From cyberbullies to prowling predators, parents have always had plenty of online threats to guard their children against. Now they can add identity thieves to the list.

Because kids generally have pristine credit—legally, they can’t get credit cards without parent or guardian permission—they are ideal targets. And identity theft resulting in undetected damage to children’s credit can impact their ability to receive college loans years later.

Few parents or educators are keenly aware of the risks of data collection and how to protect their child’s privacy. A teacher using a classroom management app on a school-issued iPad, for example, might unwittingly expose her students’ names, ages, e-mail addresses, interests—even Social Security numbers.

Until recently, there simply hasn’t been much personally identifiable child data to steal or misuse, says Sophia Cope, an attorney at the Electronic Frontier Foundation. But as kids increasingly interact online—whether at school, at home, or on mobile devices—they are becoming more vulnerable to all manner of online invasions.

The amount of child data collected through official and unofficial means has expanded rapidly in recent years, according to a recent Gartner report.

One student data management system alone—PowerSchool, which British education publisher Pearson sold to a U.S.-based equity firm earlier this year—accesses the attendance, behavior, and medical records of 6,100 schools and 13.5 million students across the United States, the report said.

Safeguarding children’s privacy while using big-data analysis to improve school management and student instruction is challenging, privacy advocates such as EFF’s Cope say. The Family Educational Rights and Privacy Act restricts the types of data that schools can share with third-party vendors, and the Children’s Online Privacy Protection Act “prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.”

“A teacher is not going to be able to effectively instruct a student unless they know them.” — Paige Kowalski, vice president of policy and advocacy, Data Quality Campaign

But while FERPA covers children under age 18, COPPA covers only those under age 13. So when it comes to data mining of Internet activity outside school, 13-year-olds are no more protected than 18-year-olds. Any online activity ranging from watching videos on YouTube to posting photos on Instagram is ripe for data mining, which means it is also rife with vulnerabilities.

Today’s upward trend in student data mining corresponds strongly with the rapid expansion of the education technology market. According to a Software & Information Industry Association report, the U.S. market for education software and digital resources increased 5.1 percent from 2013 to 2014 alone.

There are “many ways to pull [student] information together in a way that can inform a teacher to change instruction,” says Paige Kowalski, vice president of policy and advocacy at Data Quality Campaign, a D.C. organization contending that teachers, school administrators, and education software developers benefit from the collection and streamlining of student data. “A teacher is not going to be able to effectively instruct a student unless they know them.”

Khaliah Barnes, director of the Student Privacy Project at the Electronic Privacy Information Center, agrees that the mining of student data can improve instruction.

“With digital-learning tools, there can be a record of learning, which allows students to proceed at a pace that is specific to them,” Barnes says. “It requires the tracking of success and the lack of success.”

Barnes cautions, however, that “if a data broker has access to [an] online or educational application used in class, then they could mine that for marketing purposes.”

One marketing company, Scholarships.com, is under a Federal Trade Commission investigation for its handling of student data. The site began encrypting the data—scrambling it so it can’t easily be read—only after the complaint was filed.

Some companies are working with privacy advocates to improve children’s online protection. More than 150 organizations, ranging from software developers to digital-content publishers, have signed a privacy pledge pioneered by the Future of Privacy Forum and software industry group Software and Information Industry Association.

Others are simply highlighting the benefits of collecting student data.

“Colleges recruit students on our website, and they pay to be able to do that,” says Kevin Ladd, vice president of American Student Marketing, which provides student data to Scholarships.com. “There are also lenders who are looking for students who need student loans.”

The more information students provide about themselves, the more marketing companies are able to personalize their experience, Ladd said. “What you get out is what you put in. The potential is really great.”

Corrected on Oct. 28, 2015: This story misidentified the owner of education software maker PowerSchool. Its current owner is Vista Equity Partners.