PITTSBURGH, Pa. – A recent study conducted by the Pittsburgh Post-Gazette shows education technology companies collect a lot of information about students, but few reveal exactly what they do with it.

“Parents are very nervous, and rightfully so, when third parties are empowered to build dossiers on their children,” Fordham Law School professor Joel Reidenberg told the news site. “Unless they have a means of learning what data is being collected, they have no way to independently assess the risks to their children, and whether this is a good product or a bad product.”

Student data has become a hot topic in the wake of new Common Core national standards, which encourage schools to increase the use of technology in the classroom and collection of student data that’s later shared with the federal government. The obvious concerns for student privacy are among numerous reasons an increasing number of parents are speaking out in opposition to Common Core.

MORE NEWS: Know These Before Moving From Cyprus To The UK

The Post-Gazette reviewed 143 education technology providers in Pennsylvania and found the amount of student information collected and how it’s used varied widely. Glogster EDU, a Czech Republic-based smartphone app used in Pennsylvania schools collects students’ “name, address, email … date of birth, gender, country … interests, hobbies, lifestyle choices, groups with whom they are affiliated (schools, companies), videos and/or pictures, private messages, bulletins or personal statements,” according to the news site.

That information could be sold or shared with “consumer products, telecom, financial, military, market research, entertainment, and educational services companies,” according to the company’s website.

The goal of much of the data collection is to personalize lessons for students based on their interests and skill level, but there are few laws protecting student privacy, and the technology companies that collect the information have widely different practices for how they handle it.

The majority in Pennsylvania don’t reveal how long the student information is maintained, or what they do with it in the event of a merger, bankruptcy or data breach.

The news site pointed to a 2009 case out of Texas in which the online learning giant K12 Inc. sued Socratic Learning Inc. when it realized the company sent data to India that eventually made its way back to a blogger in Arizona.

K12 operates 22 cyber schools in Pennsylvania and numerous others across the country, providing online courses to about 125,000 students a year. K12’s policy states the school “may collect information regarding you and your children … (to) include: first and last name; billing address; the names and ages of your children; the services you request; registration and enrollment information about your children; and an e-mail address,” according to the Post-Gazette.

MORE NEWS: How to prepare for face-to-face classes

The company “may shore your information with companies that are not affiliated with K12 but who are interested in sending you information about their products or services,” though parents are provided an avenue to opt out of that portion of the policy.

In the last year, only 12 parents requested to opt out.

“What that really means is that maybe 20 people way the (do-not-share) option, 14 people understood it and 12 people chose it,” Bill Fitzgerald, director at Common Sense Media, told the news site.

In many cases, he said, keeping students’ information private can mean locating “a checkbox which you often need to uncheck to opt out, buried at the bottom of a long page that most people never get to.”

“Other firms put no publicly available constraints on their use of student data, but still got district contracts,” according to the Post-Gazette.

And of the 143 ed tech companies serving 31 school districts in Pennsylvania analyzed by the news site only 10 vowed to notify schools if student data was stolen, with another four claiming they “may” alert school officials.

“Fewer than half said anything about ever deleting the student data they collect – a key means of reducing the scope of data theft,” the news site reports.

“’If you’re sitting on a data trove for years, it increases security risks, because it can be hacked or lost’ or sold,” Reidenberg said. “The default should be destruction.”