicago, NASW-Illinois Chapter, and the Parent Coalition for Student Privacy sent a letter to the Chicago Board of Ed and CEO/Superintendent urging them to review, rectify and—if necessary—cancel their contract with Hazel Health because of major issues with student data protection. You can read that letter here.

Why would advocates urge the Board to consider ending a contract for “free” mental health services for students at a time when there is ever increasing need and demand for counseling services?

First and foremost—nothing is free; it’s a truism at this point that free tech means you’re the product, not the customer, and Hazel’s parental consent form raises numerous red flags along these lines. It is both broad and vague—parents must agree that Hazel can use their child’s identifiable data for any research and development purposes. On top of that, parents also must agree that their child’s sensitive mental health and other data may be stolen (“illegally accessed”) once Hazel holds it.

Hazel’s website also has marketing trackers from Amazon, Google and Facebook—something that ed tech vendors can’t use under Illinois’ Student Online Personal Protection Act (SOPPA).

And Hazel’s contract doesn’t provide any details about what sort of highly sensitive data Hazel is collecting—even though that’s something required by SOPPA! As a result, families don’t know: Are these counseling sessions recorded? Are they transcribed? Are students’ eye movement, facial expressions and keystrokes tracked? Is any of this information combined with the medical data and screening assessments Hazel holds? No information about any of these types of data is even disclosed in CPS’ contract. IL-FPS has a more detailed explainer on Hazel’s privacy issues here.

And now Hazel has merged with Palantir-partner Little Otter…

Hazel announced this week that it merged with another mental health tech startup, Little Otter. Little Otter has an AI-based platform and uses the data from its clients to train its algorithms. All of Little Otter’s therapy sessions are recorded, and it’s unclear whether information from those recordings is being utilized as input for its AI platform.

Little Otter’s founder and CEO, Rebecca Egger, is one of the so-called “Palantir mafia”, having gotten her start in Silicon Valley at Palantir. Little Otter’s tech leads, including their previous CTO, COO and head of data engineering, are also all former Palantir employees.

Little Otter still has close ties to Palantir as one of its Global Builder startups that “use Palantir as a product multiplier to accelerate their missions.”

If you’re not familiar with surveillance tech behemoth Palantir, it’s been a major federal contractor for many years, and is now playing a key role in the Trump administration’s plan to merge data across federal agencies, including the IRS and the Social Security Administration.

One of those agencies is ICE. Palantir has been described as “the corporate backbone of ICE that the agency is relying on for surveillance and deportations,” and they are a—if not the—major tech partner in the Trump administration’s mass deportation plan.

What does this mean for CPS’ contract with Hazel?

Is data from CPS students’ online counseling sessions already being used to train AI algorithms? Will it be used that way in the future because of Hazel’s merger with Little Otter?

In response to the Trump administration’s ramping up federal law enforcement and military presence in Chicago, CPS has highlighted Hazel as a resource for students experiencing fear, anxiety and trauma, as communities across the city are terrorized by ICE’s secret police.

Which leads to another question: Could information from recordings or transcriptions of children’s counseling sessions eventually end up in a federal database? (The Chief Information Officer at the Department of Health and Human Services is also ex-Palantir.)

In light of all these questions, it’s simply not ok for the Chicago Board to allow the contract with Hazel to automatically renew. CPS should review it, fix it—if that’s even possible—and if it can’t be fixed, cancel it.

Handing students’ most sensitive data over to tech broligarchs building the surveillance state to hunt down those students or their families is entirely unacceptable.

Free tech is never free, and that’s especially true in 2025.

What can you do?

If you are a Chicagoan, please advocate with your school district leaders about the existing contract with Hazel!

If you are not in Chicago, find out if your school district or state already has a contract with Hazel Health or is considering signing one. Hazel is in 19 states and 180 school districts, including many of the largest in the country: Los Angeles Unified School District, Miami-Dade and Broward County in Florida, Houston and Dallas ISDs in Texas, Fairfax Co VA, Clark Co NV, Jeffco CO, and the School District of Philadelphia.

You can check the Hazel website, and also Google for “Hazel Health” along with the name of your school district, state department of education or health or state’s lobbyist registration site. The North Carolina Department of Health and Human Services just signed a contract with Hazel which covers about 1/3 of the state. Iowa has a partnership with Hazel, as does Rhode Island. In both Virginia and in Georgia, Hazel is an approved vendor for the states’ respective departments of education.

Any and all of these types of contracts need scrutiny, as do any consent forms Hazel is using.

Hazel is also not the only tech company pushing to increase its market share in this space; any outsourcing to third-party tech firms merits a closer look. The data involved is extremely sensitive. There have been several significant ransomware attacks on school districts’ mental health data in recent years, including Los Angeles and Minneapolis, with devastating information released about students and staff on the dark web. A major breach of a Finnish mental healthcare startup in 2020 resulted in blackmail attempts and deaths by suicide. CPS itself had a ransomware attack that exposed data of more than 700K students in early 2025, including Medicaid ID numbers.

Please reach out if you need assistance with researching what is happening in your district or state:  info@studentprivacymatters.org. Even if your state does not have especially robust student privacy laws, your advocacy alone can make a difference!

Chicago Board Of Ed Should Overhaul Or Cancel Telehealth Counseling Contract

MEDIA RELEASE

October 9, 2025

CONTACT:
Cassie Creswell
Illinois Families for Public Schools
773-916-7794

Advocacy Orgs Call On Chicago Board Of Ed To Overhaul Or Cancel Telehealth Counseling Contract

CHICAGO — Yesterday five advocacy organizations sent a letter to the Chicago Board of Education and Chicago Public Schools Superintendent-CEO Macqueline King calling on them to cancel CPS’ contract with Hazel Health, a for-profit tech company providing mental health services to CPS high school students, or remedy the lack of protections for sensitive student data before the contract renews automatically on December 31, 2025.

Illinois Families for Public Schools, Legal Action Chicago, Legal Council for Health Justice, NAMI Chicago, NASW-Illinois Chapter, and the Parent Coalition for Student Privacy urged the Board to fix the lack of data protections in the contract and the consent form that parents sign in order for students to get services, along with ending the illegal targeted advertising on the Hazel website where families sign up for the program. If these significant issues can’t be rectified, then the contract should be canceled altogether.

CPS contracted with Hazel Health starting last fall, and the contract will renew automatically for the first of four two-year terms on December 31, 2025 if the Board does not take any action before Dec 1. The contract is no-cost; students’ public or private insurance is billed, and additional costs appear to be covered by funding from United Healthcare. If no changes are made, the contract will run through 2033; it did not require any previous Board vote as a no-cost contract delegated to administrative approval only.

Hazel Health is a privately held health tech startup formed in 2015 to provide both physical and mental healthcare telehealth services to public school students. A consortium of investors led by private equity firm Bain Capital holds the majority of Hazel shares, and the company has contracts with more than 180 school districts in 19 states, including many of the country’s largest: Los Angeles, Philadelphia, Houston, Miami, Jeffco (Colorado), Clark County (Nevada), and Fairfax County (Virginia). Hazel Health recently merged with an AI-based mental health startup, Little Otter, according to Axios.

Illinois’ state Student Online Personal Protection Act (SOPPA) has strong prohibitions on school contractors using students’ personally-identifiable information (PII) for commercial purposes, including targeted advertising, along with robust requirements for keeping data secure. Hazel’s parental consent form states that a student’s PII may be stolen and that the company can use their data for product development and research. The landing page that CPS sends parents to on the Hazel site has marketing trackers from Alphabet (Google’s parent company) and Amazon. Hazel’s own privacy policy says that they also have trackers from Facebook on their site.

Illinois Families for Public Schools executive director Cassie Creswell, who has been worried about how Hazel is treating student data since the district rolled out these services in March, said, “As a Chicago Public Schools parent myself, I know there is major unmet demand for therapy and counseling for students, but a no-cost contract with a for-profit company raises huge red flags about whether students are paying for this care with their data, which, frankly, is too high a price when it comes to the most sensitive possible data about minor children.”

CPS’s contract with Hazel Health provides no information about what medical, disability, counseling or mental health data the company collects, holds or generates. The company’s services are provided via video conferencing, so potentially the company is holding audio and video recordings, automatic transcriptions, counseling notes, medical, behavioral or disciplinary records, biometric information and more.

Under SOPPA, data should be cataloged in the contract between CPS and Hazel, but the current contract only includes a short list of rostering information, like a student’s name, email, grade level and parent contact information. In the wake of Hazel’s merger with health startup Little Otter, data that Hazel holds may be shared and used for training Little Otter’s AI platform.

CPS has been referring families to Hazel Health since March, and, in response to the Trump administration’s ramping up federal law enforcement and military presence in Chicago, has highlighted Hazel as a resource for students, including those in immigrant and mixed status families, LGBTQ+ students, and Black and Brown communities, who are experiencing anxiety and undergoing trauma.

“Protecting the personally-identifiable information and incredibly sensitive mental health data of students in vulnerable communities is especially crucial right now, and it is worrisome that families are being directed to a service with major unanswered questions about the level of protection of their data,” added Creswell.

“No school district should outsource its responsibility for protecting student confidentiality to private investors. CPS has a moral and legal obligation to ensure that every mental health partnership upholds the same privacy and professional standards that licensed clinicians follow every day,” said Kyle Hillman, director of legislative affairs for the National Association Of Social Workers – Illinois Chapter.

In a statement, Legal Council for Health Justice also expressed serious concerns about the use of Hazel Health’s services: “We fully support CPS’ goal of offering mental health treatment options to their students, but we can’t endorse a contract with an entity that takes so little responsibility for the security of sensitive information about those students.”

“We have also encountered overly lax privacy protections for student telehealth mental health services in New York City. But the agreement signed by Chicago Public Schools is among the worst we’ve ever encountered. The extremely sensitive personal data of students is being illegally sacrificed for commercial purposes and targeted ads in a manner that could seriously worsen their safety and emotional health,” said Leonie Haimson, co-chair of the Parent Coalition for Student Privacy.

There have been several significant ransomware attacks on school districts’ mental health data in recent years, including Los Angeles and Minneapolis. A major breach of a Finnish mental healthcare startup in 2020 resulted in blackmail attempts and deaths by suicide. CPS itself had a ransomware attack that exposed data of more than 700K students in early 2025, including Medicaid ID numbers.

About Illinois Families for Public Schools

Illinois Families for Public Schools (IL-FPS) is a statewide, grassroots, non-profit 501c4 advocacy group founded in 2016. IL-FPS is the voice of public school families in Springfield and across the state, advocating to defend and improve Illinois public schools. More at ilfps.org.

About the Parent Coalition for Student Privacy

The Parent Coalition for Student Privacy (PCSP) is a national grassroots advocacy organization, founded in 2014, which built on the success of parent advocates to stop the creation of inBloom, a national database of K-12 student data to be used for commercial purposes. PCSP includes parents from nearly every state and assists families in addressing individual and systemic threats to student privacy. More information at studentprivacymatters.org

###

How NYC parents can opt out of data sharing and protect their child’s privacy

Important update: Our special privacy briefing via Zoom has been rescheduled to Wed. Oct. 22 at 6 PM!

Oct. 6, 2025

In May 2025, the NYC Department of Education revised Chancellor’s regulation A-820 to authorize DOE and schools to disclose a category of student personal data called Directory Information for the first time within the school or to non-school vendors, as long as parents were provided with the right to opt out.

Yet the instructions for parents on how to opt out on the DOE website are difficult to access and understand, requiring clicks across many webpages and forms. In some cases, the webpages omit key details, including which grade levels these disclosures apply to and the deadlines for opting out. In at least one case, the deadline listed is from last year, and in the case of disclosures to charter schools, opting out requires that you know your child’s OSIS number.

  1. How to opt out of the disclosure of your child’s Directory Information

To simplify the opt out process for parents, the Parent Coalition for Student Privacy has developed a simple one page opt out form that offers all this information in a clear and organized fashion, and can be printed, filled out and handed in at your child’s school.

To be clear, this is an unofficial form that we have created based on the opt out form used by Los Angeles public schools. Though we repeatedly urged DOE to create a similar form, they have refused to do so. Still, we recommend you print this form, fill it out and hand it in at your school as soon as possible.

  • In any case, to ensure that the DOE recognizes your intention to opt out, you should also check our instructions on how to opt out of four different directory information disclosures that DOE intends to make: to charter schools, the military and/or colleges for recruitment purposes, as well as the National Student Clearinghouse.
  • Also, here are instructions on how to opt out of the NYC Kids Rise savings program, which DOE and the company have made especially complicated.
  • Your school is also supposed to provide you with a separate opt-out form for whatever disclosures they intend to make to other organizations and/or purposes, as well as specific information about what data will be disclosed in each case if you do not opt out. If you haven’t received that form, ask your principal or Parent Coordinator for it ASAP.
  • If any of these disclosures are being made to companies or individuals outside of the school community, there must also be a written agreement or contract that protects the confidentiality of your child’s personal data. This is the only significant change that we managed to convince DOE to make to improve their initial proposed regulations.  Ask your principal to provide that written agreement.

Additional questions parents should be asking about their children’s privacy and ed tech at their schools

In any case, it is important to note that  the instructions above only deal with the category of directory information provided to non-school vendors, generally for non-educational purposes.

DOE and individual schools have signed up with more than 500 ed tech companies to provide various types of services and programs, each of which collects and processes personal student data, much of it extremely sensitive. As a result, NYC students have suffered multiple damaging data breaches over the last few years.

While in most cases, parents cannot opt out of this type of disclosure, they do have the right under NY Ed Law 2D  to be alerted as to which companies have access to their children’s personal info, how it will be protected from breaches and misuse, and how they can check to see if it is accurate and ask for it to be corrected if necessary.  See our Parent Bill of Rights summary here.

So if you are concerned about your child’s privacy, here are some additional questions that you should ask your principal or School Leadership Team about the educational apps or programs employed in your child’s classroom and school:

  • Request the names of all the ed tech programs used by your children, their teachers, and/or school administrators that can access your child’s personal information. Be sure to request the names of all the programs that DOE has told them to use, as well as the programs that the administrators or teachers have chosen  that collect or process your child’s personal student data.
  • If they seem reluctant, remind them that the state student privacy law, Ed Law 2D, provides parents with the right to see the data collected by outside agencies, companies, organizations or other third parties. Parents cannot do that unless they know the names of these programs or apps.
  • Also, ask for a copy of the privacy and security protections for each of these programs, explaining how the data is secured, minimized and deleted when it is no longer necessary to provide the contracted services.

Some of that information is supposed to be on the DOE website but we have too often found that critical information there is missing or incomplete.   As a result, data breaches are all too common, including of the information of students  who have long graduated.

  • Be sure to ask specifically which of these programs use Artificial Intelligence, and which additional privacy protections are in place for these programs, if any. Many AI programs are known to mine personal student data to improve their products, which is illegal under Ed Law 2D and/or its regulations.
  • You should also ask how many hours per day or per week your child is spending on computers while in school. Now that there is a school cell phone ban, parents should also be concerned about excessive screen time in schools, which has been shown to be far less effective in terms of  student learning and engagement than classroom debate and discussion, as well as reading, writing and doing math on paper.

Finally, I will be holding a special privacy briefing for parents on Wed. October 22 at 6 PM to go over these and more issues in more depth. 

This is the same day as the October 22 deadline to opt out of the disclosure of personal info of 11th and 12th graders for the purposes of military and/or college recruitment. You can register for this briefing here.

  • Speaking of college recruitment, if your child is in 11th or 12th grade and has signed up for a College Board account to take the PSAT or SAT, or plans to do so soon, please contact us by emailing info@studentprivacymatters.org ASAP.

We believe that the College Board may still be violating student privacy, despite the consent decree they signed with the Attorney General’s office to cease using student data for marketing and commercial purposes in February 2024.

Alert: Urge your Senators to eliminate the ban on regulating AI from the budget bill!

Update, July 1, 2025  —  Because of public outrage and the vehement opposition of parents, state and local officials, and advocates alike, the Senate voted 99-1 to eliminate this provision from the bill — so that states will be able to  regulate the use of AI, including in the classroom.  If you wrote a letter or called your Senator, thank you! 

The unregulated use of AI in the classroom is a profound threat to student privacy, as these programs collect and commercialize students’ personal data. It is also a threat to the personal connection, feedback and engagement central to a quality education. AI is one of the few technologies whose inventors have warned that it poses a serious risk to humanity itself, including Nobel Prize winner Geoffrey Hinton, often called the godfather of AI.

In a joint letter, more than 200 state legislators expressed their “strong opposition” to any ban on regulating AI, joining a bipartisan coalition of state attorneys general who expressed similar concerns.

Please write to your U.S. Senators today, to demand that they eliminate any language from the budget bill that would prevent or dissuade states and localities from passing laws on AI to protect the safety, education and the well-being of our children.  And please share this email with others who care.  Thank you!

Parent leaders, elected officials, advocates & members of Chancellor’s Data Privacy Working Group urge Chancellor Ramos to postpone vote on student privacy regulation and allow parents the right of consent

The letter is embedded below the press release.

For immediate release: May 27, 2025

For more information:

Leonie Haimson, info@studentprivacymatters.org; 917-435-9329
Rosa Diaz, Rdiaz.cec4@gmail.com; 347-885-1687
Shannon Edwards, shannon@aiforfamilies.com; 347-719-2161
Kaye Dyja, kdyja@nyclu.org; 212-203-3532

On Wednesday May 28, 2025, the Panel for Educational Policy is scheduled to vote on the revisions to Chancellor’s regulation A-820, which would significantly weaken student privacy protections.  It would allow the Department of Education to share a wide range of sensitive student data with third parties as long as they believe it would benefit the student or the school system.  Members of the Chancellor’s Data Privacy Working Group, NYC Council Members, and Community Education Council leaders, as well as several advocacy organizations including  the  NY Civil Liberties Union, the Parent Coalition for Student Privacy, Dignity in Schools Coalition, and the Alliance for Quality Education, have signed onto a letter to Chancellor Ramos, urging her to delay this vote because of the risk to student safety and privacy if these regulations are approved.

The data that could be shared by Department of Education officials with any third party they please, as long as they considered it beneficial to the student or the system as a whole, would include a student’s name, email address, home address, phone number, and photo, as well as their parents’ contact information and a wide range of additional personal information.

Because of the concerns expressed by parents and advocates last October, including over 3,000 emails sent to the Chancellor and members of the PEP, the initial vote on these revisions was postponed and a Data Privacy Working Group (DPWG) was appointed by the Chancellor.  While some significant improvements have been made as a result of the Group’s discussions, the proposed regulations remain too risky, allowing the disclosure of highly sensitive student data with only an unreliable parent opt out method to prevent this.

Rosa Diaz, the chair of the Chancellor’s Parent Advisory Council and a member of the DPWG said, “Parents deserve the right to control the dispersal of their children’s sensitive personal information, especially when it’s being transmitted to companies or individuals not performing any services to our schools.  We are especially concerned about how this information might be used to threaten the safety of our most vulnerable immigrant children, at a time when their privacy is being  assaulted and data misused by the Trump administration.”

Nequan McLean, another member of the Chancellor’s DPWG, and President of Community Education Council 16 and the Education Council Consortium said, “If approved, this regulation would open up all sorts of unacceptable harms to public school families, including potentially allowing charter schools to aggressively recruit students directly and cherry picking the most academically successful ones by making their academic honors publicly available.  Already, parents are bombarded with charter school mailings and phone calls, even after they have opted out of such mailings.  This harassment could worsen if the proposed amendment to the Chancellor’s regulation A-820 is adopted.”

Shannon Edwards, founder of AI for Families and a member of both the Chancellor’s DPWG and the NY State Education Data Privacy Committee, pointed out, “Too many children are already preyed upon by social media companies and are vulnerable to deep-fake porn and harassment, undermining their mental health.  Sharing their personal email and photographs without strict controls could merely exacerbate this dangerous trend.  We need far more rigorous oversight and regulation preventing the release of this information, rather than loosening the restrictions, as these revisions to the regulation would allow.”

“Parents may not realize that the DOE is handing over their child’s sensitive information to an unknown number of agencies and private companies. This could include a student’s address, photos, and more; in fact, there are only a few exceptions to what can be shared. We believe that caregivers should have the right to give or withhold consent for their child’s information to be shared. It’s reasonable for schools to have the ability to share some basic information for the purposes of events and communication, but for the DOE as a whole to be able to share almost any information without consent is overreach that disenfranchises students and families. We have seen that our new Chancellor is genuinely responsive to the concerns of families, so we are hopeful that she will consider pausing the vote and revisiting the regulations to allow for more parent agency,” said Kaiser, organizer with the Alliance for Quality Education. 

“Given the excessive number of data breaches, the potential of identity theft, and troubling examples of student data already used for targeted advertising and commercial exploitation, as well as the enhanced risk of deportation for our most vulnerable immigrant students, the DOE’s student privacy regulations need strengthening rather than weakening at this time,” said Leonie Haimson, a member of the DPWG and co-chair of the Parent Coalition for Student Privacy.  “We urge the Chancellor not to push through these regulations without more careful consideration of their potential damage to student safety, and to require parent consent rather than opt out for these disclosures.”

###

letter to Chancellor on privacy regulation 5.27.25